AWS S3 Transfer Manager ${cognito-identity.amazonaws.com:sub} 策略变量访问被拒绝
AWS S3 Transfer Manager ${cognito-identity.amazonaws.com:sub} Policy Variable Access Denied
我正在尝试使用传输管理器从 AWS S3 将文件从特定于用户的文件夹下载到我的 iOS 移动应用程序,如下所示:
@IBAction func download() {
let transferManager = AWSS3TransferManager.default()!
let downloadingFileURL = URL(fileURLWithPath: NSTemporaryDirectory()).appendingPathComponent("disney1.jpg")
let downloadRequest = AWSS3TransferManagerDownloadRequest()!
downloadRequest.bucket = "sidestreamx"
// user's UUID/disney1
downloadRequest.key = "631d121f-b294-4318-b3cd-36b3b74ebdff/disney1"
downloadRequest.downloadingFileURL = downloadingFileURL
transferManager.download(downloadRequest).continue(with: AWSExecutor.mainThread(), with: {
(task: AWSTask<AnyObject>) -> Any? in
if let error = task.error as? NSError {
// handle error
return nil
}
self.imageView.image = UIImage(contentsOfFile: downloadingFileURL.path)
return nil
})
}
我的 IAM 角色权限策略如下,来自 this AWS doc:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GetBucketListIfRequestIsForUser",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::sidestreamx"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${cognito-identity.amazonaws.com:sub}/*"
]
}
}
},
{
"Sid": "S3GetObjects",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::sidestreamx/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
我得到的响应是
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>E1F205B58EF4A670</RequestId>
<HostId>dUWI8PfVZL3mJmykjhXRqvFd1yt/CqDFNlwgwD3kmLk2vrMBP6JvVgezMYSROt3KyE3dx0+3eDE=</HostId>
</Error>
用户通过 AWS Cognito 用户池和 Cognito 联合身份验证。我已经调试并提取了 JWT 令牌,并看到 sub = "631d121f-b294-4318-b3cd-36b3b74ebdff"。我什至用 Charles 看到了 Request/Response。
如果我将最后一个语句S3GetObjects中的${cognito-identity.amazonaws.com:sub}替换为631d121f-b294-4318-b3cd-36b3b74ebdff得到arn:aws:s3:::sidestreamx/631d121f-b294-4318-b3cd-36b3b74ebdff/*,它确实有效。第一条语句可以继续使用策略变量并且它仍然有效。如果我完全删除第一个语句,它将起作用!当我将策略变量添加到它开始崩溃的最后一个语句时。
我已经检查过这个 Stack Overflow question and this one,但没有用。所以是的,我不知道。我已经为此工作了将近 9 个多小时,因此我们将不胜感激任何帮助。
问题已解决。事实证明,${cognito-identity.amazonaws.com:sub} 并没有真正引用 JWT 令牌中的 sub。它指的是来自 credentialsProvider 的 IdentityID:
(AWSServiceManager.default().defaultServiceConfiguration.credentialsProvider
as! AWSCognitoCredentialsProvider).getIdentityId()
.continue({task -> Any? in
print("Credentials ID is \(task.result!)")
return nil
})
我在我的存储桶中手动创建了一个名称等于 task.result! 的文件夹(格式为 us-east-1:XXXXXXXXXXXXXXXXXX fyi),并且它有效。
我正在尝试使用传输管理器从 AWS S3 将文件从特定于用户的文件夹下载到我的 iOS 移动应用程序,如下所示:
@IBAction func download() {
let transferManager = AWSS3TransferManager.default()!
let downloadingFileURL = URL(fileURLWithPath: NSTemporaryDirectory()).appendingPathComponent("disney1.jpg")
let downloadRequest = AWSS3TransferManagerDownloadRequest()!
downloadRequest.bucket = "sidestreamx"
// user's UUID/disney1
downloadRequest.key = "631d121f-b294-4318-b3cd-36b3b74ebdff/disney1"
downloadRequest.downloadingFileURL = downloadingFileURL
transferManager.download(downloadRequest).continue(with: AWSExecutor.mainThread(), with: {
(task: AWSTask<AnyObject>) -> Any? in
if let error = task.error as? NSError {
// handle error
return nil
}
self.imageView.image = UIImage(contentsOfFile: downloadingFileURL.path)
return nil
})
}
我的 IAM 角色权限策略如下,来自 this AWS doc:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GetBucketListIfRequestIsForUser",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::sidestreamx"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${cognito-identity.amazonaws.com:sub}/*"
]
}
}
},
{
"Sid": "S3GetObjects",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::sidestreamx/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
我得到的响应是
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>E1F205B58EF4A670</RequestId>
<HostId>dUWI8PfVZL3mJmykjhXRqvFd1yt/CqDFNlwgwD3kmLk2vrMBP6JvVgezMYSROt3KyE3dx0+3eDE=</HostId>
</Error>
用户通过 AWS Cognito 用户池和 Cognito 联合身份验证。我已经调试并提取了 JWT 令牌,并看到 sub = "631d121f-b294-4318-b3cd-36b3b74ebdff"。我什至用 Charles 看到了 Request/Response。
如果我将最后一个语句S3GetObjects中的${cognito-identity.amazonaws.com:sub}替换为631d121f-b294-4318-b3cd-36b3b74ebdff得到arn:aws:s3:::sidestreamx/631d121f-b294-4318-b3cd-36b3b74ebdff/*,它确实有效。第一条语句可以继续使用策略变量并且它仍然有效。如果我完全删除第一个语句,它将起作用!当我将策略变量添加到它开始崩溃的最后一个语句时。
我已经检查过这个 Stack Overflow question and this one,但没有用。所以是的,我不知道。我已经为此工作了将近 9 个多小时,因此我们将不胜感激任何帮助。
问题已解决。事实证明,${cognito-identity.amazonaws.com:sub} 并没有真正引用 JWT 令牌中的 sub。它指的是来自 credentialsProvider 的 IdentityID:
(AWSServiceManager.default().defaultServiceConfiguration.credentialsProvider
as! AWSCognitoCredentialsProvider).getIdentityId()
.continue({task -> Any? in
print("Credentials ID is \(task.result!)")
return nil
})
我在我的存储桶中手动创建了一个名称等于 task.result! 的文件夹(格式为 us-east-1:XXXXXXXXXXXXXXXXXX fyi),并且它有效。