Assume IAM role from Cognito group
Is it possible to assume an IAM role

My configuration:

- Cognito user pool
  - Cognito user: cognito-user1 belongs to cognito-group1
  - Cognito group: cognito-group1 is assigned to iam-role1
- Cognito identity pool
  - Authentication providers: cognito-user-pool1
  - Authenticated role = iam-role1
- IAM
  - IAM role: iam-role1 has a read-only S3 policy
This code lets me authenticate against the Cognito user pool:

```csharp
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;

// Low-level client for the Cognito user pool (identity provider) API
AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient();
CognitoUserPool userPool = new CognitoUserPool("user-pool-id", "client-id", provider);
CognitoUser user = new CognitoUser("cognito-user1", "client-id", userPool, provider);

// SRP authentication: the password never leaves the client in clear text
InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
{
    Password = "cognito-password1"
};
AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest);
```
Then, from the identity pool connected to the Cognito user pool:

```csharp
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.S3;

// Exchange the user pool tokens for temporary AWS credentials
// (first argument is the identity pool ID, second is its region)
CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-arn", RegionEndpoint.USEast1);
using (var client = new AmazonS3Client(credentials))
{
    ...
}
```
When the user authenticates through the Cognito user pool, the token contains:

```json
"cognito:groups": [
    "cognito-group1"
],
"cognito:roles": [
    "arn:aws:iam::xxx:role/iam-role1"
],
```
We need to configure the Cognito identity pool to choose the role from the token when the user is authenticated:

We also need to allow the Cognito identity pool to assume this role, by editing the trust relationship of the IAM role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
```
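As an added check (not part of the answer above), the following script inspects a trust policy of the shape shown and reports whether each Cognito federated statement pins the role to one identity pool via the `cognito-identity.amazonaws.com:aud` and `cognito-identity.amazonaws.com:amr` condition keys; without them any Cognito identity can present a token to assume the role. The identity pool ID and both policies are constructed placeholders.

```python
import json

# Constructed placeholder: the identity pool this role should trust
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

# Constructed: a trust policy with no Condition block, shaped like the answer's
LOOSE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})

# Constructed: the same statement pinned to our pool and to authenticated users
PINNED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
})


def cognito_trust_findings(policy_json: str, identity_pool_id: str) -> list:
    """Return one finding per missing pin on every Allow statement that lets
    cognito-identity.amazonaws.com call sts:AssumeRoleWithWebIdentity."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be unwrapped
        statements = [statements]
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or federated != "cognito-identity.amazonaws.com":
            continue
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud") != identity_pool_id:
            findings.append(f"statement {i}: aud not pinned to {identity_pool_id}")
        if cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr") != "authenticated":
            findings.append(f"statement {i}: amr does not require 'authenticated'")
    return findings
```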