如何为 AWSAssumeRoleWebIdentity 设置 OIDC 提供商
How to set OIDC provider for AWSAssumeRoleWebIdentity
我正在开发一个 android 应用程序,它使用 firebase authentication 进行登录并使用 AWS S3 和 dynamodb 进行管理 data/images。我正在尝试通过 AWSAssumeRoleWebIdentity 委托对 AWS 资源的访问。我这样做的原因是 AWS Sign-In UI 不允许对 UI 和 UI 流程进行足够的自定义。我决定仅使用 firebase authentication 进行登录和注册。
请找到源代码和OIDC Provider设置。他们的错误日志是
No OpenIDConnect provider found in your account for https://securetoken.google.com/[project-name] (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: 37607060-9e1c-11e8-8ae0-636eae27c3bf)
AWS IAM 的身份提供程序已创建,名称为 "securetoken.google.com/[my-project-name]/",我创建的指纹指的是 [1] 和在 Credentials 中获得的 OAuth 2.0 客户端 ID =21=].
源码如下所示
public void uploadImageFile() {
CustomLog.logI("start of uploadImageFile");
setIDToken();
}
private void setIDToken() {
FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
// To get ID Token of the user authenticated by google authentication
mUser.getIdToken(true)
.addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
public void onComplete (@NonNull Task< GetTokenResult > task) {
if (task.isSuccessful()) {
// Token information is set to mIDToken of the global variable
mIDToken = task.getResult().getToken();
AsyncTaskForAssumeRole asyncTaskForAssumeRole = new AsyncTaskForAssumeRole();
asyncTaskForAssumeRole.execute();
} else {
CustomLog.logE(task.getException().getMessage());
}
}
});
}
public class AsyncTaskForAssumeRole extends AsyncTask<Void, Void, BasicSessionCredentials> {
protected BasicSessionCredentials doInBackground(Void... params) {
try {
// set credentials from AssumeRoleWithWebIdentity
BasicSessionCredentials credentials = setAssumeRoleWithWebIdentity();
return credentials;
} catch (Exception e) {
CustomLog.logE(e.getMessage());
return null;
}
}
protected void onPostExecute(BasicSessionCredentials credentials) {
// upload file with S3 connection
connectToS3ForUpload(credentials);
}
}
private BasicSessionCredentials setAssumeRoleWithWebIdentity(){
CustomLog.logD("start of setAssumeRoleWithWebIdentity");
String ROLE_ARN = [my role arn];
// set AssumeRoleWithWebIdentity request with created policy and token information retrieved through Google Sign in information
AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
.withWebIdentityToken(mIDToken)
.withRoleArn(ROLE_ARN)
.withRoleSessionName("wifsession");
BasicAWSCredentials basicCreds = new BasicAWSCredentials("", "");
AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient(basicCreds);
AssumeRoleWithWebIdentityResult result = sts.assumeRoleWithWebIdentity(request);
Credentials stsCredentials = result.getCredentials();
String subjectFromWIF = result.getSubjectFromWebIdentityToken();
BasicSessionCredentials credentials = new BasicSessionCredentials(stsCredentials.getAccessKeyId(),
stsCredentials.getSecretAccessKey(),
stsCredentials.getSessionToken());
return credentials;
}
非常感谢。
[1] http://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html
考虑使用 Amazon Cognito 联合身份(身份池)将用户从您的身份提供商联合(映射)到 Amazon Cognito 并获得 Cognito 身份 ID,该 ID 可用于授权访问 AWS 资源。有关详细信息,请参阅 https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html。
Map<String, String> logins = new HashMap<String, String>();
logins.put("login.provider.com", token);
credentialsProvider.setLogins(logins);
现在,您可以将 credentialsProvider 对象与 Amazon S3 客户端一起使用。
AmazonS3 s3Client = new AmazonS3Client(getApplicationContext(), credentialsProvider);
我正在开发一个 android 应用程序,它使用 firebase authentication 进行登录并使用 AWS S3 和 dynamodb 进行管理 data/images。我正在尝试通过 AWSAssumeRoleWebIdentity 委托对 AWS 资源的访问。我这样做的原因是 AWS Sign-In UI 不允许对 UI 和 UI 流程进行足够的自定义。我决定仅使用 firebase authentication 进行登录和注册。
请找到源代码和OIDC Provider设置。他们的错误日志是
No OpenIDConnect provider found in your account for https://securetoken.google.com/[project-name] (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: 37607060-9e1c-11e8-8ae0-636eae27c3bf)
AWS IAM 的身份提供程序已创建,名称为 "securetoken.google.com/[my-project-name]/",我创建的指纹指的是 [1] 和在 Credentials 中获得的 OAuth 2.0 客户端 ID =21=].
源码如下所示
public void uploadImageFile() {
CustomLog.logI("start of uploadImageFile");
setIDToken();
}
private void setIDToken() {
FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
// To get ID Token of the user authenticated by google authentication
mUser.getIdToken(true)
.addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
public void onComplete (@NonNull Task< GetTokenResult > task) {
if (task.isSuccessful()) {
// Token information is set to mIDToken of the global variable
mIDToken = task.getResult().getToken();
AsyncTaskForAssumeRole asyncTaskForAssumeRole = new AsyncTaskForAssumeRole();
asyncTaskForAssumeRole.execute();
} else {
CustomLog.logE(task.getException().getMessage());
}
}
});
}
public class AsyncTaskForAssumeRole extends AsyncTask<Void, Void, BasicSessionCredentials> {
protected BasicSessionCredentials doInBackground(Void... params) {
try {
// set credentials from AssumeRoleWithWebIdentity
BasicSessionCredentials credentials = setAssumeRoleWithWebIdentity();
return credentials;
} catch (Exception e) {
CustomLog.logE(e.getMessage());
return null;
}
}
protected void onPostExecute(BasicSessionCredentials credentials) {
// upload file with S3 connection
connectToS3ForUpload(credentials);
}
}
private BasicSessionCredentials setAssumeRoleWithWebIdentity(){
CustomLog.logD("start of setAssumeRoleWithWebIdentity");
String ROLE_ARN = [my role arn];
// set AssumeRoleWithWebIdentity request with created policy and token information retrieved through Google Sign in information
AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
.withWebIdentityToken(mIDToken)
.withRoleArn(ROLE_ARN)
.withRoleSessionName("wifsession");
BasicAWSCredentials basicCreds = new BasicAWSCredentials("", "");
AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient(basicCreds);
AssumeRoleWithWebIdentityResult result = sts.assumeRoleWithWebIdentity(request);
Credentials stsCredentials = result.getCredentials();
String subjectFromWIF = result.getSubjectFromWebIdentityToken();
BasicSessionCredentials credentials = new BasicSessionCredentials(stsCredentials.getAccessKeyId(),
stsCredentials.getSecretAccessKey(),
stsCredentials.getSessionToken());
return credentials;
}
非常感谢。
[1] http://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html
考虑使用 Amazon Cognito 联合身份(身份池)将用户从您的身份提供商联合(映射)到 Amazon Cognito 并获得 Cognito 身份 ID,该 ID 可用于授权访问 AWS 资源。有关详细信息,请参阅 https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html。
Map<String, String> logins = new HashMap<String, String>();
logins.put("login.provider.com", token);
credentialsProvider.setLogins(logins);
现在,您可以将 credentialsProvider 对象与 Amazon S3 客户端一起使用。
AmazonS3 s3Client = new AmazonS3Client(getApplicationContext(), credentialsProvider);