Question

我正在使用带有aws-amplify（https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities）的联合身份池，并且我想将域的范围限制为我的Google域组织（例如johndoe@foobar.com）。 / p>

似乎没有办法将其锁定在Google API控制台或AWS Cognito身份池设置上，只是暗示可以将hd参数附加到google请求中以按域进行限制（这仍然需要修改aws-amplify核心程序包），而且仍然不安全，因为任何人都可以在没有hd的情况下发出相同的请求并获得对cognito的访问权限。

我的问题是这样：有没有办法限制google oauth密钥只允许@ foobar.com电子邮件地址，或者对aws cognito实施相同的限制？

Answer 1

我相信我找到了一个解决方案（通过一些快速测试，看来效果很好）

不要尝试通过信任关系来控制托管域部分   在角色中。



转到：认知/编辑身份池/身份验证提供程序



选择Google +



在“经过身份验证的角色选择”中，选择“使用规则选择角色”



现在要求声明“ hd”等于“ <your-domain>”



将“角色解析”设置为“拒绝”

来源：https://forums.aws.amazon.com/thread.jspa?messageID=527303

这里是一个cloudformation堆栈，可一次性设置所有内容（身份池，角色等）。 您需要在标有EDIT HERE:注释的所有地方进行必要的调整。

AWSTemplateFormatVersion : 2010-09-09
Description : "An Identity Pool stack which uses Google for sign-in"


Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: identity_pool_a
      AllowUnauthenticatedIdentities: false
      SupportedLoginProviders: 
        # EDIT HERE:
        "accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"

  IdentityForbiddenRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow 
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: None
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny
                Action: "*"
                Resource: "*"

  IdentityAllowedRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: UserPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # EDIT HERE:
                Action: "s3:GetObject"
                # EDIT HERE:
                Resource: "arn:aws:s3:::my-bucket/*"

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles: 
        unauthenticated: !GetAtt IdentityForbiddenRole.Arn
        authenticated: !GetAtt IdentityForbiddenRole.Arn
      RoleMappings: 
        accounts.google.com:
          AmbiguousRoleResolution: Deny
          Type: Rules
          RulesConfiguration:
            Rules:
              - Claim: hd
                MatchType: Equals
                # EDIT HERE:
                Value: mydomain.com
                RoleARN: !GetAtt IdentityAllowedRole.Arn

限制登录到适用于AWS Federated Identity Pool的Enterprise Google Domain

1 个答案: