Edit AWS Cognito Identity Pool using serverless.yml

I am configuring an AWS Cognito identity pool with the Serverless Framework, and I am editing the yml configuration file to add an unauthenticated role so that users can upload images to an S3 bucket.

When I deployed the code before, without specifying an unauthenticated role, the deployment went smoothly and was stable. After looking for a way to control the permissions for accessing the S3 bucket, I found that the only way to grant write but not read access on an S3 bucket is to specify it in the user's policy, so I have to add the unauthenticated role for the identity pool. But when I deploy the code, I get an error message:

Serverless Error ---------------------------------------

  An error occurred: CognitoIdentityPoolRoles - Resource cannot be updated.

I have managed to solve the problem in the development environment, but it required completely deleting the stack and rebuilding it from scratch.

I also don't want to adjust resources manually in the AWS console, because resources should be managed either in CloudFormation or in the console; doing it both ways leads to a mess.

So, at the moment, the options I see are to delete the whole stack and rebuild it with the new role, or to find a way to do the update through CloudFormation.

Does anyone have a way to avoid the first option and let me update the stack without attaching the role in the console?

The relevant part of serverless.yml is as follows...

Resources:
  # The federated identity for our user pool to auth with
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # Generate a name based on the stage
      IdentityPoolName: ${self:custom.stage}MyIdentityPool
      # Allow unauthenticated users
      AllowUnauthenticatedIdentities: true
      # Link to our User Pool
      CognitoIdentityProviders:
      - ClientId:
          Ref: CognitoUserPoolClient
        ProviderName:
          Fn::GetAtt: [ "CognitoUserPool", "ProviderName" ]

  # IAM roles
  CognitoIdentityPoolRoles:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: CognitoIdentityPool
      Roles:
        authenticated:
          Fn::GetAtt: [CognitoAuthRole, Arn]
        # Next two lines are the 2 lines of code which break everything
        unauthenticated:
          Fn::GetAtt: [CognitoUnAuthRole, Arn]

  # IAM role for UN-authenticated users
  CognitoUnAuthRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: 'Allow'
          Principal:
            Federated: 'cognito-identity.amazonaws.com'
          Action:
          - 'sts:AssumeRoleWithWebIdentity'
          Condition:
            StringEquals:
              'cognito-identity.amazonaws.com:aud':
                Ref: CognitoIdentityPool
            'ForAnyValue:StringLike':
              'cognito-identity.amazonaws.com:amr': unauthenticated
      Policies:
      - PolicyName: 'CognitoUnAuthorizedPolicy'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: 'Allow'
            Action:
            - 'mobileanalytics:PutEvents'
            - 'cognito-sync:*'
            - 'cognito-identity:*'
            Resource: '*'
          # Allow users to upload attachments to their
          # folder inside our S3 bucket. The trailing "*" is needed:
          # without it the ARN names only the literal key "submissions/",
          # and PutObject on any object beneath that prefix is denied.
          - Effect: 'Allow'
            Action:
            - 's3:PutObject'
            Resource:
            - Fn::Join:
              - ''
              -
                - Fn::GetAtt: [MediafilesBucket, Arn]
                - '/submissions/*'

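The security-relevant point of the configuration above is that the unauthenticated role should be able to write to one prefix of the bucket and nothing else, and that its trust policy should only be assumable by unauthenticated identities of this specific pool. The following is an added example, not code from the question or from the Serverless Framework: it resolves the two policy documents into plain dictionaries (the pool id and bucket ARN are constructed placeholders) and lints them offline, flagging read actions, bucket-wide or wildcard resources, and the literal-key mistake where the resource ends in `/submissions/` with no trailing wildcard.

```python
"""Offline lint for the IAM policies attached to a Cognito unauthenticated role.

Added example (not from the original question). The documents below are
constructed to mirror the serverless.yml above after CloudFormation resolves
Ref / Fn::GetAtt; POOL_ID and BUCKET_ARN are placeholder values.
"""
import fnmatch

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder, constructed
BUCKET_ARN = "arn:aws:s3:::example-mediafiles-bucket"        # placeholder, constructed

# Trust policy of CognitoUnAuthRole, with the Ref to the pool substituted.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"},
        },
    }],
}

# Permission policy of CognitoUnAuthRole, with the Fn::Join resolved and the
# trailing wildcard that makes uploads beneath the prefix actually match.
UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": [BUCKET_ARN + "/submissions/*"]},
    ],
}

# S3 actions an unauthenticated, write-only role must never receive.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListAllMyBuckets"}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust, pool_id):
    """Return findings if the role can be assumed by other pools or by authenticated users."""
    findings = []
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        cond = st.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud != pool_id:
            findings.append("trust policy is not pinned to this identity pool (aud condition)")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != "unauthenticated":
            findings.append("trust policy lacks the amr=unauthenticated condition")
    return findings


def check_unauth_policy(policy, bucket_arn, prefix="submissions/"):
    """Return findings for any S3 grant that is wider than write-only on bucket_arn/prefix."""
    allowed = f"{bucket_arn}/{prefix}"
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        s3_actions = [a for a in actions if a.lower().startswith("s3:")]
        if not s3_actions:
            continue  # non-S3 statements are outside this check's scope
        for action in s3_actions:
            # Action strings may carry wildcards (s3:Get*), so match them as patterns.
            if action == "s3:*" or any(fnmatch.fnmatch(r.lower(), action.lower()) for r in READ_ACTIONS):
                findings.append(f"unauthenticated role can read S3 via {action}")
        for res in _as_list(st.get("Resource", [])):
            if res == "*" or res == bucket_arn or res == bucket_arn + "/*":
                findings.append(f"S3 grant is bucket-wide or global: {res}")
            elif res == allowed:
                findings.append(f"resource is the literal key {res!r}; objects under the prefix will not match")
            elif not res.startswith(allowed):
                findings.append(f"S3 grant outside the allowed prefix: {res}")
    return findings


if __name__ == "__main__":
    for line in check_trust_policy(TRUST_POLICY, POOL_ID) + check_unauth_policy(UNAUTH_POLICY, BUCKET_ARN):
        print("FINDING:", line)
```

Run against the policies as written above, the linter reports nothing; swap the resource back to the original `/submissions/` without the wildcard, or add `s3:Get*`, and it reports the literal-key and read-access findings respectively. The same checks can be applied to the JSON that `aws iam get-role-policy` returns for the deployed role, which is a quick way to confirm that what CloudFormation actually created matches the intent in serverless.yml.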
Fixed.

I commented out the part of serverless.yml related to deploying (destroying) the identity pool, then uncommented that section, redeployed, and restored from backup.

This seems a bit messy, but it worked.

I also feel there *should* be a way to edit the identity pool roles through CloudFormation...