CognitoIdentityCredentials is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis

Time: 2020-05-27 07:50:51

Tags: amazon-web-services aws-api-gateway aws-amplify aws-amplify-sdk-js

Can someone help point out what the problem is when I try to access an AWS apigateway resource using the AWS Amplify JavaScript SDK?

When a user logs in to the platform (the portal I am building), the role assumed via the AuthRole is able to load the API catalogue, based on permissions that allow read access to all apigateway resources. Here is what the policy looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "appsync:*",
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:DELETE",
                "apigateway:PATCH",
                "apigateway:PUT",
                "cloudformation:CreateStack",
                "cloudformation:CreateStackSet",
                "cloudformation:DeleteStack",
                "cloudformation:DeleteStackSet",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStackSet",
                "cloudformation:DescribeStackSetOperation",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack",
                "cloudformation:UpdateStackSet",
                "cloudfront:CreateCloudFrontOriginAccessIdentity",
                "cloudfront:CreateDistribution",
                "cloudfront:DeleteCloudFrontOriginAccessIdentity",
                "cloudfront:DeleteDistribution",
                "cloudfront:GetCloudFrontOriginAccessIdentity",
                "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig",
                "cloudfront:TagResource",
                "cloudfront:UntagResource",
                "cloudfront:UpdateCloudFrontOriginAccessIdentity",
                "cloudfront:UpdateDistribution",
                "cognito-identity:CreateIdentityPool",
                "cognito-identity:DeleteIdentityPool",
                "cognito-identity:DescribeIdentity",
                "cognito-identity:DescribeIdentityPool",
                "cognito-identity:SetIdentityPoolRoles",
                "cognito-identity:UpdateIdentityPool",
                "cognito-idp:CreateUserPool",
                "cognito-idp:CreateUserPoolClient",
                "cognito-idp:DeleteUserPool",
                "cognito-idp:DeleteUserPoolClient",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:UpdateUserPool",
                "cognito-idp:UpdateUserPoolClient",
                "dynamodb:CreateTable",
                "dynamodb:DeleteItem",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:GetUser",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:UpdateRole",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "s3:*",
                "amplify:*"
            ],
            "Resource": "*"
        }
    ]
}

The above policy is attached to the authRole (the role used when the user is authenticated) and works as expected with the following code:

// Exchanges the Cognito User Pool id token for identity-pool credentials (authRole).
// Logins maps the user pool provider name to the id token; typing it as a string map
// keeps the indexed assignment below valid under strict TypeScript.
public async configureAwsIdentityCredentials(): Promise<boolean> {
  const sessionUser = await Auth.currentAuthenticatedUser();

  const idToken = sessionUser.signInUserSession.idToken.jwtToken;
  const cognitoParams = {
    IdentityPoolId: environment.appClient.identityPoolId,
    Logins: {} as Record<string, string>,
  };

  cognitoParams.Logins[environment.cognitoIdpUrl + environment.appClient.userPoolId] = idToken;
  AWS.config.credentials = new AWS.CognitoIdentityCredentials(cognitoParams);

  return of(true).toPromise();
}

The problem arises when I need to fetch resources from AWS without an authenticated user. I have enabled unauthenticated access on the identity pool and attached the above policy to the unauthRole. When running the following code I get an AWS.ICredentials instance... although when running the app I receive an access denied error... Below is the snippet for unauthenticated access:

// Guest (unauthenticated) path: Amplify returns identity-pool credentials for the
// unauthRole without a user pool login, and they are handed to the AWS SDK as-is.
public async configureCurrentCreditialsWithoutLogin(): Promise<boolean> {
  const credentials = await Auth.currentCredentials();

  AWS.config.credentials = credentials;

  return of(true).toPromise();
}

Error on console

Here is the textContent of the console error from the image:

ERROR Error: "Uncaught (in promise): AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/amplify-XXXX-unauthRole/CognitoIdentityCredentials is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis

Please see the following CloudTrail events (authenticated and unauthenticated):

Authenticated:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAUKJTJFOLBWD5XZVSP:CognitoIdentityCredentials",
        "arn": "arn:aws:sts::xxx:assumed-role/xxx-authRole/CognitoIdentityCredentials",
        "accountId": "xxx",
        "accessKeyId": "xxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAUKJTJFOLBWD5XZVSP",
                "arn": "arn:aws:iam::xxx:role/xxx-authRole",
                "accountId": "xxx",
                "userName": "xxx-authRole"
            },
            "webIdFederationData": {
                "federatedProvider": "cognito-identity.amazonaws.com",
                "attributes": {
                    "cognito-identity.amazonaws.com:amr": "[\"authenticated\",\"cognito-idp.eu-west-1.amazonaws.com/eu-west-1_cCdLTN7nA\",\"cognito-idp.eu-west-1.amazonaws.com/eu-west-1_cCdLTN7nA:CognitoSignIn:6c6f8c2e-d7e9-4e31-99dd-0c46898fd9a2\"]",
                    "cognito-identity.amazonaws.com:aud": "eu-west-1:2a0fcef4-dd19-4db5-955f-5e1a2865f821",
                    "cognito-identity.amazonaws.com:sub": "eu-west-1:d5a7dc54-67f9-4b9e-9993-91e2cfa9d624"
                }
            },
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-06-10T14:58:43Z"
            }
        }
    },
    "eventTime": "2020-06-10T14:58:44Z",
    "eventSource": "apigateway.amazonaws.com",
    "eventName": "GetRestApis",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "41.113.113.159",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
    "requestParameters": {
        "limit": 20,
        "template": false
    },
    "responseElements": null,
    "requestID": "db448c52-dd00-4c51-af23-e3e51c934407",
    "eventID": "b6aa7c4b-120e-49a8-b81c-2256f7ee4491",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "recipientAccountId": "xxx"
}

Unauthenticated:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAUKJTJFOLPFSCSBJPE:CognitoIdentityCredentials",
        "arn": "arn:aws:sts::xxx:assumed-role/xxx-unauthRole/CognitoIdentityCredentials",
        "accountId": "xxx",
        "accessKeyId": "xxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAUKJTJFOLPFSCSBJPE",
                "arn": "arn:aws:iam::xxx:role/xxx-unauthRole",
                "accountId": "xxx",
                "userName": "xxx-unauthRole"
            },
            "webIdFederationData": {
                "federatedProvider": "cognito-identity.amazonaws.com",
                "attributes": {
                    "cognito-identity.amazonaws.com:amr": "[\"unauthenticated\"]",
                    "cognito-identity.amazonaws.com:aud": "eu-west-1:2a0fcef4-dd19-4db5-955f-5e1a2865f821",
                    "cognito-identity.amazonaws.com:sub": "eu-west-1:05fe8797-163f-4cee-98c1-754ad268d83b"
                }
            },
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-06-10T14:58:00Z"
            }
        }
    },
    "eventTime": "2020-06-10T14:58:01Z",
    "eventSource": "apigateway.amazonaws.com",
    "eventName": "GetRestApis",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "169.0.135.161",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::xxx:assumed-role/xxx-unauthRole/CognitoIdentityCredentials is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "e9091a88-dc61-4999-8683-336fbf4fbc74",
    "eventID": "977ca45c-559e-4a31-9960-41accfb1aaa7",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "recipientAccountId": "xxx"
}
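As an added example (not part of the question or of any answer, and not Amplify's or AWS's code), the script below does the offline triage a defender would run on the two CloudTrail events above: it classifies each call by the Cognito identity type carried in the `amr` claim, extracts the denied action and resource from the AccessDenied error message, checks whether the attached identity policy even contains an Allow for that action, and reviews the policy for actions that should never sit on a role any anonymous visitor can assume. `EVENTS` are trimmed copies constructed from the two events in the question (account ids stay redacted as `xxx`) and `POLICY` is a subset of the posted statement; `policy_allows` models only the identity policy itself, so an Allow there is necessary but not sufficient (Deny statements, conditions, service control policies and any scoping the credential issuer applies to the session are not evaluated).

```python
"""Offline triage of Cognito identity-pool CloudTrail events against the role policy.

Added example, not code from the question. EVENTS are constructed from the two
events posted above (trimmed, account ids redacted as "xxx"); POLICY is a subset
of the unauthRole statement posted above.
"""
import fnmatch
import json
import re

POLICY = {  # subset of the posted VisualEditor0 statement
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "apigateway:GET", "apigateway:POST",
            "cognito-identity:SetIdentityPoolRoles",
            "dynamodb:PutItem",
            "iam:CreateRole", "iam:PassRole", "iam:PutRolePolicy",
            "lambda:CreateFunction", "lambda:InvokeFunction",
            "s3:*", "amplify:*",
        ],
        "Resource": "*",
    }],
}


def _cognito_event(role, amr, error=None):
    """Build a trimmed CloudTrail record shaped like the two posted above (constructed)."""
    ev = {
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "GetRestApis",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::xxx:assumed-role/{role}/CognitoIdentityCredentials",
            "sessionContext": {"webIdFederationData": {"attributes": {
                "cognito-identity.amazonaws.com:amr": json.dumps(amr),
            }}},
        },
    }
    if error:
        ev["errorCode"] = "AccessDenied"
        ev["errorMessage"] = error
    return ev


EVENTS = [
    _cognito_event("xxx-authRole",
                   ["authenticated", "cognito-idp.eu-west-1.amazonaws.com/eu-west-1_cCdLTN7nA"]),
    _cognito_event("xxx-unauthRole", ["unauthenticated"],
                   "User: arn:aws:sts::xxx:assumed-role/xxx-unauthRole/CognitoIdentityCredentials "
                   "is not authorized to perform: apigateway:GET on resource: "
                   "arn:aws:apigateway:eu-west-1::/restapis"),
]

DENIED_RE = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")
# Actions that let a caller mint roles, rewire which roles the pool hands out, or run their own code.
ESCALATION_ACTIONS = {
    "iam:CreateRole", "iam:PassRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:UpdateRole",
    "cognito-identity:SetIdentityPoolRoles", "lambda:CreateFunction", "lambda:UpdateFunctionCode",
    "cloudformation:CreateStack",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_kind(event):
    """'authenticated' or 'unauthenticated', taken from the amr claim Cognito records."""
    attrs = event["userIdentity"]["sessionContext"]["webIdFederationData"]["attributes"]
    amr = json.loads(attrs["cognito-identity.amazonaws.com:amr"])
    return "authenticated" if "authenticated" in amr else "unauthenticated"


def denied_calls(events):
    """One finding per AccessDenied event: who (identity kind, role ARN), what action, which resource."""
    findings = []
    for ev in events:
        if ev.get("errorCode") != "AccessDenied":
            continue
        match = DENIED_RE.search(ev.get("errorMessage", ""))
        if match:
            action, resource = match.groups()
        else:  # most services log the IAM action as eventName; API Gateway (HTTP-verb actions) does not
            action, resource = f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}", "*"
        findings.append({"identity": identity_kind(ev), "role": ev["userIdentity"]["arn"],
                         "action": action, "resource": resource})
    return findings


def policy_allows(policy, action, resource):
    """Identity-policy check only: does some Allow statement match the action and resource?
    IAM matching is case-insensitive with '*' and '?' wildcards, which fnmatch reproduces here.
    Deny statements, conditions and anything outside this document are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
        res_ok = any(fnmatch.fnmatchcase(resource.lower(), r.lower()) for r in _as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False


def risky_actions_for_unauth(policy):
    """Least-privilege review for a guest role: service-wide wildcards, any IAM/STS action,
    and known privilege-escalation actions granted by an Allow statement."""
    risky = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":")[0]
            if action.endswith("*") or service in ("iam", "sts") or action in ESCALATION_ACTIONS:
                risky.add(action)
    return sorted(risky)


if __name__ == "__main__":
    for f in denied_calls(EVENTS):
        print(f"{f['identity']} {f['role']} denied {f['action']} on {f['resource']}; "
              f"identity policy allows it: {policy_allows(POLICY, f['action'], f['resource'])}")
    print("too powerful for a guest role:", risky_actions_for_unauth(POLICY))
```

Run against the embedded events, the denied call is attributed to the unauthenticated identity and the policy does contain an Allow for `apigateway:GET` on `*`, which tells the investigator to look beyond the identity policy rather than add more permissions to it. The least-privilege review is the part worth keeping in a pipeline: the same statement that is merely broad on an authenticated role grants `iam:CreateRole`, `iam:PassRole`, `iam:PutRolePolicy`, `lambda:CreateFunction` and `s3:*` to every anonymous visitor once it is attached to the unauthRole.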

0 answers:

No answers