IAM policy variable not recognized - ${cognito-identity.amazonaws.com:sub}

Question (votes: 0, answers: 1)

I am trying to build a solution in which every customer that uses my service gets their own SQS queue (in my AWS account). So that a client can send messages to and read messages from its queue, I want to use Cognito together with a single role that uses a policy variable, because there is a limit on the number of roles a single account can have. I have created the Cognito user pool with an app, and also created the federated identity, the role and the policy, and linked everything together.

The policy is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessageBatch",
                "sqs:SendMessageBatch"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:XXXX:test-${cognito-identity.amazonaws.com:sub}",
                "arn:aws:sqs:us-east-1:XXXX:test"
            ]
        }
    ]
}

The test client code is

const cognitoUser = userPool.getCurrentUser();
cognitoUser.getSession((err, session) => {
  if (err) {
    console.log(`got error getting session. error: ${err}`);
    return;
  }
  console.log(`session token: ${session.getIdToken().getJwtToken()}`);

  // Exchange the user-pool ID token for identity-pool (federated) credentials.
  const paramsCredentials = {
    IdentityPoolId: 'XXXX',
    Logins: {}
  };

  AWS.config.region = 'XXXX';
  paramsCredentials.Logins[
    `cognito-idp.${AWS.config.region}.amazonaws.com/XXXX`
  ] = session.getIdToken().getJwtToken();

  AWS.config.credentials = new AWS.CognitoIdentityCredentials(
    paramsCredentials
  );

  AWS.config.credentials.get(err => {
    if (err) {
      console.log(`got error - getting credentials. error: ${err}`);
      return;
    }

    // The identity ID is the value the policy variable is expected to carry.
    const id = AWS.config.credentials.identityId;
    console.log('Cognito Identity ID ' + id);

    const sqs = new AWS.SQS({
      region: AWS.config.region
    });
    const params = {
      QueueName: 'test-9ea2b895-2971-4ee2-b372-451bf2b19731'
    };
    sqs.getQueueUrl(params, (err, data) => {
      if (err) {
        console.log(`got error getting url for queue, error: ${err}`);
      } else {
        console.log(`SQS url = ${data.QueueUrl}`);
      }
    });
  });
});

I get the error

AWS.SimpleQueueService.NonExistentQueue: The specified queue does not exist or you do not have access to it.

But when I change the queue to the test queue, everything works. I have double-checked the sub, and it is the correct id.

What am I doing wrong?

amazon-web-services amazon-cognito amazon-sqs amazon-iam
1 answer

1 vote

The ${cognito-identity.amazonaws.com:sub} IAM policy variable returns region:uuid, so your queue name would be test-us-east-1:9ea2b895-2971-4ee2-b372-451bf2b19731, which is an invalid SQS queue name (colons are not allowed). It is therefore not possible to restrict access to a queue named after that identity, but you can create a policy that is restricted to a specific set of users of your application.

The following is from the AWS blog post Understanding Amazon Cognito Authentication Part 3: Roles and Policies

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessageBatch",
                "sqs:SendMessageBatch"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:XXXX:test"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:sub": [
                        "us-east-1:12345678-1234-1234-1234-123456790ab"
                    ]
                }
            }
        }
    ]
}
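To make the answer's point concrete, here is an added example (not code from the question, the answer or AWS) that expands the policy variable the way IAM does, checks the resulting queue name against the SQS naming rule, and evaluates the Condition-based statement for two identities. The account id and the second identity id are constructed placeholders; the sub value is the one the answer gives.

```python
import re

# SQS queue-name rule: 1-80 characters from [A-Za-z0-9_-]; a ':' is never allowed.
SQS_QUEUE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,80}$")
POLICY_VAR_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed request context: the region:uuid value the answer says the variable expands to.
CONTEXT = {"cognito-identity.amazonaws.com:sub": "us-east-1:9ea2b895-2971-4ee2-b372-451bf2b19731"}
ACCOUNT = "123456789012"  # placeholder account id standing in for XXXX

# Statement shaped like the question's policy (variable inside the resource ARN).
VARIABLE_STATEMENT = {"Effect": "Allow", "Action": ["sqs:GetQueueUrl"],
    "Resource": [f"arn:aws:sqs:us-east-1:{ACCOUNT}:test-${{cognito-identity.amazonaws.com:sub}}"]}
# Statement shaped like the answer's policy (fixed resource, identity pinned in a Condition).
CONDITION_STATEMENT = {"Effect": "Allow", "Action": ["sqs:GetQueueUrl"],
    "Resource": [f"arn:aws:sqs:us-east-1:{ACCOUNT}:test"],
    "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:sub":
                                   [CONTEXT["cognito-identity.amazonaws.com:sub"]]}}}

def expand_policy_variables(value, context):
    """Replace each ${key} with the key's value from the request context (KeyError if absent)."""
    return POLICY_VAR_RE.sub(lambda m: context[m.group(1)], value)

def queue_name_from_arn(arn):
    """Return the resource part of an SQS ARN: everything after the fifth ':'."""
    return arn.split(":", 5)[5]

def is_valid_sqs_queue_name(name):
    return SQS_QUEUE_NAME_RE.fullmatch(name) is not None

def statement_allows(statement, context, action, resource_arn):
    """Minimal Allow-only evaluator: action, expanded resource and StringEquals keys must all match."""
    if statement["Effect"] != "Allow" or action not in statement["Action"]:
        return False
    if resource_arn not in (expand_policy_variables(r, context) for r in statement["Resource"]):
        return False
    for key, wanted in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in (wanted if isinstance(wanted, list) else [wanted]):
            return False
    return True

if __name__ == "__main__":
    arn = expand_policy_variables(VARIABLE_STATEMENT["Resource"][0], CONTEXT)
    print(arn, "->", "valid" if is_valid_sqs_queue_name(queue_name_from_arn(arn)) else "INVALID queue name")
    other = {"cognito-identity.amazonaws.com:sub": "us-east-1:00000000-0000-0000-0000-000000000000"}
    for ctx in (CONTEXT, other):
        print(ctx["cognito-identity.amazonaws.com:sub"], statement_allows(
            CONDITION_STATEMENT, ctx, "sqs:GetQueueUrl", f"arn:aws:sqs:us-east-1:{ACCOUNT}:test"))
```

Running it shows the expanded ARN ending in test-us-east-1:9ea2b895-... flagged as an invalid queue name, while the Condition-based statement allows the pinned identity and denies the other one.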