我有S3存储桶,已将其配置为使用Cognito用户池管理访问权限,如此处[https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html]所述:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<bucket-name>",
"Condition": {
"StringLike": {
"s3:prefix": "cognito/<app-name>/"
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<bucket-name>/cognito/<app-name>/${cognito-identity.amazonaws.com:sub}*",
"arn:aws:s3:::<bucket-name>/cognito/<app-name>/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
我有一个角度网络应用程序,该应用程序使用cognito用户池对用户进行身份验证,并且我正在使用S3客户端来获取对象。我看到对cognito服务(https://cognito-identity.eu-central-1.amazonaws.com/)的调用已成功完成,并且返回了身份作为响应,但随后对s3的直接调用失败,状态码为403:
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>AAC2B5FC5C74C971</RequestId><HostId>l8AOygYbUT+Y1QhTjHydRJ9Uxc97ElSZ+l6H2RQlNglpQuZrqQPW532U6Pixil7YPZ4ugpreoSs=</HostId></Error>
这是我的代码设置AWS凭证:
buildCognitoCreds(idTokenJwt: string) {
let url = 'cognito-idp.' + CognitoUtil._REGION.toLowerCase() + '.amazonaws.com/' + CognitoUtil._USER_POOL_ID;
if (environment.cognito_idp_endpoint) {
url = environment.cognito_idp_endpoint + '/' + CognitoUtil._USER_POOL_ID;
}
let logins: CognitoIdentity.LoginsMap = {};
logins[url] = idTokenJwt;
let params = {
IdentityPoolId: CognitoUtil._IDENTITY_POOL_ID, /* required */
Logins: logins
};
let serviceConfigs = <awsservice.ServiceConfigurationOptions>{};
if (environment.cognito_identity_endpoint) {
serviceConfigs.endpoint = environment.cognito_identity_endpoint;
}
let creds = new AWS.CognitoIdentityCredentials(params, serviceConfigs);
this.setCognitoCreds(creds);
return creds;
}
我想念什么? 无论我尝试什么,我都会被拒绝访问。