如何使用UserPools idToken获取AWS凭据?

时间:2017-08-09 18:35:02

标签: amazon-web-services aws-sdk amazon-cognito aws-cognito

我目前正在使用USER-POOLS授权程序来获取我的API的前3个令牌:

  • idToken
  • refreshToken
  • 的accessToken

从这里我想请求凭据能够SigV4请求我已经设置的API网关,但首先我需要获取所请求的凭据才能执行SigV4。

在文档中我发现了这个:

// Set the region where your identity pool exists (us-east-1, eu-west-1)
AWSCognito.config.region = 'us-east-1';

// Configure the credentials provider to use your identity pool
AWSCognito.config.credentials = new AWSCognito.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:009xxxx ...',
});

// Make the call to obtain credentials
AWSCognito.config.credentials.get(function(){

  // Credentials will be available when this function is called.
  var accessKeyId = AWSCognito.config.credentials.accessKeyId;
  var secretAccessKey = AWSCognito.config.credentials.secretAccessKey;
  var sessionToken = AWSCognito.config.credentials.sessionToken;

});

令我惊讶的是,回调被调用但是值为 - accessKeyId - secretAccessKey - sessionToken 都是空的。

我期待某种方法,我发送我的第一个idToken,并根据我获得凭据,但看起来这一切都在引擎盖下找到了?,无论如何它对我不起作用。< / p>

1 个答案:

答案 0 :(得分:2)

经过一些研究,我意识到有一种无证的方法可以做到这一点。

您需要先构建此对象:

let url = 'cognito-idp.' + 'identity pool region' + '.amazonaws.com/' + 'your user pool id';
let logins = {};

logins[url] = idTokenJwt; // <- the one obtained before

let params = {
   IdentityPoolId: 'the federated identity pool id', 
   Logins: logins
};

let creds = new AWS.CognitoIdentityCredentials(params);


AWS.config.region = 'us-east-1';
AWS.config.credentials = creds;

creds.get(function (err: any) {
  if (!err) {
    console.log("returned without error"); // <-- this gets called!!!

    // and the values are correctly set!
    var accessKeyId = AWS.config.credentials.accessKeyId;
    var secretAccessKey = AWS.config.credentials.secretAccessKey;
    var sessionToken = AWS.config.credentials.sessionToken;

  }
  else{
    console.log("returned with error"); // <-- might get called if something is missing, anyways self-descriptive. 
    console.log(err);
  }
});

在我的情况下,我仍然需要配置角色和身份池之间的信任关系,这里是示例:

{
  "Sid": "",
  "Effect": "Allow",
  "Principal": {
    "Federated": "cognito-identity.amazonaws.com"
  },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {
      "cognito-identity.amazonaws.com:aud": "your federated identity pool id"
    },
    "ForAnyValue:StringLike": {
      "cognito-identity.amazonaws.com:amr": "authenticated"
    }
  }
}

*您也可以替换&#34;经过身份验证的&#34;使用&#34;未经身份验证&#34;,&#34; graph.facebook.com&#34;,&#34; google ...&#34;,根据您的需要。