我有一个Web应用程序,使用户能够轻松管理AWS资源,就像使用GUI启动Ec2实例一样。不同的用户可以使用此Web应用程序。我已经实现了我自己的用户管理。某些用户可能不希望为我的Web应用创建帐户并存储其凭据以向AWS资源发出请求。它们可能并不安全。所以,我想建立一个使用下面的流程的机制。用亚马逊登录并访问aws资源,如S3,EC2等
- 用户登录使用登录亚马逊我的web应用程序
- 登录亚马逊将提供一个访问令牌我
- 使用此令牌
- 使用这些凭据到AWS未来请求获取临时凭据资源
以这种方式,我的web-app中将不会存储永久凭证。
我使用java作为我的后端服务。那么有没有AWS APi可以这么做?
我曾尝试下面的代码:
val client = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials())
val idRequest = new GetIdRequest();
idRequest.setAccountId(account-id);
idRequest.setIdentityPoolId("us-east-1:xxxx");
// If you are authenticating your users through an identity provider
// then you can set the Map of tokens in the request
val logins = new HashMap[String, String]()
providerTokens+=("www.amazon.com"->"Atza|IwE-xxxxxxxxxxxxxxxxxxx")
idRequest.setLogins(logins);
val idResp = client.getId(idRequest)
val identityId = idResp.getIdentityId()
// Create the request object
val tokenRequest = new GetOpenIdTokenRequest();
tokenRequest.setIdentityId("us-east-1:xxxxxx");
//
val tokenResp = client.getOpenIdToken(tokenRequest);
// get the OpenID token from the response
val openIdToken = tokenResp.getToken()
// you can now create a set of temporary, limited-privilege credentials to access
// your AWS resources through the Security Token Service utilizing the OpenID
// token returned by the previous API call. The IAM Role ARN passed to this call
// will be applied to the temporary credentials returned
val stsClient = new AWSSecurityTokenServiceClient(new AnonymousAWSCredentials());
val stsReq = new AssumeRoleWithWebIdentityRequest();
stsReq.setRoleArn("arn:aws:iam::account-id:role/Cognito_Auth_Role");
stsReq.setWebIdentityToken(openIdToken);
stsReq.setRoleSessionName("AppTestSession");
val stsResp = stsClient.assumeRoleWithWebIdentity(stsReq);
val stsCredentials = stsResp.getCredentials();
我得到以下错误:
Access to Identity 'us-east-1:xxxxxxxxxxxxxxxx' is forbidden. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException
以下是IAM角色Cognito_Auth_Role作用的政策:
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":"cognito-sync:*",
"Resource":["arn:aws:cognito-sync:us-east-1:xxxxxxx:identitypool/${cognito-identity.amazonaws.com:aud}/identity/${cognito-identity.amazonaws.com:sub}/*"]
}]
}
这里是这个角色的信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "www.amazon.com"
}
}
}
]
}
请指点一下,这里有什么问题?
感谢
我能够用亚马逊登录并获取访问令牌。现在的问题是如何使用此令牌获取临时凭证以请求访问亚马逊服务。 –
您需要配置AWS Identity and Access Management以使用您的带有Amazon应用程序ID的登录。以下是来自AWS的关于示例用例的博客文章。 https://aws.amazon.com/blogs/aws/aws-iam-now-supports-amazon-facebook-and-google-identity-federation/ – YiddishNinja
谢谢YiddishNinja!我收到异常'禁止访问身份'us-east-1:60904206-xxxxxx'。 (服务:AmazonCognitoIdentity;状态码:400;错误代码:NotAuthorizedException'。请参阅我正在使用的代码的更新后的帖子 –