首页 > 解决方案 > CognitoIdentityCredentials 无权执行:apigateway:GET 资源:arn:aws:apigateway:eu-west-1::/restapis

问题描述

我在使用 AWS Amplify JavaScript SDK 访问 AWS API Gateway 资源时遇到了问题,希望有人能帮忙指出问题可能出在哪里。

当用户登录平台(我正在构建的门户)时,authRole 所承担的角色能够根据其权限加载 API 目录,该权限允许对所有 API Gateway 资源进行读取访问。策略如下所示:

    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "appsync:*",
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:DELETE",
                "apigateway:PATCH",
                "apigateway:PUT",
                "cloudformation:CreateStack",
                "cloudformation:CreateStackSet",
                "cloudformation:DeleteStack",
                "cloudformation:DeleteStackSet",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStackSet",
                "cloudformation:DescribeStackSetOperation",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack",
                "cloudformation:UpdateStackSet",
                "cloudfront:CreateCloudFrontOriginAccessIdentity",
                "cloudfront:CreateDistribution",
                "cloudfront:DeleteCloudFrontOriginAccessIdentity",
                "cloudfront:DeleteDistribution",
                "cloudfront:GetCloudFrontOriginAccessIdentity",
                "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig",
                "cloudfront:TagResource",
                "cloudfront:UntagResource",
                "cloudfront:UpdateCloudFrontOriginAccessIdentity",
                "cloudfront:UpdateDistribution",
                "cognito-identity:CreateIdentityPool",
                "cognito-identity:DeleteIdentityPool",
                "cognito-identity:DescribeIdentity",
                "cognito-identity:DescribeIdentityPool",
                "cognito-identity:SetIdentityPoolRoles",
                "cognito-identity:UpdateIdentityPool",
                "cognito-idp:CreateUserPool",
                "cognito-idp:CreateUserPoolClient",
                "cognito-idp:DeleteUserPool",
                "cognito-idp:DeleteUserPoolClient",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:UpdateUserPool",
                "cognito-idp:UpdateUserPoolClient",
                "dynamodb:CreateTable",
                "dynamodb:DeleteItem",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:GetUser",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:UpdateRole",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "s3:*",
                "amplify:*"
            ],
            "Resource": "*"
        }
    ]
}

上述策略与 authRole(用户通过身份验证时的角色)相关联,并且与以下代码一起按预期工作:

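/**
 * Exchanges the signed-in Cognito User Pool session for identity-pool
 * credentials and installs them on the global AWS.config.
 *
 * The ID token of the current Amplify session is presented to the identity
 * pool under the user-pool provider key, so the credentials obtained here
 * correspond to the identity pool's *authenticated* role.
 *
 * @returns a Promise that resolves to true once AWS.config.credentials is set.
 *          Rejects if there is no authenticated user (the awaited Amplify call
 *          rejects in that case).
 */
public async configureAwsIdentityCredentials(): Promise<boolean> {
  const sessionUser = await Auth.currentAuthenticatedUser();
  const idToken: string = sessionUser.signInUserSession.idToken.jwtToken;

  // The Logins key is the user-pool provider name built from the configured
  // IdP URL and user pool id; the value is the session's ID token (a JWT).
  const logins: Record<string, string> = {};
  logins[environment.cognitoIdpUrl + environment.appClient.userPoolId] = idToken;

  AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: environment.appClient.identityPoolId,
    Logins: logins,
  });

  // An async function already wraps the value in a Promise, so the RxJS
  // of(true).toPromise() detour is unnecessary.
  return true;
}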

问题出现在我需要在用户未登录(未经身份验证)的情况下从 AWS 获取资源时——我在身份池上启用了未经身份验证的访问,并把上述策略附加到了 unauthRole。运行下面的代码时,我确实得到了一个 AWS.ICredentials 实例,但运行应用程序时却收到了拒绝访问错误。下面是未经身份验证访问的代码片段:

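/**
 * Installs the identity pool's current credentials on AWS.config without a
 * sign-in. When no user session exists, Auth.currentCredentials() returns
 * credentials for the identity pool's *unauthenticated* role, so every AWS
 * call made through AWS.config afterwards runs as an anonymous principal.
 *
 * NOTE(review): the unauthenticated role is obtainable by anyone who holds the
 * identity pool id, which is shipped in the client bundle. The policy attached
 * to that role should therefore be limited to the read-only actions the
 * anonymous UI actually needs, not the broad create/delete/iam:PassRole policy
 * used for the authenticated role.
 * NOTE(review): an AccessDenied on apigateway:GET despite the role policy
 * allowing it suggests the unauthenticated credentials are restricted beyond
 * the role's own policy — confirm against the Cognito identity pool
 * documentation for the pool's authentication flow.
 *
 * @returns a Promise that resolves to true once AWS.config.credentials is set
 */
public async configureCurrentCreditialsWithoutLogin(): Promise<boolean> {
  AWS.config.credentials = await Auth.currentCredentials();

  // Plain return: the async function already yields a Promise<boolean>.
  return true;
}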

控制台错误

以下是控制台错误截图中的文本内容:

ERROR Error: "Uncaught (in promise): AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/amplify-XXXX-unauthRole/CognitoIdentityCredentials is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis

请查看以下来自 CloudTrail 的事件(已认证 Auth 与未认证 unauth 各一条)。Auth:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAUKJTJFOLBWD5XZVSP:CognitoIdentityCredentials",
        "arn": "arn:aws:sts::xxx:assumed-role/xxx-authRole/CognitoIdentityCredentials",
        "accountId": "xxx",
        "accessKeyId": "xxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAUKJTJFOLBWD5XZVSP",
                "arn": "arn:aws:iam::xxx:role/xxx-authRole",
                "accountId": "xxx",
                "userName": "xxx-authRole"
            },
            "webIdFederationData": {
                "federatedProvider": "cognito-identity.amazonaws.com",
                "attributes": {
                    "cognito-identity.amazonaws.com:amr": "[\"authenticated\",\"cognito-idp.eu-west-1.amazonaws.com/eu-west-1_cCdLTN7nA\",\"cognito-idp.eu-west-1.amazonaws.com/eu-west-1_cCdLTN7nA:CognitoSignIn:6c6f8c2e-d7e9-4e31-99dd-0c46898fd9a2\"]",
                    "cognito-identity.amazonaws.com:aud": "eu-west-1:2a0fcef4-dd19-4db5-955f-5e1a2865f821",
                    "cognito-identity.amazonaws.com:sub": "eu-west-1:d5a7dc54-67f9-4b9e-9993-91e2cfa9d624"
                }
            },
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-06-10T14:58:43Z"
            }
        }
    },
    "eventTime": "2020-06-10T14:58:44Z",
    "eventSource": "apigateway.amazonaws.com",
    "eventName": "GetRestApis",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "41.113.113.159",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
    "requestParameters": {
        "limit": 20,
        "template": false
    },
    "responseElements": null,
    "requestID": "db448c52-dd00-4c51-af23-e3e51c934407",
    "eventID": "b6aa7c4b-120e-49a8-b81c-2256f7ee4491",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "recipientAccountId": "xxx"
}

未经身份验证(unauth):

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAUKJTJFOLPFSCSBJPE:CognitoIdentityCredentials",
        "arn": "arn:aws:sts::xxx:assumed-role/xxx-unauthRole/CognitoIdentityCredentials",
        "accountId": "xxx",
        "accessKeyId": "xxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAUKJTJFOLPFSCSBJPE",
                "arn": "arn:aws:iam::xxx:role/xxx-unauthRole",
                "accountId": "xxx",
                "userName": "xxx-unauthRole"
            },
            "webIdFederationData": {
                "federatedProvider": "cognito-identity.amazonaws.com",
                "attributes": {
                    "cognito-identity.amazonaws.com:amr": "[\"unauthenticated\"]",
                    "cognito-identity.amazonaws.com:aud": "eu-west-1:2a0fcef4-dd19-4db5-955f-5e1a2865f821",
                    "cognito-identity.amazonaws.com:sub": "eu-west-1:05fe8797-163f-4cee-98c1-754ad268d83b"
                }
            },
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-06-10T14:58:00Z"
            }
        }
    },
    "eventTime": "2020-06-10T14:58:01Z",
    "eventSource": "apigateway.amazonaws.com",
    "eventName": "GetRestApis",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "169.0.135.161",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::xxx:assumed-role/xxx-unauthRole/CognitoIdentityCredentials is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "e9091a88-dc61-4999-8683-336fbf4fbc74",
    "eventID": "977ca45c-559e-4a31-9960-41accfb1aaa7",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "recipientAccountId": "xxx"
}


解决方案

