logo标签列表

从Cognito组中假定IAM角色

c#amazon-web-servicesamazon-cognitoamazon-iam
4

是否可以假定与Cognito用户池相关的Cognito组的Cognito用户链接到IAM角色iam-role1?

我的配置:

Cognito用户池cognito-user-pool1:

  • Cognito用户cognito-user1属于cognito-group1
  • Cognito组cognito-group1已分配给iam-role1

Cognito身份池cognito-identity-pool1:

  • 身份验证提供商:cognito-user-pool1
  • 已验证的角色 = iam-role1

IAM:

  • IAM角色iam-role1具有访问S3只读的策略

此代码允许我对Cognito用户池进行身份验证:

AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient();
            CognitoUserPool userPool = new CognitoUserPool("user-pool-id", "client-id", provider);
            CognitoUser user = new CognitoUser("cognito-user1", "client-id", userPool, provider);
            InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
            {
                Password = "cognito-password1"
            };

            AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest);

接下来从链接到cognito用户池cognito-user-pool1的cognito身份池cognito-identity-pool1中获取凭据:

CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-arn", RegionEndpoint.USEast1); 
using (var client = new AmazonS3Client(credentials))
...
1个回答
5
当用户通过Cognito User Pool cognito-user-pool1进行验证时,id token包括cognito组和iam角色。
"cognito:groups": [
    "cognito-group1"
  ],
"cognito:roles": [
    "arn:aws:iam::xxx:role/iam-role1"
  ],

我们需要配置Cognito身份池,以便在用户验证时从令牌中选择角色: enter image description here 我们还需要通过编辑IAM角色iam-role1中的信任关系来允许Cognito身份池扮演此角色:
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}

enter image description here

你救了我的命!我找不到任何有关将Cognito组角色附加到已经登录的Cognito用户的文档或清晰示例。 - pnmn
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接