我一直在尝试配置一个通过 Salesforce 进行身份验证的 Cognito 身份池,用它创建临时凭证,以便我的 JavaScript 应用程序能够调用 API 网关的路由。
我目前已经能够通过 Salesforce 成功登录用户,并获取由 Cognito 身份池生成的访问密钥、私密密钥和会话令牌;但当我通过 API 网关执行调用时,总是失败并返回以下错误:
{
"Message":
"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********2162:xz33s93f9s/test/GET/helloworld"
}
我相信问题出在我添加到API网关的策略设置中:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::********2162:role/salesforce_login"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:********2162:xz33s93f9s/test/*"
}
]
}
我最近的一次尝试是把 Principal 设为已通过身份验证的用户所获得的角色。我也曾尝试把它设为以下值,但没有成功:
"Principal": {
"Federated": "login.salesforce.com"
}
如果我把策略改为:
"Principal": {
"AWS": "*"
}
HTTP 请求就能成功执行。因此我猜测是我的身份验证有问题,或者是我的策略有问题。
这是我分配给已认证用户的角色:
role/salesforce_login
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "apigateway:*",
"Resource": "arn:aws:apigateway:*::*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sts:*",
"cognito-sync:*"
],
"Resource": "*"
}
]
}
如果问题不在策略,那么也许是我没有正确地发出 HTTP 请求。这是我的代码:
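// Exchange the Salesforce login for temporary AWS credentials from the Cognito
// Identity Pool, then call API Gateway with a request signed by those credentials.
//
// RoleArn is deliberately not set here: the pool already maps authenticated
// identities to role/salesforce_login, and the value the original code passed
// was a string containing a JSON fragment (' "AWS": "arn:..."'), not an ARN.
const cognitoParams = {
  IdentityPoolId: pool_id,
  Logins: logins,
};

// Amazon Cognito region
AWS.config.region = 'us-east-1';

// Initialize CognitoIdentityCredentials
AWS.config.credentials = new AWS.CognitoIdentityCredentials(cognitoParams);
console.log('Completed Setup');

// Resolve the credentials, then use them to sign the API Gateway request.
AWS.config.credentials.get(function (err) {
  if (err) {
    // an error occurred
    printMessage(err);
    console.log(err);
    return;
  }

  const credentials = AWS.config.credentials;
  // Log only a non-secret identifier. The secret access key and session token
  // are live credentials and must not be written to the console.
  console.log(`Credentials obtained for identity: ${credentials.identityId}`);

  const apigClient = apigClientFactory.newClient({
    // Credentials are available now that get() has completed.
    accessKey: credentials.accessKeyId,
    secretKey: credentials.secretAccessKey,
    sessionToken: credentials.sessionToken,
  });

  // Modeled request parameters: the key is the parameter name as it is
  // defined in the API in API Gateway.
  const requestParams = {
    uid: '34567',
  };

  // Body of the request.
  const body = {
    uid: '1234',
  };

  // Unmodeled query parameters or headers go here. Access-Control-Allow-Origin
  // is a *response* header; sending it on the request only forces a CORS
  // preflight and is ignored by the API, so it is not sent.
  const additionalParams = {
    headers: {},
    queryParams: {},
  };

  // NOTE(review): a "User: anonymous is not authorized" denial indicates API
  // Gateway did not evaluate the call as a signed IAM request; confirm the
  // method's authorization type is AWS_IAM so the signature is checked against
  // the resource policy rather than the caller being treated as anonymous.
  apigClient
    .helloworldGet(requestParams, body, additionalParams)
    .then(function (result) {
      console.log('SUCCESS');
      console.log(result);
    })
    .catch(function (result) {
      console.log('FAIL');
      console.log(result);
    });
});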
}
是我的代码有问题,还是策略有问题?任何建议都不胜感激 :)