是否可以创建一个信任,允许来自 cognito 的联合用户根据自定义属性承担角色?

Is it possible to create a trust that allow federated users from cognito to assume role according to a custom attribute?

是否可以创建信任以允许来自 cognito 的联合用户根据自定义属性承担角色?

例如 tenant 属性:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:custom:tenant": "tenant-name"
        }
      }
    }
  ]
}

我正在使用 get_credentials_for_identity api 和认知令牌来承担这个角色。

是的,这绝对可以通过访问控制属性实现。这仅适用于经过身份验证的用户(您需要 ID 令牌才能将声明映射到主体标签)。

  1. 您的信任策略需要如下所示:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            },
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            }
        }
    ]
}

区别在于 sts:TagSession 操作和 amr 必须是 authenticated 的事实。

  1. 担任角色的政策如下所示:
{
    "PolicyDocument": {
        "Statement": [
            {
                "Action": "s3:GetObject",
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::your-bucket-name/cognito/attributes/by_family_name/${aws:PrincipalTag/family_name}/*"
            },
            {
                "Action": "s3:GetObject",
                "Condition": {
                    "StringEquals": {
                        "s3:ExistingObjectTag/given_name": "${aws:PrincipalTag/given_name}"
                    }
                },
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::your-bucket-name/cognito/attributes/by_tag/*"
            }
        ],
        "Version": "2012-10-17"
    },
    "PolicyName": "attributes-policy"
}
  1. 您需要在身份池中配置您的 Cognito(或任何其他)提供商,以在从令牌到标签的声明之间进行映射。您可以在 Attributes for access control 下的控制台中执行此操作。或者像这样使用 CLI:
aws cognito-identity set-principal-tag-attribute-map --cli-input-json file://set-principal-tag-attribute-map.json

其中 set-principal-tag-attribute-map.json 看起来像这样(对于作为 IDP 的 Cognito):

{
    "IdentityPoolId": "here-is-your-identity-pool-id",
    "IdentityProviderName": "cognito-idp.<region>.amazonaws.com/<user_pool_id>",
    "UseDefaults": false,
    "PrincipalTags": {
        "given_name": "given_name",
        "family_name": "family_name"
    }
}

您可以在此处的文档中找到更多详细信息:https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html