AccessDeniedException using Cognito ID in DynamoDB

I am trying to insert into my DynamoDB table using the Cognito user ID, but I always get an "AccessDeniedException". I followed the documentation and created the table and the policy for it as shown below. What is missing here? Please see the full stack trace and request ID.

The table has UserId as the hash key and id as the range key.

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:1828211111:table/Table"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

Code that saves the data:

// Attach the provider login to the Cognito credentials and resolve the identity id
AWS.DynamoDBhelper.Credentials.AddLogin(Helpers.Constants.KEY_LAST_USED_PROVIDER, Helpers.Settings.LoginAccessToken);
var identityId = await AWS.DynamoDBhelper.Credentials.GetIdentityIdAsync();

// DynamoDB client and object-persistence context backed by the Cognito credentials
var client = new Amazon.DynamoDBv2.AmazonDynamoDBClient(AWS.DynamoDBhelper.Credentials, Amazon.RegionEndpoint.USEast1);
var context = new Amazon.DynamoDBv2.DataModel.DynamoDBContext(client);

// The hash key is the caller's own identity id, as the LeadingKeys condition requires
AWS.Table table = new AWS.Table();
table.UserId = identityId;
table.id = "1";
await context.SaveAsync(table);

ex = {Amazon.DynamoDBv2.AmazonDynamoDBException: assumed-role/ _auth_MOBILEHUB/CognitoIdentityCredentials is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1

Model:

[DynamoDBTable("Table")]
public class Table
{
    [DynamoDBHashKey]
    public string UserId { get; set; }

    [DynamoDBRangeKey]
    public string id { get; set; }
}

Error message:

... is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1 ...

Add the following to the actions in the policy:

dynamodb:DescribeTable

So your policy will look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem",
                "dynamodb:DescribeTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:1828211111:table/Table"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}
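The fix works because DescribeTable is simply absent from the Action list: the .NET DynamoDBContext fetches the table's key schema with DescribeTable before it issues the PutItem behind SaveAsync, so the very first call is denied even though PutItem itself is allowed. The Python below is an added example, not code from the question or the answer. It models offline the subset of IAM evaluation that this policy exercises (Allow statements, action and resource matching, and the ForAllValues:StringEquals operator with the cognito-identity.amazonaws.com:sub variable), so the question's policy and the answer's policy can be run against the same requests: a write to the caller's own partition, a write to another identity's partition, and the table-level DescribeTable call that carries no LeadingKeys at all. The table ARN is the one from the post; the identity ids are constructed. This is not AWS's evaluator; for an authoritative check, run `aws iam simulate-custom-policy` against the real policy.

```python
"""Offline model of how the post's IAM policy evaluates (added example, not AWS code)."""
import fnmatch
import re

TABLE_ARN = "arn:aws:dynamodb:us-east-1:1828211111:table/Table"  # as given in the post
_VAR = re.compile(r"\$\{([^}]+)\}")


def build_policy(extra_actions=()):
    """The question's policy; pass ("dynamodb:DescribeTable",) to get the answer's fixed version."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem",
                "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:UpdateItem",
                *extra_actions,
            ],
            "Resource": [TABLE_ARN],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
                }
            },
        }],
    }


def request_context(identity_sub, leading_keys=None):
    """Request context as IAM sees it: the Cognito identity id plus the hash-key values of the
    items touched. Table-level calls such as DescribeTable carry no LeadingKeys at all."""
    ctx = {"cognito-identity.amazonaws.com:sub": [identity_sub]}
    if leading_keys is not None:
        ctx["dynamodb:LeadingKeys"] = list(leading_keys)
    return ctx


def _resolve(value, context):
    """Expand ${key} policy variables from the context; None if a referenced key is absent."""
    missing = False

    def repl(match):
        nonlocal missing
        values = context.get(match.group(1))
        if not values:
            missing = True
            return ""
        return values[0]

    expanded = _VAR.sub(repl, value)
    return None if missing else expanded


def _for_all_values_string_equals(condition, context):
    for key, allowed in condition.items():
        requested = context.get(key)
        if requested is None:
            # ForAllValues is true when the key is absent from the request (documented AWS
            # behaviour), so this condition never blocks DescribeTable; the question's denial
            # comes only from the action not being listed.
            continue
        allowed_values = {_resolve(v, context) for v in allowed} - {None}
        if not set(requested) <= allowed_values:
            return False
    return True


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource, context):
    """Default deny; an Allow statement must match the action, the resource and every condition.
    Only the operator the post uses is modelled (any other raises)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        satisfied = True
        for operator, condition in stmt.get("Condition", {}).items():
            if operator != "ForAllValues:StringEquals":
                raise NotImplementedError(operator)
            satisfied = satisfied and _for_all_values_string_equals(condition, context)
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    me = "us-east-1:11111111-2222-3333-4444-555555555555"      # constructed identity id
    other = "us-east-1:99999999-8888-7777-6666-555555555555"   # constructed identity id
    checks = [
        ("PutItem, own partition", "dynamodb:PutItem", request_context(me, [me])),
        ("PutItem, another user's partition", "dynamodb:PutItem", request_context(me, [other])),
        ("DescribeTable (DynamoDBContext calls it first)", "dynamodb:DescribeTable", request_context(me)),
    ]
    for label, policy in (("question's policy", build_policy()),
                          ("answer's policy", build_policy(("dynamodb:DescribeTable",)))):
        for name, action, ctx in checks:
            verdict = "ALLOW" if is_allowed(policy, action, TABLE_ARN, ctx) else "DENY"
            print(f"{label:18} {name:48} {verdict}")
```

Running it shows the three outcomes that matter: both policies allow a write whose LeadingKeys equal the caller's sub, both deny a write into another identity's partition (the fine-grained access control the condition exists for), and only the answer's policy allows DescribeTable. Adding DescribeTable widens the grant to table metadata only; it does not loosen the per-identity item restriction.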