我有一个移动应用程序,其中的用户通过AWS Cognito进行身份验证,并且最终进入用户池。他们能够将对象放入存储桶中没问题,但是它们不能删除。我要为每个登录的用户删除存储桶中的文件。
文件的路径例如是:my_bucket_name/protected/eu-west-2:de55c2rf-8f1e-836d-88f9-82da662aau6dt/videos/video1
要删除,我称之为:
import { Storage } from 'aws-amplify';
。。。
delFromS3 = async () => {
Storage.remove('protected/eu-west-2:de55c2rf-8f1e-836d-88f9-82da662aau6dt/videos/video1')
.then(result => console.log('Deleted Video from S3'))
.catch(err => console.log('Deleting video from S3 error: ', err));
}
我在调用此消息时一直收到错误访问被拒绝,所以我添加了存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::my_bucket_name/*"
}
]
}
此函数返回结果的唯一时间是当我放置"Principal": "*"
时,但这使我的存储桶对任何人都变为PUBLIC,我不想这样做。它还不接受此作为有效的Prinipal政策:
"Principal": { "AWS": [ "arn:aws:cognito-idp:eu-west-2:968257789397:userpool/eu-west-2_2ecGAT74q" ] }.
所以我需要知道正确的主体是什么。
所以,我要么需要一种方法就可以授权cognito用户池中的用户删除对象。或者因为我手动知道每个用户子存储区中文件的路径(例如/protected/eu-west-2:de55c2rf-8f1e-836d-88f9-82da662aau6dt/videos/video1
),只需在我的delFromS3()
函数中传递该路径即可。我的存储桶策略应读什么?我在这里还缺少什么?
请帮助!
我将为诸如DELETE之类的操作创建一个IAM用户,并使用您的认知ID仅用于访问。对于IAM用户,您的Principal如下所示:
"Principal": {
"AWS": "arn:aws:iam::841367581918:user/your-iam-name"
},
您将在api文件顶部为该用户提供accessKey,如下所示:
const AWS = require('aws-sdk');
const s3 = new AWS.S3();
s3.config.update({
region: process.env.BUCKET_REGION,
accessKeyId: process.env.IAM_ACCESS_KEY,
secretAccessKey: process.env.IAM_SECRET_KEY
});
然后删除对象:
deleteObject: async (req, res) => {
const bucket = process.env.YOUR_BUCKET;
try {
// delete record in DB
//....
let cognitoId = req.user.cognitoId;
let key = cognitoId + '/' + path; // my folder name is user's cognitoId and path is the rest of url.
const params = {
Bucket: bucket,
Key: key
}
try {
await s3.headObject(params).promise();
console.log("File found");
try {
await s3.deleteObject(params).promise();
console.log("deleted successfully");
}
catch (error) {
console.log(error);
res.status(500).send(error.message);
}
}
catch (error) {
console.log(error);
res.status(500).send(error.message);
}
res.status(200).send("success");
}
catch (error) {
console.log(error);
res.status(500).send(error.message);
}
}