我正在尝试为通过Cloud Forming连接到用户池的身份池定义授权/未经授权的角色。我正在使用以下说明:https://docs.amplify.aws/lib/storage/getting-started/q/platform/js#using-amazon-s3
但是到目前为止,我还没有成功。当UI使用身份池ID调用Amplify.configure时,我得到“无效的身份池配置。检查为此池分配的IAM角色。”
这是我所拥有的:
MyCognitoUserPool:
Type: AWS::Cognito::UserPool
Properties:
...
MyCognitoUserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
UserPoolId: !Ref MyCognitoUserPool
GenerateSecret: false
MyIdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
CognitoIdentityProviders:
- ClientId: !Ref MyCognitoUserPoolClient
ProviderName: !GetAtt MyCognitoUserPool.ProviderName
MyIdentityPoolAuthRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Federated:
- cognito-identity.amazonaws.com
Action:
- sts:AssumeRole
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud:
- !ImportValue mydevDocumentBucketArn
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr:
- authenticated
Policies:
- PolicyName: identity-pool-auth-cognito-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- cognito-identity:*
- cognito-sync:*
Resource: '*'
- PolicyName: identity-pool-auth-public-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:DeleteObject
- s3:GetObject
- s3:PutObject
Resource:
- Fn::Sub:
- '${documentBucket}/public/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- Fn::Sub:
- '${documentBucket}/protected/${identitySub}/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
identitySub: ${cognito-identity.amazonaws.com:sub}
- Fn::Sub:
- '${documentBucket}/private/${identitySub}/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
identitySub: ${cognito-identity.amazonaws.com:sub}
- PolicyName: identity-pool-auth-uploads-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
Resource:
- Fn::Sub:
- '${documentBucket}/uploads/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-auth-protected-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
Resource:
- Fn::Sub:
- '${documentBucket}/protected/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-auth-list-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:ListBucket
Resource: !ImportValue mydevDocumentBucketArn
Condition:
StringLike:
s3:prefix:
- 'public/'
- 'public/*'
- 'protected/'
- 'protected/*'
- 'private/${cognito-identity.amazonaws.com:sub}/'
- 'private/${cognito-identity.amazonaws.com:sub}/*'
MyIdentityPoolUnAuthRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Federated:
- cognito-identity.amazonaws.com
Action:
- sts:AssumeRole
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud:
- !ImportValue mydevDocumentBucketArn
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr:
- unauthenticated
Policies:
- PolicyName: identity-pool-unauth-sync-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- cognito-sync:*
Resource: '*'
- PolicyName: identity-pool-unauth-public-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:DeleteObject
Resource:
- Fn::Sub:
- '${documentBucket}/public/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-unauth-uploads-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
Resource:
- Fn::Sub:
- '${documentBucket}/uploads/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-unauth-protected-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
Resource:
- Fn::Sub:
- '${documentBucket}/protected/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-unauth-list-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:ListBucket
Resource:
- Fn::Sub:
- '${documentBucket}/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
Condition:
StringLike:
s3:prefix:
- 'public/'
- 'public/*'
- 'protected/'
- 'protected/*'
MyIdentityPoolRoleAtt:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref MyIdentityPool
Roles:
"authenticated": !GetAtt MyIdentityPoolAuthRole.Arn
"unauthenticated": !GetAtt MyIdentityPoolUnAuthRole.Arn
```
对我来说,您的Auth和Unauth角色的信任策略存在一些问题:
首先,角色允许的Action
应该是sts:AssumeRoleWithWebIdentity
,而不是sts:AssumeRole
。
AssumeRole
为现有IAM用户提供其他临时权限。 AssumeRole需要现有的有效IAM用户凭据。AssumeRoleWithWebIdentity
为已通过某些Web身份提供商认证的应用程序用户(例如Cognito用户池或Facebook等)提供临时凭据。第二,您的信任策略的条件部分应如下所示:
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud:
- !Ref MyIdentityPool
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr:
- authenticated # or unauthenticated
cognito-identity.amazonaws.com:aud
部分将此角色的分配限制为特定身份池成员的用户,而您正在引用S3存储桶的arn。