C# 从Cognito group担任IAM角色

是否可以假设IAM角色

IAM-role1

链接到Cognito用户池

Cognito-user-pool1

中Cognito用户

Cognito-user1

的Cognito组

Cognito-group1

我的配置：

Cognito用户池

Cognito-User-pool1

：

CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-arn", RegionEndpoint.USEast1); 
using (var client = new AmazonS3Client(credentials))
...

• Cognito用户

  Cognito-user1

  属于

  Cognito-group1

• Cognito组

  Cognito-group1

  已分配给

  iam-role1

Cognito标识池

Cognito-Identity-pool1

：

CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-arn", RegionEndpoint.USEast1); 
using (var client = new AmazonS3Client(credentials))
...

• 身份验证提供者：

  cognito-user-pool1

• 已验证的角色=

  iam-role1

IAM：

• IAM角色

  IAM-role1

  具有只读访问S3的策略

此代码允许我对Cognito用户池进行身份验证：

AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient();
            CognitoUserPool userPool = new CognitoUserPool("user-pool-id", "client-id", provider);
            CognitoUser user = new CognitoUser("cognito-user1", "client-id", userPool, provider);
            InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
            {
                Password = "cognito-password1"
            };

            AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest);

然后从链接到cognito用户池的cognito标识池

cognito-identity-pool1

中获取凭据：

CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-arn", RegionEndpoint.USEast1); 
using (var client = new AmazonS3Client(credentials))
...

---

当使用Cognito用户池对用户进行身份验证时，id令牌包括Cognito组和iam角色：

"cognito:groups": [
    "cognito-group1"
  ],
"cognito:roles": [
    "arn:aws:iam::xxx:role/iam-role1"
  ],

我们需要配置Cognito标识池，以便在对用户进行身份验证时从令牌中选择角色：

我们还需要允许Cognito标识池通过编辑IAM角色中的信任关系来承担此角色

IAM-role1

：

{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}