AWS cognito userpools JavaScript SDK get user's policy documents

丶灬走出姿态 submitted on 2019-12-08 18:26:03

Question


For a registered user in AWS Cognito Userpools, is it possible to retrieve the policy documents attached to the user through IAM roles through JavaScript SDK?

The use case is to write a custom authorizer which authorizes the Cognito ID token and returns a policy document with the IAM permissions the user is capable of assuming through Cognito User Groups.


Answer 1:


After carrying out further research, the following approach is used to retrieve the 'inline policies' attached to the user through IAM roles.

  • From the AWS Cognito JWT, extract the role names from the ARNs and, using the IAM SDK for JavaScript, get the policy ARNs by using

    const aws = require('aws-sdk');
    let iam = new aws.IAM();
    // listRolePolicies returns inline policy names only; managed policies attached
    // to the role are not included in this list.
    iam.listRolePolicies({ RoleName: roleName }, function (err, data) {
        if (err) { return console.error(err); } // check the error before reading data
        let policyNames = data["PolicyNames"];  // may be truncated: see data.IsTruncated / data.Marker
        // Use policy names and role names to retrieve policy documents
    });
    
  • Using policy names and role names in combination, retrieve the policy documents in JSON format

    iam.getRolePolicy({ PolicyName: policyName, RoleName: roleName },
    function (err, data) {
        if (err) { return console.error(err); }
        // PolicyDocument comes back URL-encoded; decode it, then parse the JSON
        let document = JSON.parse(decodeURIComponent(data["PolicyDocument"]));
    });
    
  • Next iteratively extract the statements from each policy document and build a single one.

Example code can be found in this GitHub repository.
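The three steps above, carried through end to end as an added example (not code from the answer or from the repository it links): role ARNs are read from the `cognito:roles` claim of the ID token, role names are cut out of the ARNs, the inline policies of each role are listed with the IAM pagination cursor followed, each `PolicyDocument` is URL-decoded and parsed, and the statements are merged into one document. The IAM client is replaced by a constructed in-memory stand-in so the code runs offline; `promisifyIam()` adapts the aws-sdk v2 callback client used in the answer (an assumption about the SDK version). The token payload is assumed to have been verified (signature, issuer, audience, expiry) before its claims are trusted, and, exactly as in the answer, only inline policies are collected; managed policies attached to the role would need `listAttachedRolePolicies` and `getPolicyVersion`, which this example does not cover.

```javascript
// Added example: not code from the original answer or its linked repository.
// Builds one policy document from the inline policies of every IAM role named
// in a Cognito ID token's "cognito:roles" claim. The IAM client is a constructed
// in-memory stand-in so the file runs offline; promisifyIam() adapts the real
// aws-sdk v2 client from the answer (assumption: v2 callback API).

// "cognito:roles" carries the role ARNs granted through the user's groups.
// Assumption: the payload comes from a token that has already been verified.
function roleArnsFromIdToken(payload) {
  return Array.isArray(payload['cognito:roles']) ? payload['cognito:roles'] : [];
}

// "arn:aws:iam::123456789012:role/Name" -> "Name"; a role path such as
// role/app/Name is dropped, because RoleName is the bare name.
function roleNamesFromArns(roleArns) {
  return roleArns.map((arn) => {
    const m = /^arn:aws:iam::\d{12}:role\/(.+)$/.exec(arn);
    if (!m) throw new Error(`not an IAM role ARN: ${arn}`);
    return m[1].split('/').pop();
  });
}

// Follow IAM pagination (IsTruncated / Marker): one call may not list everything.
async function listAllInlinePolicyNames(iam, roleName) {
  const names = [];
  let marker;
  do {
    const params = { RoleName: roleName };
    if (marker) params.Marker = marker;
    const page = await iam.listRolePolicies(params);
    names.push(...page.PolicyNames);
    marker = page.IsTruncated ? page.Marker : undefined;
  } while (marker);
  return names;
}

// getRolePolicy returns PolicyDocument URL-encoded; decode, parse, and
// normalise Statement (which may be a single object) to an array.
async function inlineStatementsForRole(iam, roleName) {
  const statements = [];
  for (const policyName of await listAllInlinePolicyNames(iam, roleName)) {
    const res = await iam.getRolePolicy({ RoleName: roleName, PolicyName: policyName });
    const doc = JSON.parse(decodeURIComponent(res.PolicyDocument));
    statements.push(...(Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement]));
  }
  return statements;
}

// One document for the authorizer response. Deny statements are kept on
// purpose: an explicit Deny overrides any Allow, so dropping them widens access.
async function mergedPolicyForToken(iam, payload) {
  const statements = [];
  for (const roleName of roleNamesFromArns(roleArnsFromIdToken(payload))) {
    statements.push(...(await inlineStatementsForRole(iam, roleName)));
  }
  return { Version: '2012-10-17', Statement: statements };
}

// Adapter for the aws-sdk v2 callback client used in the answer (assumption).
function promisifyIam(iam) {
  return {
    listRolePolicies: (p) => iam.listRolePolicies(p).promise(),
    getRolePolicy: (p) => iam.getRolePolicy(p).promise(),
  };
}

// Constructed stand-in for IAM: pages one policy name at a time so the Marker loop is exercised.
function makeFakeIam(roles) {
  return {
    async listRolePolicies({ RoleName, Marker }) {
      const names = Object.keys(roles[RoleName] || {});
      const start = Marker ? Number(Marker) : 0;
      const truncated = start + 1 < names.length;
      return {
        PolicyNames: names.slice(start, start + 1),
        IsTruncated: truncated,
        Marker: truncated ? String(start + 1) : undefined,
      };
    },
    async getRolePolicy({ RoleName, PolicyName }) {
      const doc = roles[RoleName] && roles[RoleName][PolicyName];
      if (!doc) throw new Error(`NoSuchEntity: ${RoleName}/${PolicyName}`);
      return { PolicyDocument: encodeURIComponent(JSON.stringify(doc)) };
    },
  };
}

// Constructed sample data: two group roles; one policy uses a bare Statement object.
const SAMPLE_ROLES = {
  ReadersRole: {
    ListBucket: { Version: '2012-10-17', Statement: { Effect: 'Allow', Action: 's3:ListBucket', Resource: 'arn:aws:s3:::example-bucket' } },
    GetObject: { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-bucket/*' }] },
  },
  AuditRole: {
    DenyDelete: { Version: '2012-10-17', Statement: [{ Effect: 'Deny', Action: 's3:DeleteObject', Resource: '*' }] },
  },
};

// Constructed ID-token payload (treated as already verified).
const SAMPLE_PAYLOAD = {
  sub: 'example-user',
  'cognito:groups': ['readers', 'auditors'],
  'cognito:roles': ['arn:aws:iam::123456789012:role/ReadersRole', 'arn:aws:iam::123456789012:role/app/AuditRole'],
};

if (typeof require !== 'undefined' && require.main === module) {
  mergedPolicyForToken(makeFakeIam(SAMPLE_ROLES), SAMPLE_PAYLOAD)
    .then((doc) => console.log(JSON.stringify(doc, null, 2)));
}
```

Against a live account, replace `makeFakeIam(SAMPLE_ROLES)` with `promisifyIam(new aws.IAM())`; the calling identity then needs `iam:ListRolePolicies` and `iam:GetRolePolicy` on the group roles, which is a narrower grant than letting the authorizer assume those roles itself.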



Source: https://stackoverflow.com/questions/45070378/aws-cognito-userpools-javascript-sdk-get-users-policy-documents
