Fatal编程技术网
  • csharp/
  • C# AmazonCongnitoIdentityProviderException:用户无权对资源执行cognito idp:DescribeUserPool

C# AmazonCongnitoIdentityProviderException:用户无权对资源执行cognito idp:DescribeUserPool

c# amazon-web-services asp.net-core

C# AmazonCongnitoIdentityProviderException:用户无权对资源执行cognito idp:DescribeUserPool,c#,amazon-web-services,asp.net-core,C#,Amazon Web Services,Asp.net Core,我正在学习将AWS与ASP.NET核心站点集成。我使用AWS Cognito作为用户存储。我创建了一个注册表单,它实际上充当了AWS Cognito的接口。到目前为止,我已经完成了以下步骤: 在AWS Cognito中创建了一个用户池 在IAM服务中创建了一个用户。已将现有策略“AmazonCongnitodeveloperAuthenticatedIdentifications”附加到此用户 在Windows中的用户配置文件目录中创建了凭据文件。在此文件中设置aws\u访问密钥\u id和

我正在学习将AWS与ASP.NET核心站点集成。我使用AWS Cognito作为用户存储。我创建了一个注册表单,它实际上充当了AWS Cognito的接口。到目前为止,我已经完成了以下步骤:

  • 在AWS Cognito中创建了一个用户池

  • 在IAM服务中创建了一个用户。已将现有策略“AmazonCongnitodeveloperAuthenticatedIdentifications”附加到此用户

  • 在Windows中的用户配置文件目录中创建了凭据文件。在此文件中设置aws\u访问密钥\u id和aws\u机密密钥\u访问密钥

  • 在appsettings.json文件中,创建了一个AWS部分,并按如下所示设置密钥(我已隐藏了用户池客户端机密):

  • 我已经导入了Amazon.AspNetCore.Identity.Cognito和Amazon.Extensions.Cognito包。使用这些包,我将CognitoUser作为T参数传递给ASP.NET核心标识类的SignInManager和UserManager。下面是控制器的全部代码

    public class Accounts : Controller
{
    SignInManager<CognitoUser> _signInManager;
    UserManager<CognitoUser> _userManager;
    CognitoUserPool _pool;

    public Accounts(SignInManager<CognitoUser> signInManager, UserManager<CognitoUser> 
      userManager, CognitoUserPool pool)
    {
        _signInManager = signInManager;
        _userManager = userManager;
        _pool = pool;
    }


    [HttpPost]
    public async Task<IActionResult> SignUp(SignupModel model)
    {
        if (ModelState.IsValid)
        {
            var user = _pool.GetUser(model.Email);
            if (user.Status != null)
            {
                ModelState.AddModelError("UserExists", "User with this email already exists");
                return View(model);
            }

            user.Attributes.Add(CognitoAttribute.Name.AttributeName, model.Email);
            var createdUser = await _userManager.CreateAsync(user, model.Password);
            if (createdUser.Succeeded)
            {
                RedirectToAction("Confirm");
            }
        }
        return View();
    }
}
    我知道这与IAM的政策有关,但我无法确定我缺少的确切设置。有人可以帮忙吗?

    您的用户不是管理员添加到IAM uesrs权限管理员访问您的用户不是管理员添加到IAM uesrs权限管理员访问转到IAM用户,选择用户,单击“添加内联策略”,查找服务“Cognito用户池”,搜索操作“DescribeUserPool”,添加用户池arn,创建策略

    转到IAM用户,选择用户,单击“添加内联策略”,查找服务“Cognito用户池”,搜索操作“DescribeUserPool”,添加用户池arn,创建策略

    public class Accounts : Controller
{
    SignInManager<CognitoUser> _signInManager;
    UserManager<CognitoUser> _userManager;
    CognitoUserPool _pool;

    public Accounts(SignInManager<CognitoUser> signInManager, UserManager<CognitoUser> 
      userManager, CognitoUserPool pool)
    {
        _signInManager = signInManager;
        _userManager = userManager;
        _pool = pool;
    }


    [HttpPost]
    public async Task<IActionResult> SignUp(SignupModel model)
    {
        if (ModelState.IsValid)
        {
            var user = _pool.GetUser(model.Email);
            if (user.Status != null)
            {
                ModelState.AddModelError("UserExists", "User with this email already exists");
                return View(model);
            }

            user.Attributes.Add(CognitoAttribute.Name.AttributeName, model.Email);
            var createdUser = await _userManager.CreateAsync(user, model.Password);
            if (createdUser.Succeeded)
            {
                RedirectToAction("Confirm");
            }
        }
        return View();
    }
}

    AmazonCognitoIdentityProviderException: User: arn:aws:iam::777844316068:user/xxxx is not authorized to perform: cognito-idp:DescribeUserPool on resource: arn:aws:cognito-idp:us-east-2:777844316068:userpool/us-east-2_115WHTcaH