Question
I've read a bunch of AWS documentation in the last day or two, but haven't yet come across anything that really answers the following:
If a mobile app is using AWS Cognito as the Authentication / Identity provider, I know that we can write AWS IAM policies that specify what AWS resources and actions a user can take. There are a few brief examples of policies that allow users to upload files to S3 directly, but only into "folders" named with their user identity. There is plenty of mention of being able to use policies to control access to all sorts of AWS resources, including CloudSearch.
My primary question is: how are requests made from the mobile client to the AWS services such that they have the user context (token or whatever) necessary for those policies to work? It's possible that the AWS mobile SDKs help with this, but in that case, how are requests then made to resources that are not included in the AWS mobile SDKs (like CloudSearch)? CloudSearch querying exposes itself over a REST API, so how would the mobile client provide the user context in that case, necessary for the policies to work?
Answer 1:
Requests to AWS APIs are authenticated via credentials. For almost all services, this authentication occurs via signature version 4, which uses an HMAC of the payload of the request signed with the access secret key portion of the credential.
For credentials that are vended as part of the Amazon Cognito authflow, a sessionKey is also included that has contextual information about the user that logged in. When the policies associated with those credentials are evaluated, variables can be replaced with these contextual values (e.g. cognito-identity.amazonaws.com:sub for the identity id) to determine if the credentials have the specified access.
Source: https://stackoverflow.com/questions/28479138/how-can-one-make-authenticated-requests-with-aws-cognito-from-mobile-to-aws-serv