iOS Cognito - Access to Identity is forbidden
Tags: ios, amazon-web-services, amazon-s3, amazon-cognito, amazon-mobile-analytics
I am trying to understand Amazon Cognito and to list the contents of an S3 folder after logging in through Facebook. The Facebook login works fine. When I tap the test button (cmdTestS3Tapped), it throws the error below. I included AmazonClientManager.h, AmazonClientManager.m and Constants.h from the sample provided by Amazon in the project. The constants are given below. Can anyone help me solve this problem?
#define AWSAccountID @"MyAccountID"
#define CognitoPoolID @"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
#define CognitoRoleAuth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
#define CognitoRoleUnauth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
This is the policy on the role Cognito_iOSTestPoolAuth_DefaultRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
Here is the trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}
Here is the code I am using:
- (IBAction)cmdLoginWithFB:(id)sender {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
    [self disableUI];
    [[AmazonClientManager sharedInstance] loginFromView:self.view withCompletionHandler:^(NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];
}

- (void)refreshUI {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
    //self.browseDataButton.enabled = YES;
    self.cmdLoginWithFB.enabled = YES;
    if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
        self.cmdLoginWithFB.titleLabel.text = @"Link";
        NSLog(@"-----------LOGGED IN -------------->");
    }
    else {
        self.cmdLoginWithFB.titleLabel.text = @"Login";
        NSLog(@"-----------NOT LOGGED IN -------------->");
    }
    self.cmdLogoutWipe.enabled = [[AmazonClientManager sharedInstance] isLoggedIn];
}

- (IBAction)cmdTestS3Tapped:(id)sender {
    if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
        NSLog(@"-----------LOGGED IN -------------->");
        [self testListBucket];
    }
    else {
        NSLog(@"-----------NOT LOGGED IN -------------->");
    }
}

- (void)testListBucket {
    AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
    getObjectRequest.key = @"image1.jpg";
    getObjectRequest.bucket = @"multix-test";
    NSLog(@"============================================>");
    //default service has been configured previously
    //AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];
    AWSS3 *s3 = [AWSS3 defaultS3];
    [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
        if (task.error) {
            NSLog(@"Error: %@", task.error);
        }
        else {
            NSLog(@"Got File");
            NSData *data = [task.result body];
            NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            NSURL *url = [[NSURL alloc] initWithString:urlString];
            if ([[UIApplication sharedApplication] canOpenURL:url]) {
                [[UIApplication sharedApplication] openURL:url];
            }
        }
        return nil;
    }];
    NSLog(@"============================================>");
}
Error:

Answer:
I think the trust relationship is incorrect. It should be
    "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
    }
because your users are authenticated through Facebook. The trust relationship you provided applies to unauthenticated users.
For more details on Cognito, roles and trust relationships, see Bob's three-part blog:
Part 1:
Part 2:
Part 3:

Answer:
The error "Access to Identity is forbidden" is usually caused by not including the login provider's (FB) token on the credentials provider. You did not include the code that handles the FB login, but I would make sure you are setting the token correctly on the AWSCognitoCredentialsProvider and setting that provider as the default.

Comment:
Note that this is still important, because if you use the wrong role you may run into STS errors later.

Comment (asker):
Thanks Bob & Sebastien. The problem was that I forgot to put the following code in viewDidLoad:
    [[AmazonClientManager sharedInstance] resumeSessionWithCompletionHandler:^(NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];

Comment (asker):
Does this mean that before every AWS API call the AWSCognitoCredentialsProvider logins property should match the linked logins shown in the identity browser?

Comment:
@BaSha the credentials provider starts a refresh flow at least once an hour.
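As an added example (not code from the question or the answers), a Python check that encodes what the first answer says about the trust relationship: Cognito can only assume an identity pool role when the Federated principal, the aud condition (the pool id) and the amr condition (authenticated versus unauthenticated) all match the role's purpose. Run against the trust policy posted in the question as the authenticated role, it reports the amr mismatch; it also refuses any policy with a key repeated inside one object, which is what the question's role policy contained. The pool id is the placeholder from the question.

```python
import json

POOL_ID = "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"  # placeholder pool id from the question


def _reject_duplicate_keys(pairs):
    """json.loads hook: a key repeated inside one object (the question's role
    policy had "Effect" twice) is a paste error, so refuse to evaluate it."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError("duplicate key %r in policy" % key)
        obj[key] = value
    return obj


def check_trust_policy(policy_text, pool_id, expected_amr):
    """Findings for an identity pool role's trust policy; an empty list means it matches.
    expected_amr is "authenticated" for the auth role, "unauthenticated" for the unauth role."""
    findings = []
    policy = json.loads(policy_text, object_pairs_hook=_reject_duplicate_keys)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            findings.append("principal is not cognito-identity.amazonaws.com")
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud != pool_id:
            findings.append("aud %r does not match the pool id %r" % (aud, pool_id))
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != expected_amr:
            findings.append("amr is %r but this role is meant for %r users" % (amr, expected_amr))
    return findings


# Constructed copy of the trust relationship posted in the question.
QUESTION_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "", "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"cognito-identity.amazonaws.com:aud": "%s"},
      "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}}}]
}""" % POOL_ID

if __name__ == "__main__":
    # Checked as the authenticated role (CognitoRoleAuth): the only finding is the amr mismatch.
    for finding in check_trust_policy(QUESTION_TRUST_POLICY, POOL_ID, "authenticated"):
        print("finding:", finding)
```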