Ios AWSApigateway客户端总是导致未经授权的

当使用amazon为AWSAPIGatewayClient生成的代码时，我总是得到

消息=未经授权

作为回应

这可能是什么原因

AppDelegate

AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1
                                                                                                identityPoolId:CognitoPoolId
                                                                                       identityProviderManager:pool];

AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:CognitoIdentityUserPoolRegion
                                                                            credentialsProvider:credentialsProvider];
AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = serviceConfiguration;

AWSCognitoIdentityUserPoolConfiguration *configuration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:CognitoIdentityUserPoolAppClientId
                                                                                                              clientSecret:CognitoIdentityUserPoolAppClientSecret
                                                                                                                    poolId:CognitoIdentityUserPoolId];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration
                                                       userPoolConfiguration:configuration
                                                                      forKey:@"UserPool"];

AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1
                                                                            credentialsProvider:nil];
AWSCognitoIdentityUserPoolConfiguration *userPoolConfiguration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:@"YOUR_CLIENT_ID"
                                                                                                                      clientSecret:@"YOUR_CLIENT_SECRET"
                                                                                                                            poolId:@"YOUR_USER_POOL_ID"];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration
                                                       userPoolConfiguration:userPoolConfiguration forKey:@"UserPool"];
AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
                                                      initWithRegionType:AWSRegionUSEast1
                                                      identityPoolId:@"YOUR_IDENTITY_POOL_ID"
                                                      identityProviderManager:pool];

视图控制器

[[[AWSPrjctRtClient defaultClient] suggestionsGet] continueWithBlock:^id _Nullable(AWSTask * _Nonnull task) {

        NSLog(@"%@", task.error);
        return nil;
}];

导致

2017-04-07 16:02:24.386 xxxx[38051:1025018] Error Domain=com.amazonaws.AWSAPIGatewayErrorDomain Code=1 "(null)" UserInfo={HTTPBody={
message = Unauthorized;

---

响应看起来像API网关资源配置为使用Cognito用户池进行授权，但您的代码实际上使用Cognito联合身份。反过来，联合身份要求API网关使用AWS_IAM授权人，使用IAM角色管理对资源的访问

我建议您执行以下步骤：

跟着。基本上，在Cognito Federated Identifications中，配置一个身份池以使用您的用户池作为其身份验证提供者之一。（您可能已经这样做了）

在方法请求/设置/授权下检查API网关资源的授权。将其设置为AWS_IAM。不要忘记重新部署新配置的API，并导出新的SDK

您的身份池将需要两个IAM角色，用于对AWS服务进行未经身份验证和身份验证的访问。您必须向您的角色添加一个策略，以指定对AWS服务的访问权限，在这种情况下，您需要授予

“execute api:Invoke”

对经过身份验证的角色的访问权限（可能仅限于此）。我建议为此使用策略生成器，并确保将策略的ARN设置为仅用于您要授予访问权限的资源，否则可能会访问所有API网关资源

至于iOS SDK端的配置，请确保使用指南中的代码（如下所示），您的代码似乎略有不同。我发现这个错误会导致一系列令人困惑的错误，这些错误会让你从各种错误的方向寻找解决方案

添加到AppDelegate

AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1
                                                                                                identityPoolId:CognitoPoolId
                                                                                       identityProviderManager:pool];

AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:CognitoIdentityUserPoolRegion
                                                                            credentialsProvider:credentialsProvider];
AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = serviceConfiguration;

AWSCognitoIdentityUserPoolConfiguration *configuration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:CognitoIdentityUserPoolAppClientId
                                                                                                              clientSecret:CognitoIdentityUserPoolAppClientSecret
                                                                                                                    poolId:CognitoIdentityUserPoolId];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration
                                                       userPoolConfiguration:configuration
                                                                      forKey:@"UserPool"];

AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1
                                                                            credentialsProvider:nil];
AWSCognitoIdentityUserPoolConfiguration *userPoolConfiguration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:@"YOUR_CLIENT_ID"
                                                                                                                      clientSecret:@"YOUR_CLIENT_SECRET"
                                                                                                                            poolId:@"YOUR_USER_POOL_ID"];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration
                                                       userPoolConfiguration:userPoolConfiguration forKey:@"UserPool"];
AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
                                                      initWithRegionType:AWSRegionUSEast1
                                                      identityPoolId:@"YOUR_IDENTITY_POOL_ID"
                                                      identityProviderManager:pool];

不过还有一个重要的补充！起初我发现这一点特别令人困惑，但在上面的代码中，您初始化了

AWSServiceConfiguration

，将

credentialsProvider

设置为

nil

，以便注册

AWSCognitoIdentityUserPool

。但是，您需要初始化一个新的

AWSServiceConfiguration

，该配置引用您的凭据提供程序，以分配给您的

AWSServiceManager.defaultServiceManager.defaultServiceConfiguration

。像这样：

AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:CognitoUserPoolRegion
                                                                                                  credentialsProvider:credentialsProvider];

上述步骤最终使我成功地将Cognito用户池与联邦身份集成，以允许访问API网关资源。这个过程涉及到一些关于哪些服务具体做什么的混淆，以及将来自不同指南的代码拼凑在一起。我希望这有帮助

---

请注意，您也可以不使用联合身份，而让API直接使用用户池进行授权。但我在这方面没有成功。此外，如果您愿意，联邦身份将允许您在以后添加其他授权人

您的身份池是否具有未经授权的访问权限？此外，您的API是否允许未经授权的访问？获取此代码的以下错误。Message=“用户：arn:aws:sts:：XXXX85095:假定角色/XXXXXX(未经授权)移动hub(XXXX039892/CognitoIdentityCredentials未被授权执行：执行api:Invoke on resource:arn:aws:execute api:ap-souther-1:*************5095:xxxxxxu7mj/Dev/POST/XXXXX，并带有明确的拒绝”@你找到解决办法了吗？