C# Assume IAM role from Cognito group
Tags: c#, amazon-web-services, amazon-cognito, amazon-iam
Is it possible to assume the IAM role IAM-role1 that is linked to the Cognito group Cognito-group1 of the Cognito user Cognito-user1 in the Cognito user pool Cognito-user-pool1?
My configuration:
Cognito user pool Cognito-User-pool1:
- Cognito user Cognito-user1 belongs to Cognito-group1
- Cognito group Cognito-group1 has iam-role1 assigned
Cognito identity pool Cognito-Identity-pool1:
- Authentication provider: cognito-user-pool1
- Authenticated role = iam-role1
- IAM role IAM-role1 has a policy with read-only access to S3
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;

// Authenticate cognito-user1 against the user pool with the SRP flow.
AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient();
CognitoUserPool userPool = new CognitoUserPool("user-pool-id", "client-id", provider);
CognitoUser user = new CognitoUser("cognito-user1", "client-id", userPool, provider);
InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
{
    Password = "cognito-password1"
};
// Must run inside an async method; on success authResponse.AuthenticationResult
// carries the ID token whose claims the identity pool uses for role resolution.
AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest);
Then get credentials from the Cognito identity pool cognito-identity-pool1 that is linked to the Cognito user pool:
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.S3;

// GetCognitoAWSCredentials takes the identity pool ID ("region:guid"), not an ARN.
CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-id", RegionEndpoint.USEast1);
using (var client = new AmazonS3Client(credentials))
...
When a user is authenticated with the Cognito user pool, the ID token includes the Cognito groups and IAM roles:
  "cognito:groups": [
    "cognito-group1"
  ],
  "cognito:roles": [
    "arn:aws:iam::xxx:role/iam-role1"
  ],
We need to configure the Cognito identity pool to choose the role from the token when authenticating the user.
We also need to allow the Cognito identity pool to assume this role IAM-role1 by editing the trust relationship in the IAM role:
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
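As an added example (not code from the question or the answer), here are the two checks worth running after wiring a group to a role this way. It is in Python rather than the post's C# because it is a configuration check, not application code. First, which role the identity pool will hand out for a given ID token under "Choose role from token": cognito:preferred_role wins, otherwise a lone cognito:roles entry, otherwise the pool's role-resolution setting (default authenticated role, or deny). Second, whether the role's trust relationship is actually scoped to the identity pool: the policy quoted in the answer has no Condition block, so as written any identity pool in any AWS account can assume iam-role1; the hardened variant adds the cognito-identity.amazonaws.com:aud and :amr conditions. The identity pool ID, account number, role ARNs and token payload are placeholders constructed for the example, and the token is decoded without signature verification.

```python
import base64
import json
from typing import Dict, List, Optional

# Placeholder identifiers for this example (assumptions, not values from the post).
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
GROUP_ROLE_ARN = "arn:aws:iam::123456789012:role/iam-role1"
DEFAULT_AUTHENTICATED_ROLE = "arn:aws:iam::123456789012:role/Cognito_default_authenticated"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_fake_id_token(payload: Dict) -> str:
    """Build an UNSIGNED JWT-shaped token so the example runs offline.
    Real ID tokens are RS256-signed by the user pool; this one is not."""
    header = {"alg": "RS256", "kid": "example-kid"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "not-a-real-signature"])


def id_token_claims(id_token: str) -> Dict:
    """Decode the payload WITHOUT verifying the signature: fine for inspecting
    which cognito:groups / cognito:roles claims are present, never for authz."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def resolve_role(claims: Dict, fallback: str = "deny") -> Optional[str]:
    """Mirror the identity pool's "Choose role from token" resolution order:
    cognito:preferred_role if present; else the single cognito:roles entry if
    there is exactly one; else the role-resolution setting, i.e. the default
    authenticated role ("use-default") or no credentials ("deny" -> None)."""
    preferred = claims.get("cognito:preferred_role")
    if preferred:
        return preferred
    roles = claims.get("cognito:roles", [])
    if len(roles) == 1:
        return roles[0]
    return DEFAULT_AUTHENTICATED_ROLE if fallback == "use-default" else None


def trust_policy_issues(policy: Dict, identity_pool_id: str) -> List[str]:
    """Flag Allow statements for cognito-identity.amazonaws.com that lack the
    aud condition (any identity pool in any account could assume the role)
    or the amr=authenticated condition (guest identities could assume it)."""
    issues = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or principal.get("Federated") != "cognito-identity.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        auds = aud if isinstance(aud, list) else ([aud] if aud else [])
        if not auds:
            issues.append("missing aud condition: any identity pool can assume this role")
        elif identity_pool_id not in auds:
            issues.append("aud condition names a different identity pool: %s" % auds)
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != "authenticated":
            issues.append("missing amr=authenticated condition: guest identities can assume this role")
    return issues


# Constructed claims shaped like the token excerpt in the answer; a real token for
# a user whose group carries a role also includes cognito:preferred_role.
SAMPLE_ID_TOKEN = make_fake_id_token({
    "sub": "00000000-0000-0000-0000-000000000000",
    "token_use": "id",
    "cognito:groups": ["cognito-group1"],
    "cognito:roles": [GROUP_ROLE_ARN],
    "cognito:preferred_role": GROUP_ROLE_ARN,
})

# The trust relationship as quoted in the answer: Allow with no Condition.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

# Same statement scoped to this identity pool and to authenticated identities only.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}
```

Feed id_token_claims() the IdToken from authResponse.AuthenticationResult to see which group role the pool will resolve, and run trust_policy_issues() against the trust policy of every role that appears in cognito:roles. A role whose aud condition names a different pool will fail role resolution at GetCredentialsForIdentity; a role with no condition at all works, but is assumable from identity pools you do not own.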