【发布时间】:2017-06-14 00:46:35
【问题描述】:
这可能是一个人为的例子,但我试图理解为什么通过 Cognito 识别检索的临时 AccessKeyId / SecretAccessKey 不允许我访问像 S3 这样的 AWS 服务。
从节点应用程序中,我正在像这样对用户进行身份验证(如 https://github.com/aws/amazon-cognito-identity-js 中所述):
var authenticationData = {
Username : params.Username,
Password : params.Password,
};
var authenticationDetails = new AWSCognito.AuthenticationDetails(authenticationData);
var poolData = {
UserPoolId : params.UserPoolId,
ClientId : params.ClientId
};
var userPool = new AWSCognito.CognitoUserPool(poolData);
var userData = {
Username : params.Username,
Pool : userPool
};
var cognitoUser = new AWSCognito.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: function (result) {
cognitoUserPoolLoginProvider = 'cognito-idp.' + params.AWSRegion + '.amazonaws.com/' + params.UserPoolId;
var logins = {};
logins[cognitoUserPoolLoginProvider] = result.getIdToken().getJwtToken();
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId : params.IdentityPoolId,
Logins : logins
});
AWS.config.update({region: params.AWSRegion});
AWS.config.credentials.get(function(err) {
if (err) {
callback(err, null);
console.log(AWS.config.credentials);
} else {
var creds = {
AccessKeyId: AWS.config.credentials.accessKeyId,
SecretAccessKey: AWS.config.credentials.secretAccessKey,
SessionToken: AWS.config.credentials.sessionToken,
}
callback(null, creds);
}
});
},
onFailure: function(err) {
callback(err, null);
},
});
在我的身份池中提供用户的有效用户名/密码时,我会得到:
- accessKeyId
- 秘密访问密钥
- 会话令牌
到目前为止一切顺利。
我假设accessKeyId 和secretAccessKey 将是可用于代表该用户访问服务的临时(有时间限制的)AWS 凭证。
但是,当我将 AWS CLI (aws configure) 配置为访问 AWS 服务时,出现以下错误:
{ [InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.]
message: 'The AWS Access Key Id you provided does not exist in our records.',
code: 'InvalidAccessKeyId',
region: null,
time: Sat Jan 28 2017 11:52:10 GMT+0100 (CET),
requestId: '68BB8C46F7BC195D',
extendedRequestId: '4Z6d+MCRIiZ1CtApQfphbkWPBCO/jpI0DXqyfK5/5yKaYqwDj/OAhCgy6UJdACyuIs5UxqLPfZk=',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 90.96230010036379 }
为什么这个 AWS 访问密钥不被视为有效密钥?
【问题讨论】:
标签: security amazon-web-services amazon-cognito