请求中包含的安全令牌无效。 AWS 开发工具包
The security token included in the request is invalid. aws js sdk
我正在使用带有以下代码的 aws-js-sdk v2.2.3。我使用填充的凭据取回数据。当我尝试使用凭据时,我收到它们无效的错误消息。我正在使用开发人员身份验证流程。我同时拥有 Auth 和 UnAuth 这两个角色。我的身份池看起来是正确的。信任关系看起来像是指向正确的身份池 ID。 S3 和 DynamoDB 的 Auth 角色附加了一些策略。我不知所措。任何帮助,将不胜感激。
javascript 客户端:
var cognitoidentity = new AWS.CognitoIdentity({region: 'us-east-1'});
var params = {
IdentityId: user.cognito_id,
Logins: {
'cognito-identity.amazonaws.com': user.cognito_token
}
};
cognitoidentity.getCredentialsForIdentity(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data.Credentials);
});
我console.log Id & SecretKey 都填好了。
var aws_creds = StateService.get('user').aws_creds;
console.log(aws_creds.AccessKeyId);
console.log(aws_creds.SecretKey);
AWS.config.update({ accessKeyId: aws_creds.AccessKeyId,
secretAccessKey: aws_creds.SecretKey,
endpoint: ENV.aws_dyndb_endpoint,
region: 'us-east-1'
});
var dynamodb = new AWS.DynamoDB();
console.log("user obj: ", StateService.get('user'));
var params = {
TableName: games_table_name,
KeyConditionExpression: "Id = :v1",
ExpressionAttributeValues: {
":v1": {"N": id}
}
};
return dynamodb.query(params);
我的解决方案
例如,我想到的是显式刷新凭据,而不是在创建 DynamoDb 对象时懒惰地获取它们。这是我使用的函数,它 returns 承诺并在刷新凭据时解析。
refresh: function() {
var deferred = $q.defer();
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: COGNITO_IDENTITY_POOL_ID,
IdentityId: COGNITO_ID,
Logins: 'cognito-identity.amazonaws.com'
});
AWS.config.credentials.refresh(function(error) {
if ((error === undefined) || (error === null)) {
$log.debug("Credentials Refreshed Success: ", AWS.config.credentials);
var params = {
region: 'us-east-1',
apiVersion: '2012-08-10',
credentials: AWS.config.credentials
};
$rootScope.dynamodb = new AWS.DynamoDB({params: params});
deferred.resolve();
}
else {
$log.debug("Error refreshing AWS Creds:, ", error);
deferred.reject(error);
}
});
return deferred.promise;
}
如果您想使用 Cognito 凭证调用其他 AWS 服务,我建议您使用 Javascript SDK 中的高级 AWS.CognitoIdentityCredentials 对象,而不是调用服务 API 直接地。
您可以在 Cognito 开发人员指南中找到有关如何初始化和使用 AWS.CognitoIdentityCredentials 的更多信息:
Developer Authenticated Identities
阿尔伯特
流程是这样的:您向 CognitoIdentityCredentials 询问 IdentityId,IDentityId 应该跨设备和身份提供商(例如(Facebook,Google, Twitter 等),然后您使用该 ID 请求附加到您的杆 CognitoIdentity 的角色,在您获得令牌后,您向 STS.assumeRoleWithWebIdentity 请求临时凭据,并附加到您的适当角色杆.
这是我如何做到的示例:
// set the Amazon Cognito region
AWS.config.region = 'us-east-1';
// initialize the Credentials object with our parameters
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:YMIDENTITYPOLEID',
});
// We can set the get method of the Credentials object to retrieve
// the unique identifier for the end user (identityId) once the provider
// has refreshed itself
AWS.config.credentials.get(function(err) {
if (err) {
console.log("Error: "+err);
return;
}
console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);
params = {
IdentityId: AWS.config.credentials.identityId
}
// Other service clients will automatically use the Cognito Credentials provider
// configured in the JavaScript SDK.
// Get the Role associated with the id coming from the pool
var cognitoidentity = new AWS.CognitoIdentity();
cognitoidentity.getOpenIdToken(params, function(err, data) {
if (err){
console.log(err, err.stack); // an error occurred
}else{
// Get temporoarly credientials form STS to access the API
var params = {
RoleArn: 'ROLE_OF_YOUR_POLE_ARN', /* required */
RoleSessionName: 'WHATEVERNAME', /* required */
WebIdentityToken: data.Token, /* required */
};
var sts = new AWS.STS()
console.log(data); // successful response
console.log(data.Token)
sts.assumeRoleWithWebIdentity(params, function(err, data) {
if (err){
console.log(err, err.stack); // an error occurred
}else{
console.log(data); // successful response
// Now we need these credentials that we got for this app and for this user
// From here we can limit the damage by
// Burst calling to the API Gateway will be limited since we now that this is a single user on a single device
// If suspicious activities we can drop this user/device
// The privileges are limited since the role attached to this is only the API GateWay calling
// This creds are temporary they will expire in 1h
var apigClient = apigClientFactory.newClient({
accessKey: data.Credentials.AccessKeyId,
secretKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.Token, //OPTIONAL: If you are using temporary credentials you must include the session token
region: AWS.config.region // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});
// Call the get to test
apigClient.deviceGet({}, {})
.then(function(result){
//This is where you would put a success callback
console.log(result)
}).catch( function(result){
//This is where you would put an error callback
});
}
});
}
});
});
注意:这是访问 API 网关服务的测试,但访问其他服务并没有什么不同,这取决于您配置它的杆及其附加服务。
如果您拥有在 IAM 中创建的用户的凭据,则不需要临时令牌,但如果您使用此流程,则必须包含它。
还有一点,限制对你杆上服务的访问,记住这是一个公开给定的密钥,每个人都可以用它来访问你的东西。
使用STS.assumeRoleWithWebIdentity是因为我们在web上,在AWS JS SDK中,如果你使用iOS或者android/java或者boto,你必须使用STS.assumeRole.
希望对您有所帮助。
我正在使用带有以下代码的 aws-js-sdk v2.2.3。我使用填充的凭据取回数据。当我尝试使用凭据时,我收到它们无效的错误消息。我正在使用开发人员身份验证流程。我同时拥有 Auth 和 UnAuth 这两个角色。我的身份池看起来是正确的。信任关系看起来像是指向正确的身份池 ID。 S3 和 DynamoDB 的 Auth 角色附加了一些策略。我不知所措。任何帮助,将不胜感激。
javascript 客户端:
var cognitoidentity = new AWS.CognitoIdentity({region: 'us-east-1'});
var params = {
IdentityId: user.cognito_id,
Logins: {
'cognito-identity.amazonaws.com': user.cognito_token
}
};
cognitoidentity.getCredentialsForIdentity(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data.Credentials);
});
我console.log Id & SecretKey 都填好了。
var aws_creds = StateService.get('user').aws_creds;
console.log(aws_creds.AccessKeyId);
console.log(aws_creds.SecretKey);
AWS.config.update({ accessKeyId: aws_creds.AccessKeyId,
secretAccessKey: aws_creds.SecretKey,
endpoint: ENV.aws_dyndb_endpoint,
region: 'us-east-1'
});
var dynamodb = new AWS.DynamoDB();
console.log("user obj: ", StateService.get('user'));
var params = {
TableName: games_table_name,
KeyConditionExpression: "Id = :v1",
ExpressionAttributeValues: {
":v1": {"N": id}
}
};
return dynamodb.query(params);
我的解决方案
例如,我想到的是显式刷新凭据,而不是在创建 DynamoDb 对象时懒惰地获取它们。这是我使用的函数,它 returns 承诺并在刷新凭据时解析。
refresh: function() {
var deferred = $q.defer();
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: COGNITO_IDENTITY_POOL_ID,
IdentityId: COGNITO_ID,
Logins: 'cognito-identity.amazonaws.com'
});
AWS.config.credentials.refresh(function(error) {
if ((error === undefined) || (error === null)) {
$log.debug("Credentials Refreshed Success: ", AWS.config.credentials);
var params = {
region: 'us-east-1',
apiVersion: '2012-08-10',
credentials: AWS.config.credentials
};
$rootScope.dynamodb = new AWS.DynamoDB({params: params});
deferred.resolve();
}
else {
$log.debug("Error refreshing AWS Creds:, ", error);
deferred.reject(error);
}
});
return deferred.promise;
}
如果您想使用 Cognito 凭证调用其他 AWS 服务,我建议您使用 Javascript SDK 中的高级 AWS.CognitoIdentityCredentials 对象,而不是调用服务 API 直接地。
您可以在 Cognito 开发人员指南中找到有关如何初始化和使用 AWS.CognitoIdentityCredentials 的更多信息:
Developer Authenticated Identities
阿尔伯特
流程是这样的:您向 CognitoIdentityCredentials 询问 IdentityId,IDentityId 应该跨设备和身份提供商(例如(Facebook,Google, Twitter 等),然后您使用该 ID 请求附加到您的杆 CognitoIdentity 的角色,在您获得令牌后,您向 STS.assumeRoleWithWebIdentity 请求临时凭据,并附加到您的适当角色杆.
这是我如何做到的示例:
// set the Amazon Cognito region
AWS.config.region = 'us-east-1';
// initialize the Credentials object with our parameters
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:YMIDENTITYPOLEID',
});
// We can set the get method of the Credentials object to retrieve
// the unique identifier for the end user (identityId) once the provider
// has refreshed itself
AWS.config.credentials.get(function(err) {
if (err) {
console.log("Error: "+err);
return;
}
console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);
params = {
IdentityId: AWS.config.credentials.identityId
}
// Other service clients will automatically use the Cognito Credentials provider
// configured in the JavaScript SDK.
// Get the Role associated with the id coming from the pool
var cognitoidentity = new AWS.CognitoIdentity();
cognitoidentity.getOpenIdToken(params, function(err, data) {
if (err){
console.log(err, err.stack); // an error occurred
}else{
// Get temporoarly credientials form STS to access the API
var params = {
RoleArn: 'ROLE_OF_YOUR_POLE_ARN', /* required */
RoleSessionName: 'WHATEVERNAME', /* required */
WebIdentityToken: data.Token, /* required */
};
var sts = new AWS.STS()
console.log(data); // successful response
console.log(data.Token)
sts.assumeRoleWithWebIdentity(params, function(err, data) {
if (err){
console.log(err, err.stack); // an error occurred
}else{
console.log(data); // successful response
// Now we need these credentials that we got for this app and for this user
// From here we can limit the damage by
// Burst calling to the API Gateway will be limited since we now that this is a single user on a single device
// If suspicious activities we can drop this user/device
// The privileges are limited since the role attached to this is only the API GateWay calling
// This creds are temporary they will expire in 1h
var apigClient = apigClientFactory.newClient({
accessKey: data.Credentials.AccessKeyId,
secretKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.Token, //OPTIONAL: If you are using temporary credentials you must include the session token
region: AWS.config.region // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});
// Call the get to test
apigClient.deviceGet({}, {})
.then(function(result){
//This is where you would put a success callback
console.log(result)
}).catch( function(result){
//This is where you would put an error callback
});
}
});
}
});
});
注意:这是访问 API 网关服务的测试,但访问其他服务并没有什么不同,这取决于您配置它的杆及其附加服务。
如果您拥有在 IAM 中创建的用户的凭据,则不需要临时令牌,但如果您使用此流程,则必须包含它。
还有一点,限制对你杆上服务的访问,记住这是一个公开给定的密钥,每个人都可以用它来访问你的东西。
使用STS.assumeRoleWithWebIdentity是因为我们在web上,在AWS JS SDK中,如果你使用iOS或者android/java或者boto,你必须使用STS.assumeRole.
希望对您有所帮助。