我们的基本应用流程如下:
反应应用程序:用户登录--->使用cognito进行身份验证->然后重定向到门户网站,他们可以在其中将文件上传到s3
s3中“文件夹”的构造方式如下: 每个用户的电子邮件在s3存储桶中都有一个文件夹/密钥(我们称此存储桶为“ testbucket”)。
因此,如果我的电子邮件是john@google.com,则它将如下所示:存储桶-testbucket,密钥-john@google.com
John只能上载到该文件夹。
现在我的问题是,现在我正在检查“密钥”是否存在,如果没有拒绝对s3的请求。但是,在添加了KMS层之后,我想知道,在节点中发出请求时是否传递kms“主密钥”?如果是这样,我是否只是将密钥保存在例如env变量中,并在进行调用时将其传递给它?
此外,我是否可以在策略中添加一些内容,以将访问权限与已验证的身份验证或用户电子邮件联系起来?如果可以的话,我能举个例子吗? (如何实施示例政策)
编辑1:策略用户
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"cognito/users/"
]
}
}
},
{
"Effect": "Deny",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListObject"
],
"Resource": [
"arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
编辑2:修改后的政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"cognito/users/"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
然后我像这样进行api调用:
var authenticate = (val) => {
var userData = {
Username: val.user, // your username here
Pool: userPool
};
var authenticationData = {
Username: val.user, // your username here
Password: val.pass, // your password here
};
var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails(authenticationData);
var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: function(result) {
var accessToken = result.getAccessToken().getJwtToken();
var idtoken = result.getIdToken().getJwtToken();
var params = {
IdentityPoolId: 'ca-central-1:****',
Logins: {
'cognito-idp.ca-central-1.amazonaws.com/****': result.getIdToken().getJwtToken()
}
}
var cognitoidentity = new AWS.CognitoIdentity();
cognitoidentity.getId(params, function(err, data) {
if (err) console.log(err);
else {
var id = data.IdentityId;
console.log(id);
var params = {
Bucket: 'mybucket',
Key: `cognito/users/${id}/image.jpg`
};
s3.getObject(params, function(err, data) {
if (err) console.log(err, err.stack);
else console.log(data);
});
}
});
},
onFailure: function(err) {
console.log("---------")
console.log(`this is ${JSON.stringify(err)}`);
}
});
}
最新编辑:
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: function(result) {
var accessToken = result.getAccessToken().getJwtToken();
var idtoken = result.getIdToken().getJwtToken();
var params = {
IdentityPoolId: 'ca-central-1:***',
Logins: {
'cognito-idp.ca-central-1.amazonaws.com/***': result.getIdToken().getJwtToken()
}
}
var cognitoidentity = new AWS.CognitoIdentity();
cognitoidentity.getId(params, function(err, data) {
if (err) console.log(err);
else {
// console.log(data);
var id = data.IdentityId;
console.log(id);
var params = {
IdentityId: `${id}`,
Logins: {
'cognito-idp.ca-central-1.amazonaws.com/***': result.getIdToken().getJwtToken()
}
};
cognitoidentity.getCredentialsForIdentity(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else {
// console.log(data); // successful response
var creds = new AWS.Credentials({
accessKeyId: `${data.Credentials.AccessKeyId}`,
secretAccessKey: `${data.Credentials.secretAccessKey}`,
sessionToken: `${data.Credentials.SessionToken}`
})
var s3 = new AWS.S3(creds);
console.log(creds);
var params = {};
s3.listBuckets(params, function(err, data) {
if (err) console.log(err, err.stack);
else console.log(data);
});
}
});
}
});