2017-05-10 50 views

Getting "AccessDenied" when accessing S3 with a Cognito token. I am trying to use the "listObjects" operation on a bucket. This is accessed through a web service, and I do not want to grant the users console access.

Role policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BucketName"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${cognito-identity.amazonaws.com:sub}/*"
                    ]
                }
            }
        }
    ]
}

Trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "somevalue"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

If I replace "${cognito-identity.amazonaws.com:sub}" with the actual value, it works; otherwise it gives an AccessDenied error. It seems I am missing something very simple. Please help.

Error:

cfId:undefined 
code:"AccessDenied" 
extendedRequestId:undefined 
message:"Access Denied" 
region:null 
requestId:null 
retryDelay:14.650563118124381 
retryable:false 
statusCode:403 
time:Sun May 14 2017 23:11:57 GMT+0530 
name:"AccessDenied" 
stack:"AccessDenied: Access Denied↵ at constructor.extractError (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:24:11663)↵ at constructor.callListeners (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:27756)↵ at constructor.emit (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:27465)↵ at constructor.emitEvent (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:15469)↵ at constructor.e (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:11925)↵ at a.runTo (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:24:27302)↵ at http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:24:27509↵ at constructor.<anonymous> (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:12135)↵ at constructor.<anonymous> (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:15524)↵ at constructor.callListeners (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:27862)" 
__proto__:Object 

This may sound silly, but could you paste the complete error message into the question?

Answer


It turns out this was a silly mistake on my side. The sub always has the following format: us-east-1:12345678-1234-1234-1234-123456790ab.

I had copied the sub from Cognito-idp, which was wrong. That is the wrong sub.

The sub is the IdentityId that we get from the Cognito Identity pool.

Thanks for looking.
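The mix-up in the answer can be reproduced without AWS by evaluating the role policy's S3 statement locally. The following is an added example, not code from the question or answer: it substitutes the `${cognito-identity.amazonaws.com:sub}` variable with a given identity and applies IAM's StringLike matching to the requested prefix, showing that an identity pool IdentityId prefix is allowed while a user pool sub, another identity's prefix, or a listing with no Prefix at all is denied. The identity value, the IdentityId shape check and the simplified evaluator are constructed assumptions for illustration.

```python
import re

# Constructed sample: the S3 statement of the role policy from the question,
# with "BucketName" kept as the placeholder bucket name.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::BucketName"],
        "Condition": {"StringLike": {
            "s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}},
    }],
}

# An identity pool IdentityId looks like "<region>:<uuid>"; a user pool sub is
# a bare uuid, which is the mix-up the answer describes (assumed shape check).
IDENTITY_ID_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d+:[0-9a-f-]{36}$")

def is_identity_id(value):
    """True when value has the shape of a Cognito Identity pool IdentityId."""
    return IDENTITY_ID_RE.match(value) is not None

def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def evaluate_list_bucket(policy, bucket, prefix, identity_id):
    """Simplified IAM evaluation of s3:ListBucket for one Cognito identity.

    A statement allows the request when it covers the action and bucket and
    its StringLike condition on s3:prefix matches after the policy variable
    is replaced with identity_id. A request without a Prefix carries no
    s3:prefix key, so the condition fails and the result is AccessDenied.
    """
    resource = "arn:aws:s3:::" + bucket
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "s3:ListBucket" not in stmt["Action"]:
            continue
        if resource not in stmt["Resource"] or prefix is None:
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        patterns = [p.replace("${cognito-identity.amazonaws.com:sub}", identity_id)
                    for p in cond.get("s3:prefix", [])]
        if any(string_like(p, prefix) for p in patterns):
            return "Allow"
    return "AccessDenied"
```

The same condition also means a client that calls listObjects without a Prefix parameter is denied even with the correct identity, so the client must always scope its listing to its own `IdentityId/` prefix.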