CognitoIdentityCredentials 无权对资源执行:dynamodb:Query:
CognitoIdentityCredentials is not authorized to perform: dynamodb:Query on resource:
我一直在关注 AWS 文档和使用 DynamoDB 的示例代码,但我的进度已经停止。正确设置我的 Cognito 用户 Pool/Identity 和 IAM 角色后,我无法再查询我的 DynamoDB table。我能够 运行 扫描、删除和 GetItem 没有问题,但不能 运行 查询。我的未授权 IAM 角色是否正确设置为 运行 在我的 DynamoDB table 上查询?
IAM 未授权角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1474743569000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1"
]
},
{
"Sid": "Stmt1474743616000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2"
]
}
]
查询函数:
func getQuery(){
//performing a query
let dynamoDBObjectMapper = AWSDynamoDBObjectMapper.default()
let queryExpression = AWSDynamoDBQueryExpression()
//queryExpression.scanIndexForward = 1
queryExpression.indexName = "Pay"
queryExpression.keyConditionExpression = "Company = :Company AND Pay > :Pay"
queryExpression.expressionAttributeValues = [
":Company" : "TestCompany",
":Pay" : 0];
dynamoDBObjectMapper .query(DDBTableRow.self, expression: queryExpression) .continue(with: AWSExecutor.mainThread(), with: { (task:AWSTask!) -> AnyObject! in
if (task.error != nil) {
print("Error: \(task.error)")
let alertController = UIAlertController(title: "Failed to query a test table.", message: task.error!.localizedDescription, preferredStyle: UIAlertControllerStyle.alert)
let okAction = UIAlertAction(title: "OK", style: UIAlertActionStyle.cancel, handler: { (action:UIAlertAction) -> Void in
})
alertController.addAction(okAction)
self.present(alertController, animated: true, completion: nil)
} else {
if (task.result != nil) {
self.pagniatedOutput = task.result! as AWSDynamoDBPaginatedOutput
}
//self.performSegue(withIdentifier: "unwindToMainSegue", sender: self)
}
return nil
})
}
提前感谢您的任何建议!
更新 #2:
添加收到的异常:
Error: Optional(Error Domain=com.amazonaws.AWSServiceErrorDomain Code=6 "(null)"
UserInfo={__type=com.amazon.coral.service#AccessDeniedException,
Message=User: arn:aws:sts::XXXXXXXXXX:assumed-role/Cognito_testUserUnauth_Role/CognitoIdentityCredentials is
not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1/index/Pay})
更新 #3:
问题出在我的 IAM 角色中的 Resource 参数上。我做了一个小改动,现在可以查询了。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1474743569000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1",
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1/index/*"
]
},
{
"Sid": "Stmt1474743616000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2",
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2/index/*"
]
}
]
更新 #3:问题出在我的 IAM 角色中的 Resource 参数上。我做了一个小改动,现在可以查询了。
{"Version": "2012-10-17","Statement": [
{
"Sid": "Stmt1474743569000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1",
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1/index/*"
]
},
{
"Sid": "Stmt1474743616000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2",
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2/index/*"
]
}
]
我一直在关注 AWS 文档和使用 DynamoDB 的示例代码,但我的进度已经停止。正确设置我的 Cognito 用户 Pool/Identity 和 IAM 角色后,我无法再查询我的 DynamoDB table。我能够 运行 扫描、删除和 GetItem 没有问题,但不能 运行 查询。我的未授权 IAM 角色是否正确设置为 运行 在我的 DynamoDB table 上查询?
IAM 未授权角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1474743569000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1"
]
},
{
"Sid": "Stmt1474743616000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2"
]
}
]
查询函数:
func getQuery(){
//performing a query
let dynamoDBObjectMapper = AWSDynamoDBObjectMapper.default()
let queryExpression = AWSDynamoDBQueryExpression()
//queryExpression.scanIndexForward = 1
queryExpression.indexName = "Pay"
queryExpression.keyConditionExpression = "Company = :Company AND Pay > :Pay"
queryExpression.expressionAttributeValues = [
":Company" : "TestCompany",
":Pay" : 0];
dynamoDBObjectMapper .query(DDBTableRow.self, expression: queryExpression) .continue(with: AWSExecutor.mainThread(), with: { (task:AWSTask!) -> AnyObject! in
if (task.error != nil) {
print("Error: \(task.error)")
let alertController = UIAlertController(title: "Failed to query a test table.", message: task.error!.localizedDescription, preferredStyle: UIAlertControllerStyle.alert)
let okAction = UIAlertAction(title: "OK", style: UIAlertActionStyle.cancel, handler: { (action:UIAlertAction) -> Void in
})
alertController.addAction(okAction)
self.present(alertController, animated: true, completion: nil)
} else {
if (task.result != nil) {
self.pagniatedOutput = task.result! as AWSDynamoDBPaginatedOutput
}
//self.performSegue(withIdentifier: "unwindToMainSegue", sender: self)
}
return nil
})
}
提前感谢您的任何建议!
更新 #2: 添加收到的异常:
Error: Optional(Error Domain=com.amazonaws.AWSServiceErrorDomain Code=6 "(null)"
UserInfo={__type=com.amazon.coral.service#AccessDeniedException,
Message=User: arn:aws:sts::XXXXXXXXXX:assumed-role/Cognito_testUserUnauth_Role/CognitoIdentityCredentials is
not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1/index/Pay})
更新 #3: 问题出在我的 IAM 角色中的 Resource 参数上。我做了一个小改动,现在可以查询了。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1474743569000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1",
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1/index/*"
]
},
{
"Sid": "Stmt1474743616000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2",
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2/index/*"
]
}
]
更新 #3:问题出在我的 IAM 角色中的 Resource 参数上。我做了一个小改动,现在可以查询了。
{"Version": "2012-10-17","Statement": [
{
"Sid": "Stmt1474743569000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1",
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable1/index/*"
]
},
{
"Sid": "Stmt1474743616000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2",
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXXX:table/MyTable2/index/*"
]
}
]