bee*_*est 4 c# amazon-web-services amazon-iam amazon-cognito
Is it possible to assume the IAM role iam-role1 that is linked to the Cognito group cognito-group1 of the Cognito user cognito-user1 in the Cognito user pool cognito-user-pool1?

My configuration:

Cognito user pool cognito-user-pool1:
- cognito-user1 belongs to cognito-group1
- cognito-group1 is assigned iam-role1

Cognito identity pool cognito-identity-pool1:
- cognito-user-pool1
- iam-role1

IAM:
- iam-role1 has a policy with S3 ReadOnly access

This code lets me authenticate to the Cognito user pool:
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;
// Runs inside an async method; "user-pool-id" and "client-id" are placeholders for the user pool ID and app client ID
AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient();
CognitoUserPool userPool = new CognitoUserPool("user-pool-id", "client-id", provider);
CognitoUser user = new CognitoUser("cognito-user1", "client-id", userPool, provider);
// SRP authentication: the password is used locally for the proof and is never sent to the service
InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
{
    Password = "cognito-password1"
};
// On success, authResponse.AuthenticationResult holds the id, access and refresh tokens
AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest);
Then obtain credentials from the Cognito identity pool cognito-identity-pool1 that is linked to the Cognito user pool cognito-user-pool1:
using Amazon.S3;
// The first argument is the identity pool ID (format "<region>:<guid>"), not an ARN
CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-id", RegionEndpoint.USEast1);
// The temporary credentials are scoped by the role the identity pool hands out
using (var client = new AmazonS3Client(credentials))
...
When the user authenticates through the Cognito user pool cognito-user-pool1, the id token includes the Cognito groups and the IAM roles:
"cognito:groups": [
"cognito-group1"
],
"cognito:roles": [
"arn:aws:iam::xxx:role/iam-role1"
],
We need to configure the Cognito identity pool to choose the role from the token when the user is authenticated:

We also need to allow the Cognito identity pool to assume the role by editing the trust relationship of the IAM role iam-role1:
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
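As an added example (not part of the original answer), the same trust relationship restricted to one identity pool and to authenticated identities, using the condition keys AWS documents for identity pool roles; IDENTITY_POOL_ID is a placeholder for the ID of cognito-identity-pool1:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "IDENTITY_POOL_ID"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

The Federated principal alone only names the Cognito Identity service, so without the aud condition any identity pool in any AWS account could obtain credentials for iam-role1; the amr condition additionally keeps unauthenticated (guest) identities from receiving the role.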