I am currently using the USER-POOLS authorizer to obtain the first 3 tokens for my API:
From here I want to request credentials so that I can SigV4-sign requests to the API Gateway I have already set up, but first I need to obtain those credentials in order to perform SigV4 at all.
In the documentation I found this:
```javascript
// Set the region where your identity pool exists (us-east-1, eu-west-1)
AWSCognito.config.region = 'us-east-1';
// Configure the credentials provider to use your identity pool
AWSCognito.config.credentials = new AWSCognito.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:009xxxx ...',
});
// Make the call to obtain credentials; the callback receives an error argument
AWSCognito.config.credentials.get(function (err) {
  if (err) { console.log(err); return; }
  // Credentials will be available when this function is called.
  var accessKeyId = AWSCognito.config.credentials.accessKeyId;
  var secretAccessKey = AWSCognito.config.credentials.secretAccessKey;
  var sessionToken = AWSCognito.config.credentials.sessionToken;
});
```
To my surprise, the callback is called, but the values of accessKeyId, secretAccessKey and sessionToken are all empty.
I was expecting some method where I send my first idToken and get credentials based on it, but it looks like all of this is supposed to happen under the hood? Anyway, it does not work for me.
Answer 0 (score: 2)
After some research I realized there is an undocumented way to do this.
You need to build this object first:
```javascript
// Key of the Logins map: the user pool's provider name,
// cognito-idp.<user pool region>.amazonaws.com/<user pool id> (no "https://")
let url = 'cognito-idp.' + 'your user pool region' + '.amazonaws.com/' + 'your user pool id';
let logins = {};
logins[url] = idTokenJwt; // <- the one obtained before
let params = {
  IdentityPoolId: 'the federated identity pool id',
  Logins: logins
};
let creds = new AWS.CognitoIdentityCredentials(params);
AWS.config.region = 'us-east-1';
AWS.config.credentials = creds;
creds.get(function (err) {
  if (!err) {
    console.log("returned without error"); // <-- this gets called!!!
    // and the values are correctly set!
    var accessKeyId = AWS.config.credentials.accessKeyId;
    var secretAccessKey = AWS.config.credentials.secretAccessKey;
    var sessionToken = AWS.config.credentials.sessionToken;
  } else {
    console.log("returned with error"); // <-- might get called if something is missing, anyways self-descriptive.
    console.log(err);
  }
});
```
In my case I still had to configure the trust relationship between the role and the identity pool; here is an example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "your federated identity pool id"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```
* You can also replace "authenticated" with "unauthenticated", "graph.facebook.com", "google...", depending on your needs.
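As an added example (not code from the question or the answer), the following Node.js snippet derives the Logins key from the id token's own `iss` claim instead of concatenating region and pool id by hand, and pre-checks a trust statement shaped like the one above against the identity pool id and `amr` value that will be used. The token, pool ids and statement are constructed placeholders; the token's payload is only read to find the issuer, since Cognito Identity verifies the signature itself when Logins is submitted.

```javascript
// Added example, not the post's code. Sample values below are constructed placeholders.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const USER_POOL_ISSUER = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
const IDENTITY_POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000';
// Unsigned id-token look-alike (dummy signature); only the payload is decoded here.
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', kid: 'example-kid' }),
  b64url({ iss: USER_POOL_ISSUER, token_use: 'id', sub: 'example-sub' }),
  'dummy-signature',
].join('.');
const SAMPLE_TRUST_STATEMENT = {
  Effect: 'Allow',
  Principal: { Federated: 'cognito-identity.amazonaws.com' },
  Action: 'sts:AssumeRoleWithWebIdentity',
  Condition: {
    StringEquals: { 'cognito-identity.amazonaws.com:aud': IDENTITY_POOL_ID },
    'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
  },
};

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// The Logins key is the user pool provider name: the issuer without "https://".
// Logins expects the id token, so token_use is checked to catch an access token.
function loginsFromIdToken(idToken) {
  const { iss, token_use } = decodeJwtPayload(idToken);
  if (token_use !== 'id') throw new Error('Logins needs the id token, not the access token');
  const m = /^https:\/\/(cognito-idp\.[a-z0-9-]+\.amazonaws\.com\/[A-Za-z0-9_-]+)$/.exec(iss);
  if (!m) throw new Error('issuer is not a Cognito user pool: ' + iss);
  return { [m[1]]: idToken };
}

// Mirror the statement's conditions: aud must equal the identity pool id and the
// amr value (authenticated / unauthenticated / provider name) must match the pattern.
function trustPolicyAllows(statement, identityPoolId, amr) {
  const cond = statement.Condition || {};
  const aud = (cond.StringEquals || {})['cognito-identity.amazonaws.com:aud'];
  const pattern = (cond['ForAnyValue:StringLike'] || {})['cognito-identity.amazonaws.com:amr'];
  if (typeof pattern !== 'string') return false;
  const re = new RegExp('^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
  return statement.Effect === 'Allow' && statement.Action === 'sts:AssumeRoleWithWebIdentity'
    && (statement.Principal || {}).Federated === 'cognito-identity.amazonaws.com'
    && aud === identityPoolId && re.test(amr);
}
```

The object returned by `loginsFromIdToken` is what goes into `params.Logins`; if `trustPolicyAllows` returns false for your pool id and `amr`, `creds.get` will fail on the role side rather than on the token side.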