Mon*_*ffy 6 amazon-web-services amazon-cognito aws-api-gateway serverless-framework
我正在尝试使用 AWS Cognito 组创建基于角色的访问控制。我定义了以下角色和策略来拒绝对资源的访问
CognitoAuthRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: "CognitoAuthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Deny"
Action: "*"
Resource: "*"
然后我创建了一个名为 admin 隐身用户池的组,并分配一个带有策略的角色,让用户调用 API,如下所示
CognitoUserPoolGroupAdmin:
Type: AWS::Cognito::UserPoolGroup
Properties:
UserPoolId:
Ref: CognitoUserPool
GroupName: Admin
Precedence: 0
RoleArn:
Fn::GetAtt:
- AdminRole
- Arn
AdminRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: AdminRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: CognitoAdminPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "execute-api:Invoke"
Resource:
- arn:aws:execute-api:ap-south-1:****:***/*/GET/user
然后我创建了一个用户并添加到管理员组并获得了临时凭据,然后尝试调用 API 并在邮递员中收到以下 403 错误
“用户:arn:aws:sts::******:assumed-role/auth-service-dev-CognitoAuthRole-1JO2U7LKRJRBB/CognitoIdentityCredentials 无权执行:execute-api:Invoke 资源:arn:aws: execute-api:ap-south-1:********2015:****/dev/GET/user 并明确拒绝”
这工作正常,并在删除并重新部署云形成堆栈后开始导致此错误。
| 归档时间: |
|
| 查看次数: |
2207 次 |
| 最近记录: |