我的用户拥有Cognito账号。
根据这篇文章的说法,我们可以使用以下策略限制对DynamoDB API的访问:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb: <REGION>:<AWS_ACCOUNT_ID>:table/<TABLE>"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:sub}"
]
}
}
}
]
}
如果索引键是email
(并且主排序键是utc
),那么对于我的情况来说,看起来非常简单,因此我将上面的示例调整为以下内容:
{
"Effect": "Allow",
"Action": "dynamodb:UpdateItem",
"Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:email}"
],
"dynamodb:Attributes": [
"email",
"utc",
"updated",
"isNew"
]
}
}
但是我一直收到错误信息 AccessDeniedException: User: arn:aws:sts :: 9876543210:assumed-role / policyname / CognitoIdentityCredentials未被授权执行:dynamodb:UpdateItem对资源:arn:aws:dynamodb:us-east-1:123456789123:table / history
。
我尝试使用*
权限进行js http调用,并且它能够正常工作,因此问题只存在于该策略中。