通过 Lambda 到 GetObject 的 Cognito 身份验证角色 - 调用 GetObject 操作时发生错误(AccessDenied):拒绝访问

Cognito authenticated role via Lambda to GetObject - An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

我已经尝试了所有方法,但无法得到任何线索,我的 IAM 策略与具有身份 ID 访问权限的 Cognito sub 有什么问题

我正在使用 Lambda 从 Cognito 用户使用 boto3 分隔的文件夹中获取身份验证详细信息> get_object。

这是我的 Lambda 代码:

import json
import urllib.parse
import boto3
import sys
import hmac, hashlib, base64

print('Loading function')

cognito = boto3.client('cognito-idp')
cognito_identity = boto3.client('cognito-identity')

def lambda_handler(event, context):
    print("Received event: " + json.dumps(event, indent=2))
    
    username = '{substitute_with_my_own_data}' //authenticated user
    app_client_id = '{substitute_with_my_own_data}' //cognito client id
    key = '{substitute_with_my_own_data}' //cognito app client secret key
    cognito_provider = 'cognito-idp.{region}.amazonaws.com/{cognito-pool-id}' 
    
    message = bytes(username+app_client_id,'utf-8')
    key = bytes(key,'utf-8')
    secret_hash = base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode()
    
    print("SECRET HASH:",secret_hash)
        
    
    auth_data = { 'USERNAME': username, 'PASSWORD':'{substitute_user_password}', 'SECRET_HASH': secret_hash}
    auth_response = cognito.initiate_auth(
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters=auth_data,
        ClientId=app_client_id
        )
    
    print(auth_response)

    # From the response that contains the assumed role, get the temporary 
    # credentials that can be used to make subsequent API calls
    auth_result=auth_response['AuthenticationResult']
    id_token=auth_result['IdToken']
    
    id_response =  cognito_identity.get_id(
        IdentityPoolId='{sub_cognito_identity_pool_id}',
        Logins={cognito_provider: id_token}
        )
    print('id_response = ' + id_response['IdentityId']) // up to this stage verified correct user cognito identity id returned
    
    credentials_response = cognito_identity.get_credentials_for_identity(
        IdentityId=id_response['IdentityId'],
        Logins={cognito_provider: id_token}
        )
        
    secretKey = credentials_response['Credentials']['SecretKey']
    accessKey = credentials_response['Credentials']['AccessKeyId']
    sessionToken = credentials_response['Credentials']['SessionToken']
    
    print('secretKey = ' + secretKey)
    print('accessKey = ' + accessKey)
    print('sessionToken = ' + sessionToken)
    
    # Use the temporary credentials that AssumeRole returns to make a 
    # connection to Amazon S3  
    s3 = boto3.client(
        's3',
        aws_access_key_id=accessKey, 
        aws_secret_access_key=secretKey, 
        aws_session_token=sessionToken,
    )
    
    # Use the Amazon S3 resource object that is now configured with the 
    # credentials to access your S3 buckets. 
    # for bucket in s3.buckets.all():
    #     print(bucket.name)
    

    # Get the object from the event and show its content type
    bucket = '{bucket-name}'
    key = 'abc/{user_cognito_identity_id}/test1.txt'
    prefix = 'abc/{user_cognito_identity_id}'
    
    try:
        response = s3.get_object(
            Bucket=bucket,
            Key=key
        )
        # response = s3.list_objects(
        #     Bucket=bucket,
        #     Prefix=prefix,
        #     Delimiter='/'
        # )
        print(response)
        return response
    except Exception as e:
        print(e)
        print('Error getting object {} from bucket {}. Make sure they exist and your bucket is in the same region as this function.'.format(key, bucket))
        raise e

我验证的内容:

看来 IAM 政策有问题

IAM 政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "*/${cognito-identity.amazonaws.com:sub}/*"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket-name/cognito/${cognito-identity.amazonaws.com:sub}/",
                "arn:aws:s3:::bucket-name/cognito/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}

我尝试列出存储桶/获取对象/放置对象,所有访问均被拒绝。

我确实尝试过一些政策,例如删除 listbucket 条件(显然它允许访问,因为我已经通过身份验证)/将“s3:prefix”更改为“${cognito-identity.amazonaws.com:sub} /" 或 "cognito/${cognito-identity.amazonaws.com:sub}/" 但是什么都做不了。

同样适用于放置或获取对象。

我的 S3 文件夹是 bucket-name/cognito/{cognito-user-identity-id}/key

我指的是: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/

关于哪里可能出错的任何见解?

我在将 GetObjectPutObject 政策 Resources

更改后设法解决了这个问题
"arn:aws:s3:::bucket-name/cognito/${cognito-identity.amazonaws.com:sub}/",
"arn:aws:s3:::bucket-name/cognito/${cognito-identity.amazonaws.com:sub}/*"

"arn:aws:s3:::bucket-name/*/${cognito-identity.amazonaws.com:sub}/",
"arn:aws:s3:::bucket-name/*/${cognito-identity.amazonaws.com:sub}/*"

而且效果神奇。我不太明白为什么 cognito 会阻止访问,因为我的存储桶在存储桶根之后有 cognito 前缀,但现在已经解决了。