【Question title】: How to add access to s3 bucket for userpool
【Posted】: 2023-01-24 02:52:07
【Question】:

Given a bucket defined like this

    import * as cdk from "aws-cdk-lib";
    import * as s3 from "aws-cdk-lib/aws-s3";
    import * as cognito from "aws-cdk-lib/aws-cognito";
    import * as iam from "aws-cdk-lib/aws-iam";

    const documentsBucket = new s3.Bucket(this, "documents-bucket", {
        bucketName: "documents-bucket",
    });

and a user pool and client defined like this

    const userPool = new cognito.UserPool(this, "domain-userpool", {
        mfa: cognito.Mfa.OFF,
        removalPolicy: cdk.RemovalPolicy.DESTROY,
        signInAliases: {
            email: true,
        },
        autoVerify: {
            email: true,
        },
        selfSignUpEnabled: true,
        accountRecovery: cognito.AccountRecovery.EMAIL_ONLY,
    });

    const userPoolClient = userPool.addClient("domain-userpool-client", {
        disableOAuth: true,
        authFlows: {
            userPassword: true,
        },
        supportedIdentityProviders: [
            cognito.UserPoolClientIdentityProvider.COGNITO,
        ],
        accessTokenValidity: cdk.Duration.days(1),
        idTokenValidity: cdk.Duration.days(1),
        refreshTokenValidity: cdk.Duration.days(30),
    });

How do I allow users in that user pool to read from that bucket, in CDK?

I tried defining an IAM policy statement, but I don't know how to attach it to the user pool :(

    const readAccess = new iam.PolicyStatement({
        actions: ["s3:GetObject", "s3:ListBucket"],
        resources: [
            documentsBucket.bucketArn,
            `${documentsBucket.bucketArn}/*`,
        ],
    });

Thanks!

【Discussion】:

    Tags: typescript amazon-web-services aws-cdk


    【Answer 1】:

    You will need to add roles using an IdentityPool so that authenticated users can access AWS resources. The code below is for CDK v2; you will need to use the @aws-cdk/aws-cognito-identitypool-alpha package.

        import { IdentityPool, UserPoolAuthenticationProvider } from '@aws-cdk/aws-cognito-identitypool-alpha';

        // Identity pool that exchanges user pool tokens for AWS credentials
        const identityPool = new IdentityPool(this, 'IdentityPoolDemo', {
          identityPoolName: 'IdentityPoolDemo',
          authenticationProviders: {
            userPools: [
              new UserPoolAuthenticationProvider({
                userPool,
                userPoolClient: userPoolClient
              })
            ]
          }
        })

        // this identity pool can access s3
        // grantReadWrite already includes read access, so the grantRead call after it is
        // redundant; for the read-only access asked about, grantRead alone is the
        // least-privilege choice
        documentsBucket.grantReadWrite(identityPool.authenticatedRole)
        documentsBucket.grantRead(identityPool.authenticatedRole)


    【Discussion】:
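    The answer grants the whole bucket to every authenticated user. The following is an added example, not code from the question or the answer: it builds, as a plain object so it runs without CDK, the read-only policy document you would instead attach to the identity pool's authenticated role to confine each Cognito user to their own prefix, together with a helper that flags broader grants. The IAM policy variable ${cognito-identity.amazonaws.com:sub} is real; the bucket ARNs are constructed samples.

```typescript
// Added example (not from the question or answer): the read-only, per-user S3
// policy the identity pool's authenticated role needs, built as a plain object
// so it runs offline, plus a helper that flags broader grants (e.g. read/write).
// ${cognito-identity.amazonaws.com:sub} is the real IAM variable for the
// caller's Cognito identity id; bucket ARNs are constructed samples.

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
  Condition?: { StringLike?: Record<string, string[]> };
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };
const IDENTITY_SUB = "${cognito-identity.amazonaws.com:sub}"; // IAM substitutes the identity id

// Read-only access limited to objects under <identity-id>/ in the bucket.
function perIdentityReadPolicy(bucketArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { // listing only the caller's own prefix
        Effect: "Allow",
        Action: ["s3:ListBucket"],
        Resource: [bucketArn],
        Condition: { StringLike: { "s3:prefix": [`${IDENTITY_SUB}/*`] } },
      },
      { // reading only objects under the caller's own prefix
        Effect: "Allow",
        Action: ["s3:GetObject"],
        Resource: [`${bucketArn}/${IDENTITY_SUB}/*`],
      },
    ],
  };
}

// Flags Allow statements that grant writes, reach objects outside the
// per-identity prefix, or list the bucket without an s3:prefix condition.
function findOverBroadStatements(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  const isWrite = (a: string) => /^s3:(Put|Delete|\*)/.test(a);
  const isList = (a: string) => /^s3:(ListBucket|List\*|\*)$/.test(a);
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    if (s.Action.some(isWrite)) findings.push(`write: ${s.Action.join(", ")}`);
    const objects = s.Resource.filter((r) => r.includes("/"));
    if (objects.some((r) => !r.includes(IDENTITY_SUB))) findings.push(`unscoped objects: ${objects.join(", ")}`);
    if (s.Action.some(isList) && !s.Condition?.StringLike?.["s3:prefix"]) findings.push("ListBucket without s3:prefix");
  }
  return findings;
}
```

    In CDK the same statements can be attached with `identityPool.authenticatedRole.addToPrincipalPolicy(new iam.PolicyStatement({...}))` in place of `grantReadWrite`; running `findOverBroadStatements` over the read/write grant's synthesized document shows the write actions and unscoped object ARNs it hands every user.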
