使用 Cognito 未经身份验证访问 AWS 服务
Unauthenticated access to AWS services using Cognito
我正在尝试编写一个简单的 JavaScript(在浏览器中为 运行),它将使用 describeApplications 函数获取有关我的 Beanstalk 应用程序的信息。我创建了 Cognito 身份池,其中设置了未经身份验证的访问复选框,并将 AWSElasticBeanstalkReadOnlyAccess 策略附加到身份池的角色。
代码如下:
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.134.0.min.js"></script>
<script>
AWS.config.region = 'eu-west-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-west-1:....',
});
var elasticbeanstalk = new AWS.ElasticBeanstalk();
elasticbeanstalk.describeApplications({}, function (err, data) {
if (err) {
console.log(err);
console.log(err.stack);
} else {
console.log(data);
}
});
这是控制台中的输出:
{ResponseMetadata: {…}, Applications: Array(0)}
应用程序数组为空!但我肯定在 eu-west-1 地区有申请。
为了进行简单测试,我创建了一个用户,附加了相同的策略和硬编码的用户凭据,而不是 CognitoIdentityCredentials:
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.134.0.min.js"></script>
<script>
AWS.config.region = 'eu-west-1'; // Region
AWS.config.accessKeyId = '...';
AWS.config.secretAccessKey = '...';
var elasticbeanstalk = new AWS.ElasticBeanstalk();
elasticbeanstalk.describeApplications({}, function (err, data) {
if (err) {
console.log(err);
console.log(err.stack);
} else {
console.log(data);
}
});
瞧,我看到了我的 beantalk 应用程序:
{ResponseMetadata: {…}, Applications: Array(1)}
我做了其他测试。我尝试使用 unauth 列出 S3 存储桶。 access 和 Cognito - 它也有效。那意味着我的未授权。角色已正确附加和应用。但是我不知道,为什么我在 beantalk 中看不到应用程序!
未经身份验证的访问和 Cognito 我做错了什么?任何帮助将不胜感激!
更新!
感谢 Mike Patrick 指出了正确的方向!
我切换到基本身份验证流程,仅此而已。这是工作代码:
AWS.config = {
apiVersions: { elasticbeanstalk: '2010-12-01' },
region: 'eu-west-1',
credentials: new AWS.WebIdentityCredentials({
RoleArn: 'my role arn'
})
};
var cognitoidentity = new AWS.CognitoIdentity(),
elasticbeanstalk = new AWS.ElasticBeanstalk();
var params = {
IdentityPoolId: 'my cognito identity pool id', /* required */
};
cognitoidentity.getId(params, function(err, data) {
if (err){
console.log(err, err.stack); // an error occurred
} else {
var params = {
IdentityId: data.IdentityId
};
cognitoidentity.getOpenIdToken(params, function(err, data) {
if (err) {
console.log(err, err.stack); // an error occurred
} else {
AWS.config.credentials.params.WebIdentityToken = data.Token;
//here we go, elasticbeanstalk functions work as expected
}
});
}
});
我不相信你做错了什么;我也无法完成这项工作。我怀疑你可能是亚马逊的受害者 "protecting" 你自己。
来自 "Access Policies" 下的 http://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html:
For additional security protection, Amazon Cognito applies a
scope-down policy to credentials vended by GetCredentialForIdentity to
prevent access to services other than these to your unauthenticated
users:
... list of services that does NOT include Elastic Beanstalk ...
If you need access to something other than these services for your
unauthenticated users, you must use the basic authentication flow.
这似乎表明,无论您为 Cognito Unauthenticated 角色附加什么策略,AWS 都会 "scope it down"。
如果是这种情况,您 喜欢 看到 NotAuthorizedException 的一些证据(通常在回复 header 中),但我找不到。
我正在尝试编写一个简单的 JavaScript(在浏览器中为 运行),它将使用 describeApplications 函数获取有关我的 Beanstalk 应用程序的信息。我创建了 Cognito 身份池,其中设置了未经身份验证的访问复选框,并将 AWSElasticBeanstalkReadOnlyAccess 策略附加到身份池的角色。
代码如下:
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.134.0.min.js"></script>
<script>
AWS.config.region = 'eu-west-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-west-1:....',
});
var elasticbeanstalk = new AWS.ElasticBeanstalk();
elasticbeanstalk.describeApplications({}, function (err, data) {
if (err) {
console.log(err);
console.log(err.stack);
} else {
console.log(data);
}
});
这是控制台中的输出:
{ResponseMetadata: {…}, Applications: Array(0)}
应用程序数组为空!但我肯定在 eu-west-1 地区有申请。
为了进行简单测试,我创建了一个用户,附加了相同的策略和硬编码的用户凭据,而不是 CognitoIdentityCredentials:
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.134.0.min.js"></script>
<script>
AWS.config.region = 'eu-west-1'; // Region
AWS.config.accessKeyId = '...';
AWS.config.secretAccessKey = '...';
var elasticbeanstalk = new AWS.ElasticBeanstalk();
elasticbeanstalk.describeApplications({}, function (err, data) {
if (err) {
console.log(err);
console.log(err.stack);
} else {
console.log(data);
}
});
瞧,我看到了我的 beantalk 应用程序:
{ResponseMetadata: {…}, Applications: Array(1)}
我做了其他测试。我尝试使用 unauth 列出 S3 存储桶。 access 和 Cognito - 它也有效。那意味着我的未授权。角色已正确附加和应用。但是我不知道,为什么我在 beantalk 中看不到应用程序!
未经身份验证的访问和 Cognito 我做错了什么?任何帮助将不胜感激!
更新!
感谢 Mike Patrick 指出了正确的方向!
我切换到基本身份验证流程,仅此而已。这是工作代码:
AWS.config = {
apiVersions: { elasticbeanstalk: '2010-12-01' },
region: 'eu-west-1',
credentials: new AWS.WebIdentityCredentials({
RoleArn: 'my role arn'
})
};
var cognitoidentity = new AWS.CognitoIdentity(),
elasticbeanstalk = new AWS.ElasticBeanstalk();
var params = {
IdentityPoolId: 'my cognito identity pool id', /* required */
};
cognitoidentity.getId(params, function(err, data) {
if (err){
console.log(err, err.stack); // an error occurred
} else {
var params = {
IdentityId: data.IdentityId
};
cognitoidentity.getOpenIdToken(params, function(err, data) {
if (err) {
console.log(err, err.stack); // an error occurred
} else {
AWS.config.credentials.params.WebIdentityToken = data.Token;
//here we go, elasticbeanstalk functions work as expected
}
});
}
});
我不相信你做错了什么;我也无法完成这项工作。我怀疑你可能是亚马逊的受害者 "protecting" 你自己。
来自 "Access Policies" 下的 http://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html:
For additional security protection, Amazon Cognito applies a scope-down policy to credentials vended by GetCredentialForIdentity to prevent access to services other than these to your unauthenticated users:
... list of services that does NOT include Elastic Beanstalk ...
If you need access to something other than these services for your unauthenticated users, you must use the basic authentication flow.
这似乎表明,无论您为 Cognito Unauthenticated 角色附加什么策略,AWS 都会 "scope it down"。
如果是这种情况,您 喜欢 看到 NotAuthorizedException 的一些证据(通常在回复 header 中),但我找不到。