大家好,我現在轉了一天多,可以找出問題所在。
我需要的:
- 在我的網路應用程式上驗證我的用戶以控制對存盤桶的訪問
- 允許每個用戶僅訪問我存盤桶中的特定檔案夾
我做了什么
- 使用客戶端應用程式和聯合池創建一個 cognito 用戶組
- 將我的聯合池鏈接到我的 Cognito 用戶組
- 使用以下道具創建一個存盤桶
A. 公共訪問
B. CORS
C. 在 vuejs 中創建一個登錄表單并開始使用 AWS-SDK 進行身份驗證到 cognito
<script >
import * as AmazonCognitoIdentity from 'amazon-cognito-identity-js'
import * as AWS from 'aws-sdk'
import AwsConfig from '@/config/ConfigAws.js'
export default {
data () {
return {
username: '',
password: '',
email: '',
access_token: null,
id_token: null,
}
},
methods: {
AWS_auth () {
AWS.config.update({ region: AwsConfig.default_region })
var authenticationData = {
Username: this.email,
Password: this.password
}
var userData = {
Username: this.email,
Pool: userPool
}
var poolData = {
UserPoolId: AwsConfig.cognito_UserPoolId,
ClientId: AwsConfig.cognito_client_ID
}
var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails(authenticationData)
var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData)
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: (result) => {
console.log('success auth')
// isolate acces token
var accessToken = result.getAccessToken().getJwtToken()
// isolate id token, id token has to get used for API gateway auth
var idToken = result.idToken.jwtToken
// Update AWS config credentials to store credentials for the session
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-west-1:aaaaaaaaa-XXXXX-4a99-b606-YYYYYYYYYY',
Logins: { 'cognito-idp.eu-west-1.amazonaws.com/eu-west-1_jjrr8877rL': idToken }
})
// store in template data both token
this.access_token = accessToken
this.id_token = idToken
// store in local storage both token, this storage is helpfull at new connexion, to avoir connexion path
localStorage.labelingAPPAccessToken = accessToken
localStorage.labelingAPPIdToken = idToken
this.$store.state.UserAccesToken = localStorage.labelingAPPAccessToken
// Get COgnito UserData and custom data
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider()
cognitoidentityserviceprovider.getUser(
{
AccessToken: accessToken /* required */
},
(err, data, vm) => {
if (err) {console.log(err, err.stack)}
if (data) { console.log('Authentication success') }
var newdata = data.UserAttributes
Object.assign(newdata, { IdentityID: String(AWS.config.credentials.identityId) })
localStorage.setItem('SessionFaaSPlateformStorage4f66b04b5460f2a9d13b', JSON.stringify(newdata))
this.$store.state.Userdata = newdata
this.loader_active = false
this.$router.push('Dashboard/DashboardHome')
if (err) {
console.log(err, err.stack)
}
}
)
console.log('IdentityID')
console.log(String(AWS.config.credentials.identityId))
},
onFailure: function (err) {
console.log('Auth failed')
console.log(err, err.stack)
}
})
}
}
</script >
到目前為止一切順利,我得到了我需要的所有東西,我的不同令牌、userId、UserDate 和 AppID
- 配置不同的角色和策略以允許用戶使用 AWS 服務。我檢索“plateform_cognito_Role,生成并鏈接到我的聯合用戶池,其中包含以下內容
A. 信任關系
B. 權限 => 鏈接到自定義策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"cognito-identity:*"
],
"Resource": [
"arn:aws:cognito-sync:eu-west-1:454545454545:identitypool/eu-west-1_sssssssss/identity/*/dataset/*",
"arn:aws:cognito-sync:eu-west-1:454545454545:identitypool/eu-west-1_sssssssss",
"arn:aws:cognito-sync:eu-west-1:454545454545:identitypool/eu-west-1_sssssssss/identity/*"
]
},
{
"Sid": "VisualEditordynamo",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:PutItem",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:eu-west-1:454545454545:table/FaasCloudPlateform_Functions/index/*",
"arn:aws:dynamodb:eu-west-1:454545454545:table/FaasCloudPlateform_Functions",
"arn:aws:dynamodb:eu-west-1:454545454545:table/FaasCloudPlateform_Users/index/*",
"arn:aws:dynamodb:eu-west-1:454545454545:table/FaasCloudPlateform_Users"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::faascloudplatform",
"arn:aws:s3:::faascloudplatform/*"
]
}
]
}
在這個階段,一切都像魅力一樣作業,我可以毫無問題地與 dynamo 和 S3 互動。
現在我想隔離每個 cognito 用戶,使其只能訪問他自己在 bucker 中的特定檔案夾
我修改以前的政策,如
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::faascloudplatform/Users/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::faascloudplatform/Users/${cognito-identity.amazonaws.com:sub}/*"
]
}
在我的客戶端 Web 應用程式中進行身份驗證時,身份 ID 看起來像“eu-west-1:fec78-0000-36b-80bd-8e1c54ce”女巫似乎很好,所以我去我的 S3 存盤,用我的身份 ID 名稱創建一個檔案夾和在里面放一個測驗檔案。我的檔案的關鍵是“Users/eu-west-1:eu-west-1:fec78-0000-36b-80bd-8e1c54ce/avatar.PNG”
回到我的 web 應用程式中,我使用 aws-S3 使用我之前使用的相同方法查詢物件
async function S3getObject (BucketName, KeyName) {
var params = {
Bucket: BucketName,
Key: KeyName
}
var s3 = new AWS.S3({
apiVersion: '2006-03-01'
})
const data = (await (s3.getObject(params).promise()))
return data
}
戲劇來了……我得到了一個錯誤的承諾回報
我很掙扎,已經被困了一段時間。
將不勝感激一點幫助。
非常感謝
uj5u.com熱心網友回復:
我自己得到它。我很接近錯過了政策中的一個要素。
我在我的策略中添加了一個串列物件,現在一切都很好
{
"Sid": "ListYourObjects",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::faascloudplatform"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"Users/${cognito-identity.amazonaws.com:sub}"
]
}
}
}
轉載請註明出處,本文鏈接:https://www.uj5u.com/qukuanlian/430398.html