AWS Cognito:调用 getOpenIdToken() 时禁止访问身份
AWS Cognito: Access to Identity is forbidden when calling getOpenIdToken()
成功获取cognito身份后,我们再尝试获取openIdToken()
AWS.config.credentials.get(function(err) {
if (!err) {
var cognitoIdentity = new AWS.CognitoIdentity();
cognitoIdentity.getOpenIdToken({IdentityId: AWS.config.credentials.identityId}, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
} else {
console.log('cognito error: ' + err);
}
});
然而这失败了:
"NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.
完整错误跟踪:
POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request)
aws-sdk.min.js:5 [AWS cognitoidentity 400 0.192s 0 retries] getOpenIdToken({IdentityId: 'us-east-1:xxxxx' })
routing.html:64 Error: Access to Identity 'us-east-1:xxxxx' is forbidden.
at a (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:3548)
at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28594)
at r.SequentialExecutor.r.util.inherit.emit (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28390)
at a.Request.n.emitEvent (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16483)
at u.setupStates.e (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12946)
at r.runTo (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25031)
at https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25238
at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12982)
at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16538)
at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28607) "NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.
此错误的两个最常见原因是:
- 您没有在身份池配置中正确设置角色。
- 您正试图在不提供身份提供者提供的令牌的情况下为经过身份验证的身份获取令牌。
请针对上述两种情况检查您的代码,如果错误仍然存在,请将您的 identityId/identityPoolId 私信给我,我很乐意深入挖掘。
谢谢,
拉集
成功获取cognito身份后,我们再尝试获取openIdToken()
AWS.config.credentials.get(function(err) {
if (!err) {
var cognitoIdentity = new AWS.CognitoIdentity();
cognitoIdentity.getOpenIdToken({IdentityId: AWS.config.credentials.identityId}, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
} else {
console.log('cognito error: ' + err);
}
});
然而这失败了:
"NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.
完整错误跟踪:
POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request)
aws-sdk.min.js:5 [AWS cognitoidentity 400 0.192s 0 retries] getOpenIdToken({IdentityId: 'us-east-1:xxxxx' })
routing.html:64 Error: Access to Identity 'us-east-1:xxxxx' is forbidden.
at a (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:3548)
at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28594)
at r.SequentialExecutor.r.util.inherit.emit (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28390)
at a.Request.n.emitEvent (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16483)
at u.setupStates.e (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12946)
at r.runTo (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25031)
at https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25238
at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12982)
at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16538)
at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28607) "NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.
此错误的两个最常见原因是:
- 您没有在身份池配置中正确设置角色。
- 您正试图在不提供身份提供者提供的令牌的情况下为经过身份验证的身份获取令牌。
请针对上述两种情况检查您的代码,如果错误仍然存在,请将您的 identityId/identityPoolId 私信给我,我很乐意深入挖掘。
谢谢,
拉集