Customize the IAM role based on the Cognito role

Time: 2020-06-09 09:23:00

Tags: javascript amazon-web-services amazon-cognito amazon-quicksight

I have enabled QuickSight SSO for users, and all users will have the same IAM role. This is the IAM role that was created.

    AuthorRole:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName: "author-role-quicksight"
        # Trust policy: any authenticated identity of this identity pool may assume the role
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated:
                  - "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    - !Ref CognitoIdentityPool
                ForAnyValue:StringLike:
                  cognito-identity.amazonaws.com:amr:
                    - "authenticated"
        Path: "/"
        # Permissions attached to the role
        Policies:
          - PolicyName: "QuickSightCreateUser"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action: "quicksight:CreateUser"
                  Resource: "*"

The main problem here is that the first person who logs in gets their entry added to the QuickSight Manage Users table (screenshot added below), while all the other users are able to log in but their entries are not added to the users table. This is because the QuickSight Manage Users table has the "User name" as the IAM role. How can I customize and change the user name so that it is a unique identifier, such as the email ID?

[screenshot: QuickSight Manage Users table]

This is how I do the QuickSight SSO:

    // authData, identityPool, region, poolId, endpoint, thisUrlEncoded and
    // quicksightUrlEncoded are defined elsewhere in the page.
    let auth = new AWSCognito.CognitoIdentityServiceProvider.CognitoAuth(authData);
    let id_token = auth.signInUserSession.idToken.jwtToken;

    // Exchange the user pool ID token for identity pool (temporary STS) credentials
    let cognitoParams = {
        IdentityPoolId: identityPool,
        Logins: {}
    };
    cognitoParams.Logins["cognito-idp." + region + ".amazonaws.com/" + poolId] = id_token;
    AWS.config.credentials = new AWS.CognitoIdentityCredentials(cognitoParams);

    AWS.config.getCredentials(function (err) {
        if (err) {
            console.error("Could not obtain Cognito identity credentials: " + err);
            return;
        }
        // Package the temporary credentials in the form the federation endpoint expects
        let creds = {
            "sessionId": AWS.config.credentials.accessKeyId,
            "sessionKey": AWS.config.credentials.secretAccessKey,
            "sessionToken": AWS.config.credentials.sessionToken
        };
        let credsEncoded = encodeURIComponent(JSON.stringify(creds));
        let uri = "https://signin.aws.amazon.com/federation?Action=getSigninToken&SessionDuration=3600&Session=" + credsEncoded;

        // The getSigninToken request is sent to the backend at `endpoint`, which
        // performs the call and returns the SigninToken
        $.ajax({
            type: 'POST',
            url: endpoint,
            headers: {
                Authorization: id_token
            },
            data: uri,
            success: function (response) {
                let quickSightSSO = "https://signin.aws.amazon.com/federation?Action=login&Issuer=" + thisUrlEncoded + "&Destination=" + quicksightUrlEncoded + "&SigninToken=" + response.SigninToken;
                // The sign-in token is a bearer credential for the console session; avoid logging it in production
                console.log("Federated Sign In Token: " + response.SigninToken);
                console.log("AWS Console Sign In URL: " + quickSightSSO);
                window.location = quickSightSSO;
                document.getElementById("consoleLink").innerHTML = "<a href='" + quickSightSSO + "'>" + "https://quicksight.aws.amazon.com/sn/start" + "</a>";
                document.getElementById("loader").style.display = "none";
                document.getElementById("instructions").style.display = 'block';
            },
            error: function (xhr) {
                console.error("getSigninToken request failed: " + xhr.status);
            }
        });
    });
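
The federation flow in the question, as an added example that is not code from the question or from AWS: it builds the two federation-endpoint URLs (`getSigninToken`, then `login`) with proper URL encoding, validates a candidate STS `RoleSessionName`, and derives the `<role-name>/<session-name>` pair that identifies a federated session from its assumed-role ARN. The sample credentials and ARNs are constructed; the ARNs assume the identity pool session name `CognitoIdentityCredentials`, which is why every identity pool user maps to the same pair, and contrast it with a session named after the user's email. Only Node.js built-ins are used and no AWS endpoint is contacted.

```javascript
// Added example, not code from the question. Runs offline on constructed values.
const FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation";

// Build the getSigninToken request URL from temporary credentials.
// The Session parameter is the JSON document the endpoint expects; URLSearchParams
// takes care of the URL encoding that the question's code does by hand.
function buildSigninTokenUrl(creds, sessionDurationSeconds) {
  const session = JSON.stringify({
    sessionId: creds.accessKeyId,
    sessionKey: creds.secretAccessKey,
    sessionToken: creds.sessionToken,
  });
  const params = new URLSearchParams({ Action: "getSigninToken" });
  if (sessionDurationSeconds !== undefined) {
    params.set("SessionDuration", String(sessionDurationSeconds));
  }
  params.set("Session", session);
  return `${FEDERATION_ENDPOINT}?${params.toString()}`;
}

// Build the console login URL from the SigninToken the endpoint returned.
function buildLoginUrl(signinToken, issuer, destination) {
  const params = new URLSearchParams({
    Action: "login",
    Issuer: issuer,
    Destination: destination,
    SigninToken: signinToken,
  });
  return `${FEDERATION_ENDPOINT}?${params.toString()}`;
}

// STS RoleSessionName rules: 2 to 64 characters from the set [\w+=,.@-].
// An email address satisfies them, so it can serve as a per-user session name.
function isValidRoleSessionName(name) {
  return /^[\w+=,.@-]{2,64}$/.test(name);
}

// A federated session is identified by "<role-name>/<session-name>", both taken
// from the assumed-role ARN (aws partition only; sts has no region in the ARN).
function federatedUserName(assumedRoleArn) {
  const m = /^arn:aws:sts::\d{12}:assumed-role\/([^\/]+)\/(.+)$/.exec(assumedRoleArn);
  if (!m) {
    throw new Error("not an assumed-role ARN: " + assumedRoleArn);
  }
  return `${m[1]}/${m[2]}`;
}

// Constructed sample values; not real credentials.
const SAMPLE_CREDS = {
  accessKeyId: "ASIAEXAMPLEKEYID",
  secretAccessKey: "exampleSecretKey",
  sessionToken: "exampleSessionToken",
};
// Constructed ARN as produced via the identity pool: the session name is fixed,
// so every user of the pool yields the same pair.
const POOL_SESSION_ARN =
  "arn:aws:sts::123456789012:assumed-role/author-role-quicksight/CognitoIdentityCredentials";
// Constructed ARN for a direct AssumeRoleWithWebIdentity call with RoleSessionName
// set to the user's email (assumed setup, not the question's current flow).
const EMAIL_SESSION_ARN =
  "arn:aws:sts::123456789012:assumed-role/author-role-quicksight/alice@example.com";

function demo() {
  const tokenUrl = buildSigninTokenUrl(SAMPLE_CREDS, 3600);
  const loginUrl = buildLoginUrl("<SigninToken from the endpoint>",
    "https://example.com/sso", "https://quicksight.aws.amazon.com/sn/start");
  console.log(tokenUrl);
  console.log(loginUrl);
  console.log(federatedUserName(POOL_SESSION_ARN));
  console.log(federatedUserName(EMAIL_SESSION_ARN));
}
```

`demo()` prints the two URLs and the two user-name pairs; the first pair is the same for every user of the identity pool, the second is unique per email.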

0 Answers:

No answers