I am trying to understand Amazon Cognito by logging in through Facebook and then listing the contents of an S3 folder. The Facebook login works fine. When I tap the test button (cmdTestS3Tapped) it throws the error below.
I included the AmazonClientManager.h, AmazonClientManager.m and Constants.h files provided by Amazon in the project. The constants are given below. Can anyone help me solve this?
#define AWSAccountID @"MyAccountID"
#define CognitoPoolID @"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
#define CognitoRoleAuth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
#define CognitoRoleUnauth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
Here is the role, Cognito_iOSTestPoolAuth_DefaultRole:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "mobileanalytics:PutEvents",
      "cognito-sync:*"
    ],
    "Effect": "Allow",
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
  }]
}
Here is the trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}
Here is the code I am using:
- (IBAction)cmdLoginWithFB:(id)sender {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
    [self disableUI];
    // Facebook login via the Amazon-provided AmazonClientManager sample class.
    [[AmazonClientManager sharedInstance] loginFromView:self.view withCompletionHandler:^(NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];
}

- (void)refreshUI {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
    //self.browseDataButton.enabled = YES;
    self.cmdLoginWithFB.enabled = YES;
    if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
        self.cmdLoginWithFB.titleLabel.text = @"Link";
        NSLog(@"-----------LOGED IN -------------->");
    }
    else {
        self.cmdLoginWithFB.titleLabel.text = @"Login";
        NSLog(@"-----------NOT LOGED IN -------------->");
    }
    self.cmdLogoutWipe.enabled = [[AmazonClientManager sharedInstance] isLoggedIn];
}

- (IBAction)cmdTestS3Tapped:(id)sender {
    if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
        NSLog(@"-----------LOGED IN -------------->");
        [self testListBucket];
    }
    else {
        NSLog(@"-----------NOT LOGED IN -------------->");
    }
}

- (void)testListBucket {
    // Despite the name, this fetches a single object rather than listing the bucket.
    AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
    getObjectRequest.key = @"image1.jpg";
    getObjectRequest.bucket = @"multix-test";
    NSLog(@"============================================>");
    //default service has been configured previously
    //AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];
    AWSS3 *s3 = [AWSS3 defaultS3];
    // The default S3 client uses the default credentials provider, so the Cognito
    // credential refresh happens here, on the first signed request.
    [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
        if (task.error) {
            NSLog(@"Error: %@", task.error);
        }
        else {
            NSLog(@"Got File");
            // The object body is interpreted as a UTF-8 string holding a URL, which is then opened.
            NSData *data = [task.result body];
            NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            NSURL *url = [[NSURL alloc] initWithString:urlString];
            if (url && [[UIApplication sharedApplication] canOpenURL:url]) {
                [[UIApplication sharedApplication] openURL:url];
            }
        }
        return nil;
    }];
    NSLog(@"============================================>");
}
Error:
2014-11-26 20:58:24.048 FBLoginTest[2647:83767] initializing clients...
2014-11-26 20:58:24.055 FBLoginTest[2647:83767] -----------LOGED IN -------------->
2014-11-26 20:58:33.542 FBLoginTest[2647:83767] -----------LOGED IN -------------->
2014-11-26 20:58:33.542 FBLoginTest[2647:83767] ============================================>
2014-11-26 20:58:33.551 FBLoginTest[2647:83767] ============================================>
2014-11-26 20:58:33.554 FBLoginTest[2647:88515] AWSiOSSDKv2 [Verbose] AWSURLRequestSerialization.m line:110 | -[AWSJSONRequestSerializer serializeRequest:headers:parameters:] | Request body: [{"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}]
2014-11-26 20:58:34.870 FBLoginTest[2647:88605] AWSiOSSDKv2 [Debug] AWSURLResponseSerialization.m line:85 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{
"Content-Length" = 129;
"Content-Type" = "application/x-amz-json-1.1";
Date = "Wed, 26 Nov 2014 16:58:34 GMT";
nnCoection = close;
"x-amzn-RequestId" = "7558584c-758d-11e4-a92d-11020f90ea0e";
}]
2014-11-26 20:58:34.871 FBLoginTest[2647:88605] AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:90 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [{"__type":"NotAuthorizedException","message":"Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSIdentityProvider.m line:212 | __42-[AWSBasicCognitoIdentityProvider refresh]_block_invoke_2 | GetOpenIdToken failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:433 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke293 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] Error: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}
Answer 0 (score: 3)
I think the trust relationship is incorrect. It should be
    "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
    }
because your user is authenticated through Facebook. The trust relationship you provided is for unauthenticated users.
For more details on Cognito, roles and trust relationships, see Bob's three-part blog series:
Part 1: http://mobile.awsblog.com/post/Tx2UQN4KWI6GDJL/Understanding-Amazon-Cognito-Authentication
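To make the point in this answer checkable rather than a matter of reading JSON by eye, here is an added example (my own code, not from the question or the answers, and not part of the AWS SDK) that lints the role setup posted in the question. It embeds the question's trust relationship, role policy and ARNs as constructed inputs and reports three things a practitioner should check before touching the app code: that the trust policy's amr condition admits the identity class the role is meant for ("authenticated" for the authenticated role, "unauthenticated" for the other) and that its aud condition pins the role to this pool; that the permissions policy actually parses, because the posted one repeats Effect, Action and Resource inside a single statement object, which json.loads would otherwise silently collapse to the last value; and that wildcard service grants such as s3:* on Resource * are surfaced, since the question's Constants.h maps the unauthenticated role to the very same role ARN. Pattern matching for StringLike uses fnmatch, which is an assumption on my part that IAM's * and ? wildcards behave the same way for this purpose.

```python
# Added example (not code from the question or answers): lint the IAM role
# configuration behind a Cognito identity pool. The policies and ARNs below are
# copied from the question; the lint rules are my own.
import json
from collections import Counter
from fnmatch import fnmatchcase

POOL_ID = "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
ROLE_AUTH = "arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
ROLE_UNAUTH = "arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"

# Trust relationship as posted: it only admits unauthenticated identities.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"},
    }}]}

# Permissions policy as posted: Effect/Action/Resource appear twice in one object.
PERMISSIONS_AS_POSTED = """{"Version": "2012-10-17", "Statement": [{
  "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Effect": "Allow", "Resource": ["*"],
  "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}"""

# The same grants split into two statements, which is what the poster meant.
PERMISSIONS_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def load_policy(text):
    """json.loads that rejects duplicate keys instead of keeping the last one."""
    def no_duplicates(pairs):
        dups = sorted(k for k, n in Counter(k for k, _ in pairs).items() if n > 1)
        if dups:
            raise ValueError(f"duplicate keys in policy object: {dups}")
        return dict(pairs)
    return json.loads(text, object_pairs_hook=no_duplicates)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, pool_id, expected_amr):
    """Findings for a Cognito role trust policy; expected_amr is "authenticated"
    for the pool's authenticated role and "unauthenticated" for the other."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            findings.append("Principal is not cognito-identity.amazonaws.com")
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append("Action does not include sts:AssumeRoleWithWebIdentity")
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud != pool_id:
            findings.append(f"aud condition {aud!r} does not pin the role to pool {pool_id!r}")
        # Assumption: StringLike's * and ? wildcards match the way fnmatch does.
        patterns = _as_list(cond.get("ForAnyValue:StringLike", {})
                            .get("cognito-identity.amazonaws.com:amr", []))
        if not any(fnmatchcase(expected_amr, p) for p in patterns):
            findings.append(f"amr condition {patterns} does not admit {expected_amr!r} identities")
    return findings

def check_permissions_policy(policy):
    """Flag Allow statements that grant a whole service (svc:*) on Resource *."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if (action == "*" or action.endswith(":*")) and "*" in resources:
                findings.append(f"{action} allowed on every resource")
    return findings

def check_role_pair(auth_arn, unauth_arn):
    """Unauthenticated identities must not be mapped to the authenticated role."""
    return [f"auth and unauth roles are the same: {auth_arn}"] if auth_arn == unauth_arn else []

def lint_question_setup():
    """Run every check against the configuration posted in the question."""
    report = {}
    try:
        load_policy(PERMISSIONS_AS_POSTED)
        report["permissions_parse"] = "ok"
    except ValueError as exc:
        report["permissions_parse"] = str(exc)
    report["permissions_scope"] = check_permissions_policy(PERMISSIONS_FIXED)
    report["auth_role_trust"] = check_trust_policy(TRUST_POLICY, POOL_ID, "authenticated")
    report["unauth_role_trust"] = check_trust_policy(TRUST_POLICY, POOL_ID, "unauthenticated")
    report["role_pair"] = check_role_pair(ROLE_AUTH, ROLE_UNAUTH)
    return report
```

Calling lint_question_setup() reports that the posted trust policy is fine for an unauthenticated role but rejects "authenticated" identities, which is exactly the mismatch this answer describes; it also reports the duplicate keys, the two service-wide wildcard grants, and the fact that both role constants point at the same ARN. Point check_trust_policy at the roles you actually attach to the pool, with the real pool id, before debugging token handling in the app.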
Answer 1 (score: 3)
The "Access to Identity ... is forbidden" error is usually caused by failing to include the token from the login provider (FB) in the credentials provider.
You did not include the code that handles the FB login, but I would make sure you are setting the token correctly on the AWSCognitoCredentialsProvider and setting that provider as the default.
Sebastien's answer is still important, because if you use the wrong role you may run into STS errors later on.
Answer 2 (score: 1)
Thanks Bob & Sebastien,
The problem was that I forgot to include the following code in viewDidLoad:
    [[AmazonClientManager sharedInstance] resumeSessionWithCompletionHandler:^(NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];