Amazon Web Services: AWS Lambda using the caller's identity
In a mobile application, I want the Lambda function to be able to access only those rows in DynamoDB whose key is the identity of the user who invoked the Lambda. I have written the following policy, but I keep getting:
User: arn:aws:sts::XXX:assumed-role/FederatedIdentityRole/CognitoIdentityCredentials is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:XXX:table/UserData
Any tips welcome.
Thanks
Here is the Lambda's policy:
{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
    ],
    "Resource": [
        "arn:aws:dynamodb:us-east-1:XXX:table/UserData"
    ],
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": "${cognito-identity.amazonaws.com:sub}"
        }
    }
}
Your question is about the use of "cognito-identity.amazonaws.com:sub". Well, I just found out that ${cognito-identity.amazonaws.com:sub} does not actually refer to the 'sub' field of the authentication token obtained from the Cognito user pool, but to the IdentityId obtained from that user's identity pool!!
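To make the distinction concrete, here is an added example (not code from the question or the answer above) that simulates, offline, how IAM evaluates the posted statement's `ForAllValues:StringEquals` condition on `dynamodb:LeadingKeys`, and shows the helper a Lambda would use to pick the right partition key. The identity ID, user pool `sub`, account number, identity pool ID and table ARN are constructed sample values; `caller_partition_key` assumes the Lambda is invoked with Cognito Identity credentials, so that the runtime populates `context.identity.cognito_identity_id`.

```python
"""
Added example: offline simulation of the IAM condition from the question.
All identifiers below are constructed sample values, not real AWS resources.
"""
import re

# The statement from the question, with a sample account id in the ARN.
STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem",
        "dynamodb:GetItem", "dynamodb:Query", "dynamodb:UpdateItem",
    ],
    "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/UserData"],
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": "${cognito-identity.amazonaws.com:sub}"
        }
    },
}

# Constructed sample values.
IDENTITY_ID = "us-east-1:1a2b3c4d-1111-2222-3333-444455556666"  # identity pool IdentityId
USER_POOL_SUB = "7f8e9d0c-aaaa-bbbb-cccc-ddddeeeeffff"          # 'sub' claim of the user pool JWT
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UserData"

# Request context STS attaches to credentials obtained through Cognito Identity:
# the ':sub' key carries the IdentityId, never the user pool 'sub' claim.
COGNITO_REQUEST_CONTEXT = {
    "cognito-identity.amazonaws.com:sub": IDENTITY_ID,
    "cognito-identity.amazonaws.com:aud": "us-east-1:0f0f0f0f-aaaa-bbbb-cccc-123456789abc",
    "cognito-identity.amazonaws.com:amr": "authenticated",
}

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve_policy_variable(template, request_context):
    """Expand ${key} references from the request context.

    Returns None when any referenced key is absent: IAM treats a condition
    whose variable cannot be resolved as not matching (fail closed).
    """
    missing = False

    def repl(match):
        nonlocal missing
        value = request_context.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    expanded = _POLICY_VAR.sub(repl, template)
    return None if missing else expanded


def allows(statement, action, resource, leading_keys, request_context):
    """Evaluate the statement for one request.

    Only the ForAllValues:StringEquals / dynamodb:LeadingKeys condition is
    modelled: every partition key value in the request must equal the
    resolved variable. IAM treats an empty key set as a match for
    ForAllValues, which all() over an empty list reproduces.
    """
    if action not in statement["Action"] or resource not in statement["Resource"]:
        return False
    condition = statement["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]
    expected = resolve_policy_variable(condition, request_context)
    if expected is None:
        return False
    return all(key == expected for key in leading_keys)


def caller_partition_key(context):
    """Partition key to use inside the Lambda handler.

    The Python runtime exposes the caller's Cognito IdentityId as
    context.identity.cognito_identity_id; that value is what
    ${cognito-identity.amazonaws.com:sub} resolves to, so rows keyed on
    it satisfy the LeadingKeys condition. Invocations that carry no
    Cognito identity are refused rather than falling back to a guess.
    """
    identity = getattr(context, "identity", None)
    identity_id = getattr(identity, "cognito_identity_id", None)
    if not identity_id:
        raise PermissionError("invocation carries no Cognito identity")
    return identity_id


if __name__ == "__main__":
    for label, key in (("IdentityId", IDENTITY_ID), ("user pool sub", USER_POOL_SUB)):
        verdict = allows(STATEMENT, "dynamodb:GetItem", TABLE_ARN, [key], COGNITO_REQUEST_CONTEXT)
        print(f"GetItem keyed on {label}: {'allowed' if verdict else 'denied'}")
```

Keying the table on the user pool `sub` is denied, keying it on the IdentityId is allowed, and with no `cognito-identity.amazonaws.com:*` keys in the request context at all (for example a Lambda running under its own execution role rather than Cognito-vended credentials) the variable cannot resolve and the condition fails closed, so the policy only works for calls made with credentials obtained through Cognito Identity.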