我正在使用AWS Cognito增强(简化)流程来获取Cognito身份凭证,该凭证提供使用Google登录api登录后收到的idToken:
export function getAWSCredentialWithGoogle(authResult) {
if (authResult['idToken'] != null) {
AWS.config.region = 'eu-central-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-central-1:xxxxxxxxxxxxxxxxxxxxxxxx',
Logins: {
'accounts.google.com': authResult['idToken']
}
})
return AWS.config.credentials.getPromise()
.then(
function(){
return getAWSCredentials(AWS.config.credentials);
},
function(err) {
}
)
} else {
console.log('no auth code found!');
}
}
我得到了:
accessKeyId:“ ASIAXXXXXX”, secretAccessKey:“ ta4eqkCcxxxxxxxxxxxxxxxxxxxxxx”, sessionToken:“ xxxxxxxxx ...等...”
然后,我尝试将图片上传到S3存储桶中,并传递以上收到的accessKeyId和secretAccessKey。 但我收到此错误结果:
InvalidAccessKeyId您提供的AWS访问密钥ID在我们的记录中不存在。ASIAXXXXXXXXXXXXXXXX
这是我设置AWS S3(托管)策略(存储桶的资源策略是默认策略)以编程方式访问存储桶的方法:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::xxxxxxxxxx",
"arn:aws:s3:::xxxxxxxxxx/users"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${cognito-identity.amazonaws.com:sub}/*"
]
}
}
},
{
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:PutObjectVersionAcl",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::xxxxxxxxx/users/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::xxxxxxxxx/users/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
此策略已附加到具有以下信任关系的IAM角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "eu-central-1xxxxxxxxxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
我已经正确配置了联合身份池以使用此角色,并将Google添加为OpenID Connect提供程序。 通过提供用户池ID和应用程序客户端ID,我还将Cognito身份池配置为接受与Cognito用户池联合的用户。
我想授予任何经过Google登录身份验证的用户,可以访问S3存储桶,并拥有对其自己目录的读/写权限。