C# 无法使用Facebook AssumeRoleWithWebIdentity凭据访问AWS
短版 作为Facebook用户登录,我使用我的oAuth令牌来假设。它返回看起来有效的凭据,例如,有一个AccessKeyId和SecretAccessKey,其长度与我们的主密钥相似C# 无法使用Facebook AssumeRoleWithWebIdentity凭据访问AWS,c#,oauth,amazon-web-services,amazon-dynamodb,C#,Oauth,Amazon Web Services,Amazon Dynamodb,短版 作为Facebook用户登录,我使用我的oAuth令牌来假设。它返回看起来有效的凭据,例如,有一个AccessKeyId和SecretAccessKey,其长度与我们的主密钥相似 using (var tokenServiceClient = new AmazonSecurityTokenServiceClient(RegionEndpoint.USEast1)) { var request = new AssumeRoleWithWebIdentityRequest {
using (var tokenServiceClient = new AmazonSecurityTokenServiceClient(RegionEndpoint.USEast1))
{
var request = new AssumeRoleWithWebIdentityRequest
{
DurationSeconds = (int)TimeSpan.FromHours(1).TotalSeconds,
ProviderId = "graph.facebook.com",
RoleArn = "arn:aws:iam::193557284355:role/Facebook-OAuth",
RoleSessionName = result.id,
WebIdentityToken = FBClient.AccessToken
};
var response = tokenServiceClient.AssumeRoleWithWebIdentity(request);
AWSAssumedRoleUser = response.AssumeRoleWithWebIdentityResult.AssumedRoleUser;
AWSCredentials = response.AssumeRoleWithWebIdentityResult.Credentials;
}
当我尝试使用这些凭据访问DynamoDB表时,会出现以下两种异常之一:
“远程服务器返回错误:(400)请求错误。”
;或“请求中包含的安全令牌无效。”
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateItem"
],
"Sid": "Stmt1372350145000",
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
我如何获得凭据:
AmazonSecurityTokenServiceClient.AssumeRoleWithWebIdentity
using (var tokenServiceClient = new AmazonSecurityTokenServiceClient(RegionEndpoint.USEast1))
{
var request = new AssumeRoleWithWebIdentityRequest
{
DurationSeconds = (int)TimeSpan.FromHours(1).TotalSeconds,
ProviderId = "graph.facebook.com",
RoleArn = "arn:aws:iam::193557284355:role/Facebook-OAuth",
RoleSessionName = result.id,
WebIdentityToken = FBClient.AccessToken
};
var response = tokenServiceClient.AssumeRoleWithWebIdentity(request);
AWSAssumedRoleUser = response.AssumeRoleWithWebIdentityResult.AssumedRoleUser;
AWSCredentials = response.AssumeRoleWithWebIdentityResult.Credentials;
}
using (var client = new AmazonDynamoDBClient(AWSCredentials.AccessKeyId, AWSCredentials.SecretAccessKey, AWSCredentials.SessionToken, RegionEndpoint.USEast1))
{
var context = new DynamoDBContext(client);
var data = context.Scan<SomeData>();
}
当尝试扫描表时,返回“请求中包含的安全令牌无效。”
问题
在这一点上,我无法判断是什么问题,是凭据无效还是我没有将所有需要的信息传递给AWS
有人能告诉我哪里出了问题,或者我如何进一步调试这个问题吗?我在AWS论坛上交叉发布了我的问题,并收到了亚马逊工程师的答复
DynamoDBContext
对象调用目标表上的descripbetable
(并缓存此数据,因此为了获得最佳性能,您希望尽可能长时间地保留上下文对象,因此此调用仅对每个目标表执行一次)。按如下方式修改您的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateItem",
"dynamodb:DescribeTable"
],
"Sid": "Stmt1372350145000",
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}