【发布时间】:2023-01-24 02:52:07
【问题描述】:
给定一个这样定义的桶
const documentsBucket = new s3.Bucket(
this,
"documents-bucket",
{
bucketName: "documents-bucket",
}
);
和这样定义的用户池和客户端
const userPool = new cognito.UserPool(this, "domain-userpool", {
mfa: cognito.Mfa.OFF,
removalPolicy: cdk.RemovalPolicy.DESTROY,
signInAliases: {
email: true,
},
autoVerify: {
email: true,
},
selfSignUpEnabled: true,
accountRecovery: cognito.AccountRecovery.EMAIL_ONLY,
});
const userPoolClient = userPool.addClient(
"domain-userpool-client",
{
disableOAuth: true,
authFlows: {
userPassword: true,
},
supportedIdentityProviders: [
cognito.UserPoolClientIdentityProvider.COGNITO,
],
accessTokenValidity: cdk.Duration.days(1),
idTokenValidity: cdk.Duration.days(1),
refreshTokenValidity: cdk.Duration.days(30),
}
);
我如何允许该用户池中的用户在 cdk 中从该存储桶中读取?
我尝试定义一个 iam 策略声明,但我不知道如何将它附加到用户池:(
const readAccess = new iam.PolicyStatement({
actions: ["s3:GetObject", "s3:ListBucket"],
resources: [
documentsBucket.bucketArn,
`${documentsBucket.bucketArn}/*`,
],
});
谢谢!
【问题讨论】:
标签: typescript amazon-web-services aws-cdk