Not authorized to perform sts:AssumeRoleWithWebIdentity AWS s3 Cognito auth failure

I have a simple iOS app that uploads to s3. I'm trying to use unauth for everything, though ideally I'd like to do Facebook.

2 IAM roles (created with the wizard). IAM auth policy (for the unauth role):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::[mybucketname]/*"
        }
    ]
}

My constants.h file (sanitized):

#define AWSID @"[12 digit num]"
#define PoolID @"us-east-1:[long id number]"
#define CRUnauth @"arn:aws:iam::[id num]:role/Cognito_Auth_DefaultRole"
#define CRAuth @"arn:aws:iam::[id num]:role/Cognito_auth_DefaultRole"

My appDelegate.m file has this:

credentialsProvider = [AWSCognitoCredentialsProvider credentialsWithRegionType:AWSRegionUSEast1 accountId:AWSID identityPoolId:PoolID unauthRoleArn:CRUnauth authRoleArn:nil];
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1
                                                                      credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;

I set credentialsProvider as a property because I need to add Facebook login at some point.

I'm just uploading a bundled image to test this. In my viewController:

    // Only attach a Facebook login if we actually have a token; otherwise the
    // provider stays in unauthenticated mode and uses the unauth role.
    if ([app.fb_token length] > 0) {
        app.credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyFacebook): app.fb_token };
    }
    AWSS3TransferManager *transferManager = [AWSS3TransferManager defaultS3TransferManager];

    // Write the bundled image out to the Documents directory so the transfer
    // manager has a file on disk to upload.
    UIImage *image = [UIImage imageNamed:@"yayDot"];
    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                         NSUserDomainMask, YES);
    NSString *documentsDirectory = [paths objectAtIndex:0];
    NSString *path = [documentsDirectory stringByAppendingPathComponent:@"yayDot.png"];
    NSData *data = UIImagePNGRepresentation(image);
    [data writeToFile:path atomically:YES];

    AWSS3TransferManagerUploadRequest *uploadRequest = [AWSS3TransferManagerUploadRequest new];
    // body must be a file URL; URLWithString: would produce a non-file URL from a plain path.
    uploadRequest.body = [NSURL fileURLWithPath:path];
    uploadRequest.key = @"yayDot.png";
    uploadRequest.bucket = thebucket;
    [AWSLogger defaultLogger].logLevel = AWSLogLevelVerbose;

    [[transferManager upload:uploadRequest] continueWithBlock:^id(BFTask *task) {
        // task.error is set when the upload (or the credential refresh) fails.
        NSLog(@"result: %@", task.result);

        return nil;
    }];

Full error:

AWSURLResponseSerialization.m line:258 | -[AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{
    "Content-Length" = 299;
    "Content-Type" = "text/xml";
    Date = "Tue, 27 Jan 2015 18:54:17 GMT";
    "x-amzn-RequestId" = "xxxxx";
}]
2015-01-27 10:54:18.052  AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:263 | -[AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>AccessDenied</Code>
    <Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message>
  </Error>
  <RequestId>xxxxx</RequestId>
</ErrorResponse>
]
2015-01-27 10:54:18.059 lookyloo[20024:332664] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:587 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke356 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSSTSErrorDomain Code=0 "The operation couldn’t be completed. (com.amazonaws.AWSSTSErrorDomain error 0.)" UserInfo=0x7d936310 {Type=Sender, Message=Not authorized to perform sts:AssumeRoleWithWebIdentity, __text=(
    "\n    ",
    "\n    ",
    "\n    ",
    "\n  "
), Code=AccessDenied}]

Looking at your code, you appear to be using the "Auth" role arn:aws:iam::[id num]:role/Cognito_Auth_DefaultRole as your unauth role. By default, the roles Amazon Cognito creates only trust specific types of access (unauthenticated and authenticated), so you get the sts error when attempting unauthenticated access. This blog post reviews the trust policies and how Cognito uses them.

Switching to the simplified constructor should have fixed this for you, unless you also did the same association inside the AWS console. Associating your roles in the console lets you avoid embedding your roles in your app.

Also, if you want to use a bucket outside the "US Standard" region, you need to change this line:

AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1
                                                                  credentialsProvider:credentialsProvider];

to reflect the region the bucket is in.
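The trust-policy check the answer describes, as an added example that is not part of the original question or answer: an offline evaluator of the conditions Cognito places on its roles' trust policies (`cognito-identity.amazonaws.com:aud` must equal the identity pool id, and `cognito-identity.amazonaws.com:amr` must contain `unauthenticated` or `authenticated`), run against two constructed policies in the shape the Cognito wizard generates. The pool id, role names, the amr values assumed for a Facebook login, and the `diagnose` helper are all placeholders for illustration; reproducing the asker's constants (the Auth role configured as the unauth role) yields the same AccessDenied outcome as the log above.

```python
"""Offline evaluator for Cognito identity-pool role trust policies.

Added example, not code from the question, the answer, or the AWS SDK.
The policies and identifiers below are constructed placeholders.
"""
import fnmatch
import json

PROVIDER = "cognito-identity.amazonaws.com"
# Constructed sample pool id (not a real identifier).
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
# Assumed amr claim for an unauthenticated caller and for a Facebook login.
UNAUTH_AMR = ["unauthenticated"]
FACEBOOK_AMR = ["authenticated", "graph.facebook.com"]


def cognito_trust_policy(pool_id, access_type):
    """Trust policy in the form the Cognito wizard creates for one role.

    access_type is "authenticated" or "unauthenticated".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{PROVIDER}:aud": pool_id},
                "ForAnyValue:StringLike": {f"{PROVIDER}:amr": access_type},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, pool_id, amr):
    """True if this statement lets identity pool `pool_id` assume the role
    for a caller whose amr claim is the list `amr`."""
    if stmt.get("Effect") != "Allow":
        return False
    if PROVIDER not in _as_list(stmt.get("Principal", {}).get("Federated", [])):
        return False
    if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
        return False
    cond = stmt.get("Condition", {})
    # StringEquals on aud: the request's pool id must match exactly.
    for key, want in cond.get("StringEquals", {}).items():
        if key == f"{PROVIDER}:aud" and pool_id not in _as_list(want):
            return False
    # ForAnyValue:StringLike on amr: some caller amr value must match some
    # pattern. An empty amr list can never satisfy a ForAnyValue condition.
    for key, patterns in cond.get("ForAnyValue:StringLike", {}).items():
        if key == f"{PROVIDER}:amr" and not any(
            fnmatch.fnmatchcase(a, p) for a in amr for p in _as_list(patterns)
        ):
            return False
    return True


def trust_allows(policy, pool_id, amr):
    return any(statement_allows(s, pool_id, amr) for s in policy["Statement"])


def access_types(policy, pool_id):
    """Which Cognito access types this trust policy admits for the pool."""
    found = set()
    if trust_allows(policy, pool_id, UNAUTH_AMR):
        found.add("unauthenticated")
    if trust_allows(policy, pool_id, FACEBOOK_AMR):
        found.add("authenticated")
    return found


def diagnose(roles, pool_id, unauth_role, auth_role):
    """Predict STS's answer for the unauth and auth role slots.

    roles maps role name -> trust policy; a slot set to None is unconfigured.
    """
    denied = "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity"
    result = {}
    for slot, name, amr in (("unauth", unauth_role, UNAUTH_AMR),
                            ("auth", auth_role, FACEBOOK_AMR)):
        if name is None:
            result[slot] = "not configured"
        else:
            result[slot] = "ok" if trust_allows(roles[name], pool_id, amr) else denied
    return result


if __name__ == "__main__":
    roles = {
        "Cognito_Auth_DefaultRole": cognito_trust_policy(POOL_ID, "authenticated"),
        "Cognito_Unauth_DefaultRole": cognito_trust_policy(POOL_ID, "unauthenticated"),
    }
    # The asker's configuration: Auth role in the unauth slot, authRoleArn nil.
    print(json.dumps(diagnose(roles, POOL_ID, "Cognito_Auth_DefaultRole", None), indent=2))
    # Corrected: each slot points at the role whose trust policy admits it.
    print(json.dumps(diagnose(roles, POOL_ID, "Cognito_Unauth_DefaultRole",
                              "Cognito_Auth_DefaultRole"), indent=2))
```

The evaluator only models the two condition keys Cognito uses; a real trust policy can carry other conditions and IAM's full semantics (explicit Deny, other operators) are not reproduced here. To run the same check against live roles, fetch each role's `AssumeRolePolicyDocument` with `aws iam get-role` and pass the parsed JSON to `access_types`.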