Cognito 凭据无权执行执行 api
Cognito Credentials are not authorized to perform Execute api
我正在尝试使用 AWS Cognito 组创建基于角色的访问控制。我定义了以下角色和策略来拒绝对资源的访问
CognitoAuthRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: "CognitoAuthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Deny"
Action: "*"
Resource: "*"
然后我创建了一个名为 admin incognito user pool 的组,并分配了一个具有策略的角色,让用户按如下方式调用 API
CognitoUserPoolGroupAdmin:
Type: AWS::Cognito::UserPoolGroup
Properties:
UserPoolId:
Ref: CognitoUserPool
GroupName: Admin
Precedence: 0
RoleArn:
Fn::GetAtt:
- AdminRole
- Arn
AdminRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: AdminRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: CognitoAdminPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "execute-api:Invoke"
Resource:
- arn:aws:execute-api:ap-south-1:****:***/*/GET/user
然后我创建了一个用户并添加到组管理员并获得了临时凭据,然后尝试调用 API 并在 postman
中出现以下 403 错误
"User:
arn:aws:sts::******:assumed-role/auth-service-dev-CognitoAuthRole-1JO2U7LKRJRBB/CognitoIdentityCredentials
is not authorized to perform: execute-api:Invoke on resource:
arn:aws:execute-api:ap-south-1:********2015:****/dev/GET/user with an
explicit deny"
这工作完美,但在删除并重新部署云形成堆栈后开始导致此错误。
根据评论,问题是 explicit deny。来自 docs:
If the code finds even one explicit deny that applies, the code
returns a final decision of Deny.
基本上,explicit deny 总是胜过任何 allow。
我正在尝试使用 AWS Cognito 组创建基于角色的访问控制。我定义了以下角色和策略来拒绝对资源的访问
CognitoAuthRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: "CognitoAuthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Deny"
Action: "*"
Resource: "*"
然后我创建了一个名为 admin incognito user pool 的组,并分配了一个具有策略的角色,让用户按如下方式调用 API
CognitoUserPoolGroupAdmin:
Type: AWS::Cognito::UserPoolGroup
Properties:
UserPoolId:
Ref: CognitoUserPool
GroupName: Admin
Precedence: 0
RoleArn:
Fn::GetAtt:
- AdminRole
- Arn
AdminRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: AdminRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: CognitoAdminPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "execute-api:Invoke"
Resource:
- arn:aws:execute-api:ap-south-1:****:***/*/GET/user
然后我创建了一个用户并添加到组管理员并获得了临时凭据,然后尝试调用 API 并在 postman
中出现以下 403 错误"User: arn:aws:sts::******:assumed-role/auth-service-dev-CognitoAuthRole-1JO2U7LKRJRBB/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-south-1:********2015:****/dev/GET/user with an explicit deny"
这工作完美,但在删除并重新部署云形成堆栈后开始导致此错误。
根据评论,问题是 explicit deny。来自 docs:
If the code finds even one explicit deny that applies, the code returns a final decision of Deny.
基本上,explicit deny 总是胜过任何 allow。