在移动应用程序中,我希望lambda函数仅能够访问DynamoDB中的行,其中键是调用Lambda的userId。 我已设定以下政策,但我不断获得
User: arn:aws:sts::XXX:assumed-role/FederatedIdentityRole/CognitoIdentityCredentials is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:XXX:table/UserData
欢迎任何提示。 谢谢
以下是Lambda的政策:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXX:table/UserData"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": "${cognito-identity.amazonaws.com:sub}"
}
}
}
答案 0 :(得分:-1)
我刚刚发现${cognito-identity.amazonaws.com:sub}并没有真正引用您从Cognito用户池中获得的身份验证令牌中的sub字段,而是引用了您从Cognito用户池中获得的IdentityId该用户的identityPool!