我正在尝试使用AWS IAM为移动应用生成临时令牌。我正在使用AWS C#SDK。
这是我的代码......
令牌生成服务
public string GetIAMKey(string deviceId)
{
//fetch IAM key...
var credentials = new BasicAWSCredentials("MyKey", "MyAccessId");
var sts = new AmazonSecurityTokenServiceClient(credentials);
var tokenRequest = new GetFederationTokenRequest();
tokenRequest.Name = deviceId;
tokenRequest.Policy = File.ReadAllText(HostingEnvironment.MapPath("~/policy.txt"));
tokenRequest.DurationSeconds = 129600;
var tokenResult = sts.GetFederationToken(tokenRequest);
var details = new IAMDetails { SessionToken = tokenResult.GetFederationTokenResult.Credentials.SessionToken, AccessKeyId = tokenResult.GetFederationTokenResult.Credentials.AccessKeyId, SecretAccessKey = tokenResult.GetFederationTokenResult.Credentials.SecretAccessKey, };
return JsonConvert.SerializeObject(details);
}
客户
var iamkey = Storage.LoadPersistent<IAMDetails>("iamkey");
var simpleDBClient = new AmazonSimpleDBClient(iamkey.AccessKeyId, iamkey.SecretAccessKey, iamkey.SessionToken);
try
{
var details = await simpleDBClient.SelectAsync(new SelectRequest { SelectExpression = "select * from mydomain" });
return null;
}
catch (Exception ex)
{
Storage.ClearPersistent("iamkey");
}
政策文件内容
{“Statement”:[{“Effect”:“Allow”,“Action”:“sdb:*”,“Resource”:“arn:aws:sdb:eu-west-1:*:domain / mydomain *“}]}
我一直收到以下错误......
用户(arn:aws:sts :: myaccountid:federated-user / 654321)无权在资源上执行(sdb:Select)(arn:aws:sdb:us-east-1:myaccountid:domain / MYDOMAIN)
请注意,我的政策文件明确指出了两件事
但抛出的异常声称我的用户无权 us-east-1
关于我为什么会收到此错误的任何想法?
答案 0 :(得分:1)
好的想出来了。
您必须在从客户端调用服务时设置区域端点。
所以
var simpleDBClient = new AmazonSimpleDBClient(iamkey.AccessKeyId, iamkey.SecretAccessKey, iamkey.SessionToken, Amazon.RegionEndpoint.EUWest1);