Question
I have the following policy defined on a Cognito role
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:ap-southeast-2: NUMBER:table/myapplication_product"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
```
As you can see, it should allow access to GetItem, UpdateItem and Scan, but I'm finding that only Scan works. An attempt to use GetItem results in:
```
https://dynamodb.ap-southeast-2.amazonaws.com/ 400 (Bad Request)
Error: User: arn:aws:sts:: NUMBER:assumed-role/Cognito_XXXXX_IDUnauth_Role/CognitoIdentityCredentials is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-southeast-2:NUMBER:table/myapplication_product(…)
```
I have set it up with:
```javascript
AWS.config.region = 'ap-northeast-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'ap-northeast-1:SECRET_UUID',
});
AWS.config.apiVersions = {
  dynamodb: '2012-08-10',
};
this.dynamodb = new AWS.DynamoDB({region: "ap-southeast-2"});
```
So why does one method work and not another?
EDIT
I thought I should also detail the actual queries being made.
This is the Scan; it's basically there to display all products:
```javascript
Store.prototype.getAllProducts = function(callback) {
  var params = {
    TableName: 'myapplication_product',
  };
  this.dynamodb.scan(params, callback);
}
```
And this is the GetItem:
```javascript
Store.prototype.getProduct = function (sku, callback) {
  var params = {
    TableName: 'stonesandpearls_product',
    Key: {
      sku: { S: sku }
    },
  };
  this.dynamodb.getItem(params, callback);
}
```
If I just use:
```javascript
AWS.config.update({accessKeyId: 'MY_SECRET_ID', secretAccessKey: 'MY_SECRET_ACCESS_KEY'});
```
rather than the CognitoIdentityCredentials, these queries work.
Answer 1:
A couple of things here.

Looking at your policy, it looks like you are looking for identity-level fine-grained access. If you want that and you add Scan to your policy, it basically gives any identity access to your full table. You should only allow item-level operations in the fine-grained policy. IAM roles for fine-grained access control explains this in more detail.

The dynamodb:LeadingKeys condition key will allow users to access only the items where the partition/hash key value matches their identity ID. The error you are getting indicates that either the identity ID is not the hash key in your DynamoDB table or you are not setting the hash key value in your DynamoDB query when you issue a get or update item. This is also the reason why Scan is working, because scan queries do not require a hash key value.
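To make the answer's two points concrete, here is an added, offline model of how the `dynamodb:LeadingKeys` condition is evaluated (this is example code written for this page, not code from the question, the answer, or the AWS SDK). It assumes a hardened version of the question's policy with `Scan` removed and `Query` added (the item-level operations AWS documents for this pattern), a constructed Cognito identity ID and a placeholder account ID, and models only the `ForAllValues:StringEquals` part of IAM evaluation. It shows that a `GetItem` whose partition key is a product SKU is denied, a `GetItem` keyed by the caller's identity ID is allowed, and why `Scan` slipped through the original policy: with no key in the request, `ForAllValues` has nothing to mismatch.

```javascript
// Constructed sample values: a Cognito identity ID and a placeholder account ID.
const IDENTITY_SUB = "ap-northeast-1:11111111-2222-3333-4444-555555555555";
const TABLE_ARN = "arn:aws:dynamodb:ap-southeast-2:123456789012:table/myapplication_product";

// Hardened policy (assumption): item-level actions only, no Scan; the partition
// key of every item touched must equal the caller's identity ID.
const hardenedPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["dynamodb:GetItem", "dynamodb:UpdateItem", "dynamodb:Query"],
    Resource: [TABLE_ARN],
    Condition: {
      "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
      }
    }
  }]
};

// The question's policy, modelled the same way, still listing Scan.
const questionPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["dynamodb:GetItem", "dynamodb:Scan", "dynamodb:UpdateItem"],
    Resource: [TABLE_ARN],
    Condition: hardenedPolicy.Statement[0].Condition
  }]
};

// Substitute the policy variable with the caller's Cognito identity ID.
function resolveVars(values, sub) {
  return values.map(v => v.replace("${cognito-identity.amazonaws.com:sub}", sub));
}

// ForAllValues:StringEquals: every value in the request must be in the allowed
// set. An empty request set (no partition key, as in Scan) passes vacuously.
function forAllValuesStringEquals(requestValues, allowedValues) {
  return requestValues.every(v => allowedValues.includes(v));
}

// Returns true when some Allow statement matches action, resource and condition.
function isAllowed(policyDoc, request) {
  return policyDoc.Statement.some(stmt => {
    if (stmt.Effect !== "Allow") return false;
    if (!stmt.Action.includes(request.action)) return false;
    if (!stmt.Resource.includes(request.resource)) return false;
    const cond = stmt.Condition && stmt.Condition["ForAllValues:StringEquals"];
    if (!cond) return true;
    return Object.entries(cond).every(([key, allowed]) =>
      forAllValuesStringEquals(request.contextKeys[key] || [], resolveVars(allowed, request.sub)));
  });
}

// A GetItem call: the partition key value from Key becomes dynamodb:LeadingKeys.
function getItemRequest(sub, partitionKeyValue) {
  return {
    action: "dynamodb:GetItem", resource: TABLE_ARN, sub,
    contextKeys: { "dynamodb:LeadingKeys": [partitionKeyValue] }
  };
}

// A Scan call carries no partition key, so the context key is empty.
function scanRequest(sub) {
  return {
    action: "dynamodb:Scan", resource: TABLE_ARN, sub,
    contextKeys: { "dynamodb:LeadingKeys": [] }
  };
}

// Walk-through of the cases discussed in the answer.
console.log("GetItem by SKU (question's call):",
  isAllowed(hardenedPolicy, getItemRequest(IDENTITY_SUB, "sku-1234")));        // false
console.log("GetItem keyed by identity ID:",
  isAllowed(hardenedPolicy, getItemRequest(IDENTITY_SUB, IDENTITY_SUB)));      // true
console.log("Scan under the question's policy:",
  isAllowed(questionPolicy, scanRequest(IDENTITY_SUB)));                        // true (whole table)
console.log("Scan under the hardened policy:",
  isAllowed(hardenedPolicy, scanRequest(IDENTITY_SUB)));                        // false
```

The practical consequence for the question's data model is that a table keyed by product SKU cannot be protected with `dynamodb:LeadingKeys` at all: the condition compares the partition key against the caller's identity ID, so it only fits tables whose partition key is that ID. Per-user data belongs in such a table; a shared product catalogue needs a separate table (or a separate statement without the condition) with read-only actions.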
Source: https://stackoverflow.com/questions/34327179/iam-gives-access-to-one-dynamodb-method-but-not-another-using-javascript-to-aws