Getting full access to DynamoDB from my iOS app using AWS Cognito developer identities

I have implemented an AWS Lambda function and used the gateway to return the following data:

// Node.js (aws-sdk v2) code running inside the Lambda. userId is the end user's
// name sent by the client; fn(err, identityId, token) is the caller's callback.
var AWS = require('aws-sdk');
var cognitoidentity = new AWS.CognitoIdentity();

function getDeveloperIdentity(userId, fn)
{
    var param =
    {
        IdentityPoolId: "actualIdentityPoolId",
        Logins: {} // To have provider name in a variable
    };
    // Developer provider name (as configured on the identity pool) -> end-user id
    param.Logins["com.testing.userLogin"] = userId;

    cognitoidentity.getOpenIdTokenForDeveloperIdentity(param,
    function(err, data)
    {
        if (err) return fn(err); // an error occurred
        else fn(null, data.IdentityId, data.Token); // successful response
    });
}

So the identityId and token get sent back to the ios device. In my device I try to connect to an AWS DynamoDB table but access is denied. How do I use the identityId and token to gain access to the tables?


I have set up roles in IAM: Unauth, which denies DynamoDB, and Auth, which gives access to the tables through its policies.

I am trying to implement authentication using: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html


I see there are two flows which are Basic and Enhanced. The documentation says most users will use the enhanced flow and that implements GetCredentialForIdentity.


How is that implemented in my ios code so that I can switch my role from unauth to auth and can access to dynamodb? How long will this access last? I would like to do this all in my ios code instead of using lambda or something else like that.

2 solutions

#1


3  

If your user is unauthenticated and then logs in, you need to clear your credentials, and your 'logins' method should now return a properly updated logins map.

Here is the documentation to help you: https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html


#2


2  

Double check your DynamoDB roles for authenticated access to your DynamoDB resource. An example role for this is on the following page of the developer guide you referenced. The page is called "IAM Roles" and the last section is the important one: "Fine-Grained Access to Amazon DynamoDB".

Stick with your plan to use the Enhanced Authflow. It is recommended and makes fewer calls to authenticate (your users will appreciate this). Just make sure your mobile clients call GetCredentialsForIdentity from iOS.

From the Enhanced Authflow documentation further down your page:


The GetCredentialsForIdentity API can be called after you establish an identity ID. This API is functionally equivalent to calling GetOpenIdToken followed by AssumeRoleWithWebIdentity.


The AssumeRoleWithWebIdentity is the important piece that allows your user to assume the Role that gets access to the DynamoDB resource. Cognito will take care of the rest as long as you set up the Roles correctly within the Cognito console:


In order for Amazon Cognito to call AssumeRoleWithWebIdentity on your behalf, your identity pool must have IAM roles associated with it. You can do this via the Amazon Cognito Console or manually via the SetIdentityPoolRoles operation (see the API reference)

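What the iOS side looks like, as an added example (not the asker's code and not AWS's own sample): a developer-authenticated credentials helper using the enhanced flow from answer #2, plus the credential-clearing step from answer #1. It assumes the AWS iOS SDK v2, a placeholder identity pool id and region, and a hypothetical fetchIdentityFromBackend hook standing in for the API Gateway call that returns the Lambda's IdentityId and Token.

```swift
import AWSCore
import AWSDynamoDB

// Shape of what the backend (the question's Lambda behind API Gateway) returns.
// Constructed for this example; not an SDK type.
struct BackendIdentity {
    let identityId: String
    let token: String
}

// The SDK calls token() whenever it needs a Cognito token for this user; with
// useEnhancedFlow it then exchanges that token via GetCredentialsForIdentity.
class DeveloperAuthenticatedIdentityProvider: AWSCognitoCredentialsProviderHelper {
    // Hypothetical hook for your API Gateway call; replace with real networking.
    var fetchIdentityFromBackend: () -> BackendIdentity = {
        fatalError("call your API Gateway endpoint here")
    }

    override func token() -> AWSTask<NSString> {
        let result = fetchIdentityFromBackend()
        // Set the identity id first; the enhanced flow needs it to call
        // GetCredentialsForIdentity for this identity.
        self.identityId = result.identityId
        return AWSTask(result: result.token as NSString)
    }
}

let region: AWSRegionType = .USEast1            // assumption
let identityPoolId = "REGION:IDENTITY_POOL_ID"   // placeholder

let identityProvider = DeveloperAuthenticatedIdentityProvider(
    regionType: region,
    identityPoolId: identityPoolId,
    useEnhancedFlow: true,          // GetCredentialsForIdentity, as answer #2 advises
    identityProviderManager: nil)

let credentialsProvider = AWSCognitoCredentialsProvider(
    regionType: region,
    identityProviderManager: identityProvider)

AWSServiceManager.default().defaultServiceConfiguration =
    AWSServiceConfiguration(region: region, credentialsProvider: credentialsProvider)

// Answer #1's step: after the user signs in (or out), drop the cached identity
// and credentials so the next request re-runs token() under the new role.
func switchIdentity() {
    credentialsProvider.clearKeychain()
}

// DynamoDB calls now go out with the credentials Cognito vended for the role.
let dynamoDB = AWSDynamoDB.default()
```

Which role those credentials carry is decided by the authenticated/unauthenticated role mapping on the identity pool, so the Auth role's DynamoDB policy still has to be correct for the request to succeed.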