AWS:将Cognito授权用户限制为特定的Lambda函数

时间:2018-01-31 10:53:48

标签: amazon-web-services aws-lambda aws-api-gateway aws-cognito

我正在与AWS合作,并且我进行了以下设置:UserPool; API网关,Lambda函数

api网关使用UserPool授权程序来保护lambda函数。到目前为止这是有效的。现在我想将每个lambda函数限制为特定的一组用户。因此,我在CognitoPool(useradmin)中创建了两个用户组,并且我已经为每个组分配了一个具有策略的特定角色。之后我在UserPool中创建了一个用户并将他添加到user组。该用户仍然可以向每个路由/ lambda函数提交请求。

如何提交请求?

  • 邮差
  • IdToken标题
    • 中设置Authorization(经过身份验证的用户)
  • 没有Authorization标题,响应是401(正如预期的那样)
  • Authorization标头可以触发每个lambda函数(不是预期的)

UserPool组的配置:

  • 群组用户:

    • Arn:Role ARN: arn:aws:iam::xxxxxx:role/User

    • UserRole指定为

      {
  "Version": "2012-10-17",
  "Statement": [
    "Action": [
      "lambda:InvokeFunction",
      "lambda:InvokeAsync"
    ],
   "Resource": [
     "arn:aws:lambda:region:xxxxxx:function:api-dev-getItems
    ],
    "Effect": "Allow"
  ]
}

  • 集团管理员:

    • Arn:Role ARN: arn:aws:iam::xxxxxx:role/Admin

    • AdminRole指定为

      {
  "Version": "2012-10-17",
  "Statement": [
      "Action": [
      "lambda:InvokeFunction",
      "lambda:InvokeAsync"
    ],
    "Resource": [
       "arn:aws:lambda:region:xxxxxx:function:api-dev-getItems
       "arn:aws:lambda:region:xxxxxx:function:api-dev-getUsers
    ],
    "Effect": "Allow"
  ]
}

id令牌的有效负载还包含: 'cognito:roles': [ 'arn:aws:iam::xxxxxx:role/User' ]

1 个答案:

答案 0 :(得分:3)

所以我找到了解决问题的方法。以下是我的经历总结:

  • Cognito Authorizer更像是/否授权者(已验证或未经过验证;用户组未评估)
  • 因此,我选择了API网关中的AWS IAM Authorizer,它将评估用户组角色
  • 而不是JWT,必须传递AWS签名v4授权(邮递员和npm上有几个包的插件)
  • 由于我使用的是API网关,因此我必须将角色策略资源更改为execute-api:Invoke

详细说明:

的UserRole:

{
  "Version": "2012-10-17",
  "Statement": [
    "Action": [
      "lambda:InvokeFunction",
      "lambda:InvokeAsync"
    ],
   "Resource": [
     "arn:aws:execute-api:region:accountid:api-id/stage/GET/items
    ],
    "Effect": "Allow"
  ]
}

AdminRole:

{
  "Version": "2012-10-17",
  "Statement": [
    "Action": [
      "lambda:InvokeFunction",
      "lambda:InvokeAsync"
    ],
   "Resource": [
     "arn:aws:execute-api:region:accountid:api-id/stage/GET/items
     "arn:aws:execute-api:region:accountid:api-id/stage/*/users
    ],
    "Effect": "Allow"
  ]
}

我不得不将ID令牌传递到Authorization标头,而是使用Postman AWS Signature,它至少需要AccessKeySecretKey。当我使用aws-sdk登录我的用户时,可以检索这两个。以TypeScript为例的aws-sdk-js:

import { CognitoUserPool, CognitoUser, AuthenticationDetails } from 'amazon-cognito-identity-js';

const userPool = new CognitoUserPool({
  UserPoolId: 'my pool id',
  ClientId: 'my client id'
});

function signIn(username: string, password: string) {
  const authData = {
    Username: username,
    Password: password,
  };

  const authDetails = new AuthenticationDetails(authData);
  const userData = {
    Username: username,
    Pool: userPool,
  };

  const cognitoUser = new CognitoUser(userData);
  cognitoUser.authenticateUser(authDetails, {
    onSuccess: (result) => {
      const cognitoIdpKey = `cognito-idp.${region}.amazonaws.com/${userPool.getUserPoolId()}`;

      const credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'identity pool id,
        Logins: {
          [cognitoIdpKey]: result.getIdToken().getJwtToken(),
        }
      });
      AWS.config.update({
        credentials,
      });

      credentials.refreshPromise()
        .then(() => {
          console.log('Success refresh. Required data:', (credentials as any).data.Credentials);
        })
        .catch(err => console.error('credentials refresh', err));
    }
  });
}
相关问题
最新问题