承担 Cognito 组的 IAM 角色

bee*_*est 4 c# amazon-web-services amazon-iam amazon-cognito

是否可以承担iam-role1链接到Cognito 用户池中的cognito-group1Cognito 用户的Cognito 组的 IAM 角色?cognito-user1cognito-user-pool1

我的配置:

Cognito 用户池cognito-user-pool1

  • Cognito 用户cognito-user1属于cognito-group1
  • Cognito 组cognito-group1已分配给iam-role1

Cognito 身份池cognito-identity-pool1

  • 身份验证提供商:cognito-user-pool1
  • 已验证角色 =iam-role1

我是:

  • IAM 角色iam-role1具有访问 S3 ReadOnly 的策略

此代码允许我向 Cognito 用户池进行身份验证:

AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient();
            CognitoUserPool userPool = new CognitoUserPool("user-pool-id", "client-id", provider);
            CognitoUser user = new CognitoUser("cognito-user1", "client-id", userPool, provider);
            InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
            {
                Password = "cognito-password1"
            };

            AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest);
Run Code Online (Sandbox Code Playgroud)

cognito-identity-pool1然后从链接到认知用户池的认知身份池获取凭据cognito-user-pool1

CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-arn", RegionEndpoint.USEast1); 
using (var client = new AmazonS3Client(credentials))
...
Run Code Online (Sandbox Code Playgroud)

bee*_*est 5

当用户通过 Cognito 用户池进行身份验证时cognito-user-pool1,id 令牌包括 cognito 组和 iam 角色:

"cognito:groups": [
    "cognito-group1"
  ],
"cognito:roles": [
    "arn:aws:iam::xxx:role/iam-role1"
  ],
Run Code Online (Sandbox Code Playgroud)

我们需要配置 Cognito 身份池,以便在用户经过身份验证时从令牌中选择角色: 在此输入图像描述

我们还需要通过编辑 IAM 角色中的信任关系来允许 Cognito 身份池承担此角色iam-role1

{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
Run Code Online (Sandbox Code Playgroud)

在此输入图像描述