node.js - AWS Cognito with the Serverless Framework
Problem description
I am trying to implement Cognito in my Node.js application for user management, using the Serverless Framework. I am stuck on configuring the IdentityPoolRoleAttachment. I have one role each for identities provided by Cognito, Facebook and Google, and this is what I came up with:
CognitoIdentityPoolRoleAttachment:
  DependsOn: UserPoolAuthenticatedRole
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    RoleMappings:
      "cognito-identity.amazonaws.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - UserPoolAuthenticatedRole
            - UserPoolUnauthenticatedRole
      "graph.facebook.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - FacebookAuthenticatedRole
            - FacebookUnauthenticatedRole
      "accounts.google.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - GoogleAuthenticatedRole
            - GoogleUnauthenticatedRole
Googling and searching the docs only shows how to configure the attachment with a Cognito user pool alone. How do I add the Facebook/Google roles? If I try to deploy this, it fails with:
ServerlessError: An error occurred: CognitoIdentityPoolRoleAttachment - Internal Failure.
which is not very helpful. Any input would be appreciated.
Here is the full configuration, just in case:
CognitoUserPoolStandardUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireLowercase: true
        RequireNumbers: true
        RequireSymbols: false
        RequireUppercase: true
    Schema:
      #- Name: name
      #  AttributeDataType: String
      #  Mutable: true
      #  Required: true
      - Name: email
        AttributeDataType: String
        Mutable: false
        Required: true
    AutoVerifiedAttributes:
      - email
CognitoUserPoolClientStandardUserPoolClient:
  DependsOn: CognitoUserPoolStandardUserPool
  Type: AWS::Cognito::UserPoolClient
  Properties:
    ClientName: Standard_Users
    UserPoolId:
      Ref: CognitoUserPoolStandardUserPool
    RefreshTokenValidity: 1
    GenerateSecret: false
CognitoIdentityPoolStandardUserIdentityPool:
  DependsOn: CognitoUserPoolClientStandardUserPoolClient
  Type: AWS::Cognito::IdentityPool
  Properties:
    AllowUnauthenticatedIdentities: false
    SupportedLoginProviders:
      "graph.facebook.com": ${self:provider.config.FB_APP_ID}
      "accounts.google.com": ${self:provider.config.GOOGL_WEB_ID}
    CognitoIdentityProviders:
      - ClientId:
          Ref: CognitoUserPoolClientStandardUserPoolClient
        ProviderName:
          Fn::GetAtt:
            - CognitoUserPoolStandardUserPool
            - ProviderName
        ServerSideTokenCheck: true
# Authenticated users can call API Gateway
UserPoolAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: UserPoolAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "cognito-identity.amazonaws.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: CognitoIdentityPoolStandardUserIdentityPool
            "ForAnyValue:StringLike":
              "cognito-identity.amazonaws.com:amr": authenticated
    Policies:
      - PolicyName: UserPoolAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600
FacebookAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: FacebookAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "graph.facebook.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "graph.facebook.com:app_id": ${self:provider.config.FB_APP_ID}
    Policies:
      - PolicyName: FacebookAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600
GoogleAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: GoogleAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "accounts.google.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "accounts.google.com:aud": ${self:provider.config.GOOGL_WEB_ID}
    Policies:
      - PolicyName: GoogleAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600
# Unauthenticated users can only authenticate
UserPoolUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "cognito-identity.amazonaws.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: CognitoIdentityPoolStandardUserIdentityPool
            "ForAnyValue:StringLike":
              "cognito-identity.amazonaws.com:amr": unauthenticated
    Policies:
      - PolicyName: UserPoolUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600
FacebookUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "graph.facebook.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud": ${self:provider.config.FB_APP_ID}
    Policies:
      - PolicyName: FacebookUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600
GoogleUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "accounts.google.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud": ${self:provider.config.GOOGL_WEB_ID}
    Policies:
      - PolicyName: GoogleUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600
CognitoIdentityPoolRoleAttachment:
  DependsOn: UserPoolAuthenticatedRole
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    RoleMappings:
      "cognito-identity.amazonaws.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - UserPoolAuthenticatedRole
            - UserPoolUnauthenticatedRole
      "graph.facebook.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - FacebookAuthenticatedRole
            - FacebookUnauthenticatedRole
      "accounts.google.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - GoogleAuthenticatedRole
            - GoogleUnauthenticatedRole
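As an added example that is not part of the asker's configuration: the shape CloudFormation expects for AWS::Cognito::IdentityPoolRoleAttachment (a default Roles block, a required Type per mapping, and rule entries that are objects with Claim, MatchType, Value and RoleARN rather than bare resource names), next to a trust policy for a role the pool hands out, scoped to this pool's id and to Facebook sign-ins via the amr claim. UserPoolMapping, UserPoolAdminRole and the custom:tier attribute are assumed names; the other resource names are taken from the question.

```yaml
CognitoIdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    # Default roles handed out when no mapping applies.
    Roles:
      authenticated:
        Fn::GetAtt: [UserPoolAuthenticatedRole, Arn]
      unauthenticated:
        Fn::GetAtt: [UserPoolUnauthenticatedRole, Arn]
    RoleMappings:
      UserPoolMapping:
        # Provider key of a user pool: cognito-idp.<region>.amazonaws.com/<pool id>:<client id>
        IdentityProvider:
          Fn::Join:
            - ""
            - - Fn::GetAtt: [CognitoUserPoolStandardUserPool, ProviderName]
              - ":"
              - Ref: CognitoUserPoolClientStandardUserPoolClient
        Type: Rules                                # required: Token or Rules
        AmbiguousRoleResolution: AuthenticatedRole # no rule matched: use Roles.authenticated (Deny would refuse credentials)
        RulesConfiguration:
          Rules:                                   # rule objects, not bare resource names
            - Claim: "custom:tier"                 # assumed custom user-pool attribute
              MatchType: Equals
              Value: admin
              RoleARN:
                Fn::GetAtt: [UserPoolAdminRole, Arn]   # assumed role, not defined in the question
# Every role the pool hands out trusts cognito-identity.amazonaws.com, not the
# social provider itself; the provider appears in the amr claim instead, so the
# trust policy can still be limited to Facebook sign-ins of this one pool.
FacebookAuthenticatedRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: CognitoIdentityPoolStandardUserIdentityPool
            "ForAnyValue:StringLike":
              "cognito-identity.amazonaws.com:amr": graph.facebook.com
```

Without the aud condition any identity pool in any account could assume the role; the amr check is what keeps Google or user-pool sign-ins from landing in the Facebook role.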
Solution