请求中包含的安全令牌无效。 aws js sdk

时间:2015-10-05 20:04:17

标签: javascript amazon-web-services amazon-dynamodb amazon-cognito

我发布了here on the AWS forum

我使用aws-js-sdk v2.2.3和以下代码。我通过填充Credentials获取数据。当我尝试使用凭据时,我得到的错误是它们无效。我使用了开发人员身份验证身份流程。我有两个角色Auth& UNAUTH。我的身份池看起来很正确。信任关系看起来像是指向正确的标识池ID。 S3&的Auth角色附有政策。 DynamoDB。我不知所措。任何帮助,将不胜感激。

javascript客户端:

var cognitoidentity = new AWS.CognitoIdentity({region: 'us-east-1'});
    var params = {
      IdentityId: user.cognito_id,
      Logins: {
    'cognito-identity.amazonaws.com': user.cognito_token
      }
    };
    cognitoidentity.getCredentialsForIdentity(params, function(err, data) {
      if (err) console.log(err, err.stack); // an error occurred
      else console.log(data.Credentials);
    });

我在控制台上登录了Id& SecretKey和他们被填写。

var aws_creds = StateService.get('user').aws_creds;
console.log(aws_creds.AccessKeyId);
console.log(aws_creds.SecretKey);
AWS.config.update({ accessKeyId: aws_creds.AccessKeyId,
            secretAccessKey: aws_creds.SecretKey,
            endpoint: ENV.aws_dyndb_endpoint,
            region: 'us-east-1'
            });
var dynamodb = new AWS.DynamoDB();


console.log("user obj: ", StateService.get('user'));
var params = {
    TableName: games_table_name,
    KeyConditionExpression: "Id = :v1",
    ExpressionAttributeValues: {
      ":v1": {"N": id}
    }
};

return dynamodb.query(params);

我的解决方案
我想到的是显式刷新凭据,而不是在我创建DynamoDb对象时懒得。这是我使用的功能,它返回一个承诺&刷新凭据时解析。

refresh: function() {
    var deferred = $q.defer();
    AWS.config.region = 'us-east-1'; 
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: COGNITO_IDENTITY_POOL_ID, 
      IdentityId: COGNITO_ID, 
      Logins: 'cognito-identity.amazonaws.com'
    });

    AWS.config.credentials.refresh(function(error) {
      if ((error === undefined) || (error === null)) {
        $log.debug("Credentials Refreshed Success: ", AWS.config.credentials);
        var params = {
          region: 'us-east-1',
          apiVersion: '2012-08-10',
          credentials: AWS.config.credentials
        };

        $rootScope.dynamodb = new AWS.DynamoDB({params: params});
        deferred.resolve();
      }
      else {
        $log.debug("Error refreshing AWS Creds:, ", error);
        deferred.reject(error);
      }
    });

    return deferred.promise;
}

2 个答案:

答案 0 :(得分:2)

如果要使用Cognito凭据调用其他AWS服务,我建议您使用Javascript SDK中的高级AWS.CognitoIdentityCredentials对象,而不是直接调用服务API。

您可以在Cognito开发人员指南中找到有关如何初始化和使用AWS.CognitoIdentityCredentials的更多信息: Developer Authenticated Identities

阿尔伯特

答案 1 :(得分:1)

流程如下:您向CognitoIdentityCredentials询问IdentityId,IDentityId应该跟踪设备和整个身份提供商(Facebook,Google,TWitter等)的用户如果您使用该ID,则要求在您的支柱CognitoIdentity上附加一个角色,在您获得该代币后,您会向STS.assumeRoleWithWebIdentity询问是否附有适当角色的临时凭证。

这是我如何做到的一个例子:

// set the Amazon Cognito region
AWS.config.region = 'us-east-1';

// initialize the Credentials object with our parameters
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:YMIDENTITYPOLEID',
});

// We can set the get method of the Credentials object to retrieve
// the unique identifier for the end user (identityId) once the provider
// has refreshed itself
AWS.config.credentials.get(function(err) {
    if (err) {
        console.log("Error: "+err);
        return;
    }
    console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);

        params = {
            IdentityId: AWS.config.credentials.identityId
        }

    // Other service clients will automatically use the Cognito Credentials provider
    // configured in the JavaScript SDK.

        // Get the Role associated with the id coming from the pool
        var cognitoidentity = new AWS.CognitoIdentity();

        cognitoidentity.getOpenIdToken(params, function(err, data) {
            if (err){
                console.log(err, err.stack); // an error occurred
            }else{
                        // Get temporoarly credientials form STS to access the API
                        var params = {
                            RoleArn: 'ROLE_OF_YOUR_POLE_ARN', /* required */
                            RoleSessionName: 'WHATEVERNAME', /* required */
                            WebIdentityToken: data.Token, /* required */
                        };

                        var sts = new AWS.STS()

                        console.log(data);           // successful response
                        console.log(data.Token)

                        sts.assumeRoleWithWebIdentity(params, function(err, data) {
                                if (err){
                                        console.log(err, err.stack); // an error occurred
                                }else{
                                        console.log(data);           // successful response
                                        // Now we need these credentials that we got for this app and for this user
                                        // From here we can limit the damage by
                                        // Burst calling to the API Gateway will be limited since we now that this is a single user on a single device
                                        // If suspicious activities we can drop this user/device
                                        // The privileges are limited since the role attached to this is only the API GateWay calling
                                        // This creds are temporary they will expire in 1h

                                        var apigClient = apigClientFactory.newClient({
                                            accessKey: data.Credentials.AccessKeyId,
                                            secretKey: data.Credentials.SecretAccessKey,
                                            sessionToken: data.Credentials.Token, //OPTIONAL: If you are using temporary credentials you must include the session token
                                            region: AWS.config.region // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
                                        });

                                        // Call the get to test
                                        apigClient.deviceGet({}, {})
                                    .then(function(result){
                                        //This is where you would put a success callback
                                                console.log(result)
                                    }).catch( function(result){
                                        //This is where you would put an error callback
                                    });

                                }
                        });
            }
        });

});

注意:这是一个访问API网关服务的测试,但访问其他服务没有什么不同,这取决于您配置它的极点及其附加服务。

如果您拥有在IAM中创建的用户的凭据,则不需要临时令牌,但如果您使用此流,则必须包含该凭据。

另一点,限制访问你的杆子上的服务,请记住,这是一个公开给定的密钥,每个人都可以使用它来访问你的东西。

使用STS.assumeRoleWithWebIdentity是因为我们在Web上,在AWS JS SDK中,如果您使用iOS或android / java或Boto,则必须使用STS.assumeRole。

希望这有帮助。