Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/amazon-web-services/12.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Java:未被授权执行sts:AssumeRoleWithWebIdentity cognito用户池_Java_Amazon Web Services_Amazon Iam_Amazon Cognito - Fatal编程技术网
Fatal编程技术网
  • java/
  • Java:未被授权执行sts:AssumeRoleWithWebIdentity cognito用户池

Java:未被授权执行sts:AssumeRoleWithWebIdentity cognito用户池

java amazon-web-services

Java:未被授权执行sts:AssumeRoleWithWebIdentity cognito用户池,java,amazon-web-services,amazon-iam,amazon-cognito,Java,Amazon Web Services,Amazon Iam,Amazon Cognito,我正在使用AWS Cogito服务使用AWS Java SDK从Cognoto获取用户凭据 我跟着 https://mobile.awsblog.com/post/TxBVEDL5Z8JKAC/Use-Amazon-Cognito-in-your-website-for-simple-AWS-authentication编写使用cognito用户池对用户进行身份验证的代码 在编写代码之前,我配置了cognito用户池,并使用以下池配置字段将其命名为demo Pool Id us-east-1_G

我正在使用AWS Cogito服务使用AWS Java SDK从Cognoto获取用户凭据

我跟着 
https://mobile.awsblog.com/post/TxBVEDL5Z8JKAC/Use-Amazon-Cognito-in-your-website-for-simple-AWS-authentication
编写使用cognito用户池对用户进行身份验证的代码

在编写代码之前,我配置了cognito用户池,并使用以下池配置字段将其命名为demo

Pool Id us-east-1_GUbY6qQ1v
Pool ARN arn:aws:cognito-idp:us-east-1:049428796662:userpool/us-east-1_GUbY6qQ1v
我在上面使用了创建的标识池,以满足联邦标识池的需要,如所附图片所示

现在回到代码,我编写了以下函数来检索用户标识并将其缓存,以便在相同标识登录时,不会重复对GetID()函数的调用

public UserIdentity getUserIdentity(User user) throws AuthorizationException {
if (user == null || user.getUsername() == null || user.getUsername().trim().equals("")) {
  throw new AuthorizationException("Invalid user");
}
AmazonCognitoIdentity identityClient = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials());

GetIdRequest idRequest = new GetIdRequest();
idRequest.setAccountId(CognitoConfiguration.AWS_ACCOUNT_ID);
idRequest.setIdentityPoolId(CognitoConfiguration.IDENTITY_POOL_ID);

GetIdResult idResp = identityClient.getId(idRequest);

if (idResp == null) {
  throw new AuthorizationException("Empty GetOpenIdToken response");
}

GetOpenIdTokenRequest tokenRequest = new GetOpenIdTokenRequest();
tokenRequest.setIdentityId(idResp.getIdentityId());

GetOpenIdTokenResult tokenResp = identityClient.getOpenIdToken(tokenRequest);
UserIdentity identity = new UserIdentity();
identity.setIdentityId(idResp.getIdentityId());
identity.setOpenIdToken(tokenResp.getToken());
return identity;
}

用户类包含带有getOpenIdToken的字段标识,当从cognito请求凭据时,将检索该令牌

public AWSSessionCredentials getUserCredentials(User user) throws AuthorizationException {
if (user == null || user.getCognitoIdentityId() == null || user.getCognitoIdentityId().trim().equals("")) {
  throw new AuthorizationException("Invalid user");
}

AWSSecurityTokenService stsClient = new AWSSecurityTokenServiceClient(new AnonymousAWSCredentials());
AssumeRoleWithWebIdentityRequest stsReq = new AssumeRoleWithWebIdentityRequest();
stsReq.setRoleArn(user.getUserRole());
System.out.println("The received get open id token is: " + user.getIdentity().getOpenIdToken());
stsReq.setWebIdentityToken(user.getIdentity().getOpenIdToken());
stsReq.setRoleSessionName("FassetTestSession");

AssumeRoleWithWebIdentityResult stsResp = stsClient.assumeRoleWithWebIdentity(stsReq);
Credentials stsCredentials = stsResp.getCredentials();

// Create the session credentials object
AWSSessionCredentials sessionCredentials = new BasicSessionCredentials(
    stsCredentials.getAccessKeyId(),
    stsCredentials.getSecretAccessKey(),
    stsCredentials.getSessionToken()
);
// save the timeout for these credentials 
Date sessionCredentialsExpiration = stsCredentials.getExpiration();
return sessionCredentials;
}

用户类的相关部分如下所示

public class User {
  private UserIdentity identity;
  public String getCognitoIdentityId() {
    if (this.identity == null) {
      return null;
    }
    return this.identity.getIdentityId();
  }

  public void setCognitoIdentityId(String cognitoIdentityId) {
    if (this.identity == null) {
      this.identity = new UserIdentity();
    }
    this.identity.setIdentityId(cognitoIdentityId);
  }
}

行ASSUMEROLEWITHEBIDENTYRESULT stsResp=stsClient.ASSUMEROLEWITHEBIDENTY(stsReq)返回一个403禁止的错误,下面是一行

    2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "  <Error>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "    <Type>Sender</Type>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "    <Code>AccessDenied</Code>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "    <Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "  </Error>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "  <RequestId>fe4edd9f-913e-11e6-85cd-45155b40299e</RequestId>[\n]"
用户角色的信任权限为:

   {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxxxxxxxxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": [
            "accounts.google.com",
            "graph.facebook.com",
            "authenticated"
          ]
        }
      }
    }
  ]
}
其中us-east-1:xxxxxxxxxxxxxx是管理社交和cognito用户池的用户身份池id

我已经浏览了很多这样的博客,其中列出了信任权限和cognito用户池,以了解上述问题,但徒劳无功,如果有人能在上述问题上帮助我,我将不胜感激。

在调用GetId时,您没有在登录映射中传递用户池用户的id令牌。您需要在GetIdRequest上调用setLogins,其中包含cognito idp.us-east-1.amazonaws.com/us-east-1\u您的用户\u pool\u id作为键,用户池用户的id令牌作为值

由于您尚未通过此登录映射,因此您获得的身份是未经身份验证的身份,并且您的角色策略中只允许经过身份验证的用户

另见: