AWS Cognito: "Access to Identity is forbidden" when calling getOpenIdToken()

drf*_*nce 6 amazon-web-services amazon-cognito

After successfully obtaining a Cognito identity, we then try to call getOpenIdToken():

    // Resolve the Cognito identity first (credentials were configured
    // earlier with a CognitoIdentityCredentials provider).
    AWS.config.credentials.get(function(err) {
      if (!err) {
        var cognitoIdentity = new AWS.CognitoIdentity();
        // Exchange the identity id for an OpenID token.
        cognitoIdentity.getOpenIdToken({IdentityId: AWS.config.credentials.identityId}, function(err, data) {
          if (err) console.log(err, err.stack); // an error occurred
          else     console.log(data);           // successful response
        });
      } else {
        console.log('cognito error: ' + err);
      }
    });

However, this fails with:

    "NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.

Full error trace:

    POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request)
    aws-sdk.min.js:5 [AWS cognitoidentity 400 0.192s 0 retries] getOpenIdToken({IdentityId: 'us-east-1:xxxxx' })
    routing.html:64 Error: Access to Identity 'us-east-1:xxxxx' is forbidden.
        at a (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:3548)
        at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28594)
        at r.SequentialExecutor.r.util.inherit.emit (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28390)
        at a.Request.n.emitEvent (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16483)
        at u.setupStates.e (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12946)
        at r.runTo (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25031)
        at https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25238
        at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12982)
        at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16538)
        at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28607) "NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.

Rac*_*all 6

The two most common causes of this error are:

  • You have not set up the roles correctly in the identity pool configuration.
  • You are trying to get a token for an authenticated identity without supplying the token from the identity provider.

Please check your code for the two cases above. If the error persists, send me your identityId/identityPoolId in a private message and I will be happy to dig deeper.

Thanks,
Rajit

  • If this solved the problem, could the original poster be asked to explain how they fixed it? (2 upvotes)
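The second cause in the answer above is the one the question's code runs into: getOpenIdToken() is called with only the IdentityId, so for an authenticated identity Cognito has no provider token to check against and refuses. The following is an added example (not code from the question or the answer) showing the two-call flow with the Logins map passed to both getId() and getOpenIdToken(), in the same callback style the AWS SDK for JavaScript v2 uses on the page. The Cognito client is injected so the logic runs offline against a fake; in an application you would pass `new AWS.CognitoIdentity({ region: 'us-east-1' })`. The pool id, identity id and provider token values are constructed placeholders.

```javascript
'use strict';

// Decode the payload of a compact JWT without verifying it. This is only for
// inspecting claims on the client (issuer, subject, amr); it is NOT proof that
// the token is genuine. A backend must verify the signature against the
// Cognito Identity JWKS before trusting any claim.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Obtain an identity id and an OpenID token from Cognito Identity.
//   client:         an object with getId(params, cb) and getOpenIdToken(params, cb)
//                   (the AWS.CognitoIdentity service object, or a fake for tests)
//   identityPoolId: 'us-east-1:...' style pool id
//   logins:         { '<provider name>': '<provider token>' } for an authenticated
//                   identity, or null for an unauthenticated one. In the null case
//                   the pool must allow unauthenticated identities and have an
//                   unauthenticated role attached, otherwise Cognito answers with
//                   NotAuthorizedException (the first cause in the answer).
//   callback:       function(err, { identityId, token, claims })
function fetchOpenIdToken(client, identityPoolId, logins, callback) {
  if (logins && Object.keys(logins).length === 0) {
    return callback(new Error('logins is empty; pass null for an unauthenticated identity'));
  }
  const getIdParams = { IdentityPoolId: identityPoolId };
  if (logins) getIdParams.Logins = logins;

  client.getId(getIdParams, function (err, idData) {
    if (err) return callback(err);
    const identityId = idData.IdentityId;

    // The same Logins map must accompany getOpenIdToken. Sending only the
    // IdentityId of an authenticated identity is exactly the second cause in
    // the answer: "Access to Identity ... is forbidden".
    const tokenParams = { IdentityId: identityId };
    if (logins) tokenParams.Logins = logins;

    client.getOpenIdToken(tokenParams, function (err2, tokenData) {
      if (err2) return callback(err2);
      let claims;
      try {
        claims = decodeJwtPayload(tokenData.Token);
      } catch (e) {
        return callback(e);
      }
      // Cognito issues the OpenID token with the identity id as its subject;
      // a mismatch means the token is not for the identity we just resolved.
      if (claims.sub !== identityId) {
        return callback(new Error('token subject does not match the identity id'));
      }
      callback(null, { identityId: identityId, token: tokenData.Token, claims: claims });
    });
  });
}
```

The `claims.amr` array in the result tells you which mode Cognito actually used ("authenticated" plus the provider, or "unauthenticated"), which is a quick way to confirm that the Logins map was honoured rather than silently ignored.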