我正在尝试使用 AWS Cognito 组创建基于角色的访问控制。我定义了以下角色和策略来拒绝对资源的访问
CognitoAuthRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: "CognitoAuthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Deny"
Action: "*"
Resource: "*"
然后我创建了一个名为 admin incognito user pool 的组,并分配了一个具有策略的角色,让用户调用 API,如下所示
CognitoUserPoolGroupAdmin:
Type: AWS::Cognito::UserPoolGroup
Properties:
UserPoolId:
Ref: CognitoUserPool
GroupName: Admin
Precedence: 0
RoleArn:
Fn::GetAtt:
- AdminRole
- Arn
AdminRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: AdminRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: CognitoAdminPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "execute-api:Invoke"
Resource:
- arn:aws:execute-api:ap-south-1:****:***/*/GET/user
然后我创建了一个用户并添加到组管理员并获得临时凭据,然后尝试调用 API 并在 postman 中出现以下 403 错误
"User: arn:aws:sts::******:assumed-role/auth-service-dev-CognitoAuthRole-1JO2U7LKRJRBB/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-south-1:********2015:****/dev/GET/user with an explicit deny"
这运行良好,并在移除和重新部署云形成堆栈后开始导致此错误。
最佳答案
根据评论,问题是 explicit deny
.来自 docs :
If the code finds even one explicit deny that applies, the code returns a final decision of Deny.
基本上,
explicit deny
总是胜过任何allow
.
关于amazon-web-services - Cognito 凭证无权执行 Execute api,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60735652/