Ios AWSApigateway客户端总是导致未经授权的
当使用amazon为AWSAPIGatewayClient生成的代码时,我总是得到 消息=未经授权 作为回应 这可能是什么原因 AppDelegateIos AWSApigateway客户端总是导致未经授权的,ios,objective-c,amazon-web-services,aws-api-gateway,Ios,Objective C,Amazon Web Services,Aws Api Gateway,当使用amazon为AWSAPIGatewayClient生成的代码时,我总是得到 消息=未经授权 作为回应 这可能是什么原因 AppDelegate AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"]; AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCr
AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1
identityPoolId:CognitoPoolId
identityProviderManager:pool];
AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:CognitoIdentityUserPoolRegion
credentialsProvider:credentialsProvider];
AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = serviceConfiguration;
AWSCognitoIdentityUserPoolConfiguration *configuration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:CognitoIdentityUserPoolAppClientId
clientSecret:CognitoIdentityUserPoolAppClientSecret
poolId:CognitoIdentityUserPoolId];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration
userPoolConfiguration:configuration
forKey:@"UserPool"];
AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1
credentialsProvider:nil];
AWSCognitoIdentityUserPoolConfiguration *userPoolConfiguration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:@"YOUR_CLIENT_ID"
clientSecret:@"YOUR_CLIENT_SECRET"
poolId:@"YOUR_USER_POOL_ID"];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration
userPoolConfiguration:userPoolConfiguration forKey:@"UserPool"];
AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
initWithRegionType:AWSRegionUSEast1
identityPoolId:@"YOUR_IDENTITY_POOL_ID"
identityProviderManager:pool];
视图控制器
[[[AWSPrjctRtClient defaultClient] suggestionsGet] continueWithBlock:^id _Nullable(AWSTask * _Nonnull task) {
NSLog(@"%@", task.error);
return nil;
}];
导致
2017-04-07 16:02:24.386 xxxx[38051:1025018] Error Domain=com.amazonaws.AWSAPIGatewayErrorDomain Code=1 "(null)" UserInfo={HTTPBody={
message = Unauthorized;
响应看起来像API网关资源配置为使用Cognito用户池进行授权,但您的代码实际上使用Cognito联合身份。反过来,联合身份要求API网关使用AWS_IAM授权人,使用IAM角色管理对资源的访问 我建议您执行以下步骤:
“execute api:Invoke”
对经过身份验证的角色的访问权限(可能仅限于此)。我建议为此使用策略生成器,并确保将策略的ARN设置为仅用于您要授予访问权限的资源,否则可能会访问所有API网关资源AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1
identityPoolId:CognitoPoolId
identityProviderManager:pool];
AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:CognitoIdentityUserPoolRegion
credentialsProvider:credentialsProvider];
AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = serviceConfiguration;
AWSCognitoIdentityUserPoolConfiguration *configuration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:CognitoIdentityUserPoolAppClientId
clientSecret:CognitoIdentityUserPoolAppClientSecret
poolId:CognitoIdentityUserPoolId];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration
userPoolConfiguration:configuration
forKey:@"UserPool"];
AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1
credentialsProvider:nil];
AWSCognitoIdentityUserPoolConfiguration *userPoolConfiguration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:@"YOUR_CLIENT_ID"
clientSecret:@"YOUR_CLIENT_SECRET"
poolId:@"YOUR_USER_POOL_ID"];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration
userPoolConfiguration:userPoolConfiguration forKey:@"UserPool"];
AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
initWithRegionType:AWSRegionUSEast1
identityPoolId:@"YOUR_IDENTITY_POOL_ID"
identityProviderManager:pool];
不过还有一个重要的补充!起初我发现这一点特别令人困惑,但在上面的代码中,您初始化了AWSServiceConfiguration
,将credentialsProvider
设置为nil
,以便注册AWSCognitoIdentityUserPool
。但是,您需要初始化一个新的AWSServiceConfiguration
,该配置引用您的凭据提供程序,以分配给您的AWSServiceManager.defaultServiceManager.defaultServiceConfiguration
。像这样:
AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:CognitoUserPoolRegion
credentialsProvider:credentialsProvider];
上述步骤最终使我成功地将Cognito用户池与联邦身份集成,以允许访问API网关资源。这个过程涉及到一些关于哪些服务具体做什么的混淆,以及将来自不同指南的代码拼凑在一起。我希望这有帮助
请注意,您也可以不使用联合身份,而让API直接使用用户池进行授权。但我在这方面没有成功。此外,如果您愿意,联邦身份将允许您在以后添加其他授权人 您的身份池是否具有未经授权的访问权限?此外,您的API是否允许未经授权的访问?获取此代码的以下错误。Message=“用户:arn:aws:sts::XXXX85095:假定角色/XXXXXX(未经授权)移动hub(XXXX039892/CognitoIdentityCredentials未被授权执行:执行api:Invoke on resource:arn:aws:execute api:ap-souther-1:*************5095:xxxxxxu7mj/Dev/POST/XXXXX,并带有明确的拒绝”@你找到解决办法了吗?