我正在使用带有aws-amplify(https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities)的联合身份池,并且我想将域的范围限制为我的Google域组织(例如johndoe@foobar.com)。 / p>
似乎没有办法将其锁定在Google API控制台或AWS Cognito身份池设置上,只是暗示可以将hd参数附加到google请求中以按域进行限制(这仍然需要修改aws-amplify核心程序包),而且仍然不安全,因为任何人都可以在没有hd的情况下发出相同的请求并获得对cognito的访问权限。
我的问题是这样:有没有办法限制google oauth密钥只允许@ foobar.com电子邮件地址,或者对aws cognito实施相同的限制?
答案 0 :(得分:2)
我相信我找到了一个解决方案(通过一些快速测试,看来效果很好)
不要尝试通过信任关系来控制托管域部分 在角色中。
转到:认知/编辑身份池/身份验证提供程序
选择Google +
在“经过身份验证的角色选择”中,选择“使用规则选择角色”
现在要求声明“ hd”等于“
<your-domain>
”将“角色解析”设置为“拒绝”
来源:https://forums.aws.amazon.com/thread.jspa?messageID=527303
这里是一个cloudformation堆栈,可一次性设置所有内容(身份池,角色等)。 您需要在标有EDIT HERE:
注释的所有地方进行必要的调整。
AWSTemplateFormatVersion : 2010-09-09
Description : "An Identity Pool stack which uses Google for sign-in"
Resources:
IdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: identity_pool_a
AllowUnauthenticatedIdentities: false
SupportedLoginProviders:
# EDIT HERE:
"accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"
IdentityForbiddenRole:
Type: AWS::IAM::Role
Properties:
MaxSessionDuration: 3600
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
ForAnyValue:StringLike:
"cognito-identity.amazonaws.com:amr": unauthenticated
Policies:
- PolicyName: None
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Deny
Action: "*"
Resource: "*"
IdentityAllowedRole:
Type: AWS::IAM::Role
Properties:
MaxSessionDuration: 3600
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
ForAnyValue:StringLike:
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: UserPermissions
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
# EDIT HERE:
Action: "s3:GetObject"
# EDIT HERE:
Resource: "arn:aws:s3:::my-bucket/*"
RoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref IdentityPool
Roles:
unauthenticated: !GetAtt IdentityForbiddenRole.Arn
authenticated: !GetAtt IdentityForbiddenRole.Arn
RoleMappings:
accounts.google.com:
AmbiguousRoleResolution: Deny
Type: Rules
RulesConfiguration:
Rules:
- Claim: hd
MatchType: Equals
# EDIT HERE:
Value: mydomain.com
RoleARN: !GetAtt IdentityAllowedRole.Arn