如何将 lambda-proxy 集成与 IAM 授权方结合使用

时间:2017-05-24 20:46:07

标签: aws-lambda aws-api-gateway amazon-cognito aws-cognito

我有一个 Cognito 用户池，与一个 Cognito 身份池配合使用，为我 API Gateway 中的端点提供细粒度的访问控制，这些端点都使用 IAM 授权方。我的一些端点需要知道调用者的身份。我看过各种文档，说明如何使用 Lambda 集成（而不是 Lambda 代理）获取声明（claims），以及在直接使用 Cognito 用户池授权方时如何获取声明。但 Lambda 集成的配置开销让我不想走这条路，而用户池授权方又不提供通过用户组和 Cognito 身份所获得的那种细粒度访问控制——即让用户承担对正确的 API Gateway 端点具有权限的 IAM 角色。

我在这里遗漏了什么？如何在「用户池 + 身份池 + IAM 授权方」的组合下获取调用用户的信息？我的事件对象如下（已大量删去任何可能敏感的信息，但可以看到我有哪些字段）：

{
    "resource": "/{accountName}/user/{email}",
    "path": "/testAccount/user/ommitted",
    "httpMethod": "GET",
    "headers": {
        "Accept": "application/json",
        "Accept-Encoding": "gzip, deflate, sdch, br",
        "Accept-Language": "en-US,en;q=0.8",
        "CloudFront-Forwarded-Proto": "https",
        "CloudFront-Is-Desktop-Viewer": "true",
        "CloudFront-Is-Mobile-Viewer": "false",
        "CloudFront-Is-SmartTV-Viewer": "false",
        "CloudFront-Is-Tablet-Viewer": "false",
        "CloudFront-Viewer-Country": "US",
        "Host": "ommitted",
        "origin": "http://127.0.0.1:4200",
        "Referer": "http://127.0.0.1:4200/",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.96 Chrome/58.0.3029.96 Safari/537.36",
        "Via": "ommitted",
        "X-Amz-Cf-Id": "ommitted",
        "X-AMZ-Date": "20170524T135448Z",
        "x-amz-security-token": "ommitted",
        "X-Amzn-Trace-Id": "ommitted",
        "X-Forwarded-For": "ommitted",
        "X-Forwarded-Port": "443",
        "X-Forwarded-Proto": "https"
    },
    "queryStringParameters": null,
    "pathParameters": {
        "accountName": "testAccount",
        "email": "ommitted"
    },
    "stageVariables": null,
    "requestContext": {
        "path": "/dev/testAccount/user/ommitted",
        "accountId": "ommitted",
        "resourceId": "ommitted",
        "stage": "dev",
        "requestId": "8df123f6-4088-11e7-b078-8775511f5c09",
        "identity": {
            "cognitoIdentityPoolId": "us-east-2:ommitted",
            "accountId": "ommitted",
            "cognitoIdentityId": "us-east-2:ommitted",
            "caller": "ommitted:CognitoIdentityCredentials",
            "apiKey": "",
            "sourceIp": "ommitted",
            "accessKey": "ommitted",
            "cognitoAuthenticationType": "authenticated",
            "cognitoAuthenticationProvider": "cognito-idp.us-east-2.amazonaws.com/ommitted,cognito-idp.us-east-2.amazonaws.com/ommitted:CognitoSignIn:ommitted",
            "userArn": "arn:aws:sts::ommitted:assumed-role/Cognito_idp_identitypoolAuth_Role/CognitoIdentityCredentials",
            "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.96 Chrome/58.0.3029.96 Safari/537.36",
            "user": "ommitted:CognitoIdentityCredentials"
        },
        "resourcePath": "/{accountName}/user/{email}",
        "httpMethod": "GET",
        "apiId": "ommitted"
    },
"body": null,
"isBase64Encoded": false
}

0 个答案:

没有答案