1. 技术文章
  2. Getting “AccessDenied” while accessing S3 using Cognito Token

Getting “AccessDenied” while accessing S3 using Cognito Token

元气小坏坏 提交于 2019-12-12 22:13:37

问题


I am trying to use "listObjects" operation on a bucket. This is accessed thru a WebService and I don't want to give user Console Access.

Role Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BucketName"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${cognito-identity.amazonaws.com:sub}/*"
                    ]
                }
            }
        }
    ]
}

Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "somevalue"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

If I replace "${cognito-identity.amazonaws.com:sub}" with actual value, then it works, otherwise it gives AccessDenied error. Seems like I am missing something very simple. Please help.

Error :

cfId:undefined
code:"AccessDenied"
extendedRequestId:undefined
message:"Access Denied"
region:null
requestId:null
retryDelay:14.650563118124381
retryable:false
statusCode:403
time:Sun May 14 2017 23:11:57 GMT+0530
name:"AccessDenied"
stack:"AccessDenied: Access Denied↵    at constructor.extractError (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:24:11663)↵    at constructor.callListeners (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:27756)↵    at constructor.emit (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:27465)↵    at constructor.emitEvent (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:15469)↵    at constructor.e (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:11925)↵    at a.runTo (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:24:27302)↵    at http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:24:27509↵    at constructor.<anonymous> (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:12135)↵    at constructor.<anonymous> (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:15524)↵    at constructor.callListeners (http://localhost:8081/aws-cognito/aws-sdk-2.3.5.min.js:23:27862)"
__proto__:Object

回答1:


As it turned out, it was a silly mistake from my side. Sub is always in the form : us-east-1:12345678-1234-1234-1234-123456790ab.

I was copying the SUB from Cognito-idp which was wrong. It is the wrong SUB.

The SUB is IdentityId that we get from Cognito Identity pool.

Thanks for looking.



来源:https://stackoverflow.com/questions/43899880/getting-accessdenied-while-accessing-s3-using-cognito-token

标签
amazon-s3
amazon-cognito
amazon-iam
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!