承担Cognito组的IAM角色

时间:2020-07-18 14:38:42

标签: c# amazon-web-services amazon-cognito amazon-iam

是否可以承担与Cognito用户池iam-role1中Cognito用户cognito-group1的Cognito组cognito-user1关联的IAM角色cognito-user-pool1

我的配置:

认知用户池cognito-user-pool1

  • 认知用户cognito-user1属于cognito-group1
  • 认知组cognito-group1已分配给iam-role1

认知身份池cognito-identity-pool1

  • 身份验证提供者:cognito-user-pool1
  • 经过身份验证的角色= iam-role1

IAM:

  • IAM角色iam-role1具有访问S3 ReadOnly的策略

此代码允许我向Cognito用户池进行身份验证:

AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient();
            CognitoUserPool userPool = new CognitoUserPool("user-pool-id", "client-id", provider);
            CognitoUser user = new CognitoUser("cognito-user1", "client-id", userPool, provider);
            InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
            {
                Password = "cognito-password1"
            };

            AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest);

然后从链接到认知用户池cognito-identity-pool1的认知身份池cognito-user-pool1获取凭据:

CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-arn", RegionEndpoint.USEast1); 
using (var client = new AmazonS3Client(credentials))
...

1 个答案:

答案 0 :(得分:0)

通过Cognito用户池cognito-user-pool1对用户进行身份验证时,id令牌包括cognito组和iam角色:

"cognito:groups": [
    "cognito-group1"
  ],
"cognito:roles": [
    "arn:aws:iam::xxx:role/iam-role1"
  ],

我们需要配置Cognito身份池,以便在验证用户身份后从令牌中选择角色: enter image description here

我们还需要通过在IAM角色iam-role1中编辑信任关系来允许Cognito身份池承担此角色:

{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}

enter image description here

相关问题
最新问题