amazon-web-services - Cognito 凭证无权执行 Execute api

标签 amazon-web-services aws-api-gateway amazon-cognito serverless-framework

我正在尝试使用 AWS Cognito 组创建基于角色的访问控制。我定义了以下角色和策略来拒绝对资源的访问

CognitoAuthRole:
      Type: AWS::IAM::Role
      Properties:
        Path: /
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated: "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud":
                    Ref: CognitoIdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: "CognitoAuthorizedPolicy"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Deny"
                  Action: "*"
                  Resource: "*"

然后我创建了一个名为 admin incognito user pool 的组,并分配了一个具有策略的角色,让用户调用 API,如下所示
CognitoUserPoolGroupAdmin:
  Type: AWS::Cognito::UserPoolGroup
  Properties:
    UserPoolId:
      Ref: CognitoUserPool
    GroupName: Admin
    Precedence: 0
    RoleArn:
      Fn::GetAtt:
        - AdminRole
        - Arn

AdminRole:
      Type: AWS::IAM::Role
      Properties:
        Path: /
        RoleName: AdminRole
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated: "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud":
                    Ref: CognitoIdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: CognitoAdminPolicy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "execute-api:Invoke"
                  Resource:
                    - arn:aws:execute-api:ap-south-1:****:***/*/GET/user

然后我创建了一个用户并添加到组管理员并获得临时凭据,然后尝试调用 API 并在 postman 中出现以下 403 错误

"User: arn:aws:sts::******:assumed-role/auth-service-dev-CognitoAuthRole-1JO2U7LKRJRBB/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-south-1:********2015:****/dev/GET/user with an explicit deny"



这运行良好,并在移除和重新部署云形成堆栈后开始导致此错误。

最佳答案

根据评论,问题是 explicit deny .来自 docs :

If the code finds even one explicit deny that applies, the code returns a final decision of Deny.



基本上,explicit deny总是胜过任何allow .

关于amazon-web-services - Cognito 凭证无权执行 Execute api,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60735652/

上一篇:node.js - Puppeteer 通过多个页面并行抓取

下一篇:algolia:algoliasearch 没有调用签名

相关文章:

amazon-web-services - EKS 支持哪些 EC2 实例类型?

sql - "Data Load"或 "ETL"的工具——从 SQL Server 到 Amazon Redshift

amazon-web-services - 如何正确响应对 AWS API 网关的 axios 请求

amazon-web-services - 使用 Amazon Cognito 进行 Hasura Webhook 身份验证

python - 使用 admin_create_user 创建的 Cognito 帐户无法登录。是否有已知的修复方法?

amazon-web-services - 用户登录时登录抛出 'Incorrect username or password' 错误

amazon-web-services - AWS Route53 - 委托(delegate)子域

ios - 将图像从 Parse 移至 S3 AWS

amazon-web-services - AWS lambda : Passing data from custom authorizer to business lambda

linux - aws api gateway cli 更新集成请求因 $ 参数而失败

©2024 IT工具网  联系我们