问题描述
我的用户有 Cognito 帐户.
My users have Cognito accounts.
根据 这篇文章我们可以使用这样的策略限制对 DynamoDB API 的访问:
According to this article we can restrict access to the DynamoDB API with policy like that:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb: <REGION>:<AWS_ACCOUNT_ID>:table/<TABLE>"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:sub}"
]
}
}
}
]
}
当索引键是email
(主排序键是utc
)时,我的情况看起来很简单,所以我将上面的示例调整为这个:
Looks pretty straightforward for my case when index key is email
(and primary sort key is utc
), so I adjusted example above to this one:
{
"Effect": "Allow",
"Action": "dynamodb:UpdateItem",
"Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:email}"
],
"dynamodb:Attributes": [
"email",
"utc",
"updated",
"isNew"
]
}
}
但我不断收到错误 AccessDeniedException: User: arn:aws:sts::9876543210:assumed-role/policyname/CognitoIdentityCredentials is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:us-east-1:123456789123:table/history
.
我用 *
权限尝试了我的 js http 调用,它可以正常工作,所以只有这个策略才会陷入困境.
I tried my js http call with *
permissions and it works, so pitfall only with this policy.
推荐答案
${cognito-identity.amazonaws.com:email}
不是有效的策略变量.它没有解析到您用户的电子邮件地址.
${cognito-identity.amazonaws.com:email}
is not a valid policy variable. It's not resolving to your users' email addresses.
遗憾的是,像您一样的大多数开发人员会发现用户的电子邮件地址比使用 cognito-identity.amazonaws.com:sub
或 cognito-identity.amazonaws 更直观.com:aud
.
It is a shame as most developers, like yourself, would find the users email address more intuitive than using cognito-identity.amazonaws.com:sub
or cognito-identity.amazonaws.com:aud
.
这篇关于DynamoDB 细粒度访问控制:是否可以使用 ${cognito-identity.amazonaws.com:email}?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,WP2