Cognito – Access to Identity is forbidden

I am trying to understand Amazon Cognito and to list the contents of an S3 folder after a Facebook login. The Facebook login works fine. When I tap the test button (cmdTestS3Tapped) it throws the error below.

I included AmazonClientManager.h, AmazonClientManager.m and Constants.h from the example provided by Amazon. The constants are given below. Can anyone help me solve this problem?

    #define AWSAccountID @"MyAccountID"
    #define CognitoPoolID @"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
    #define CognitoRoleAuth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
    #define CognitoRoleUnauth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"

This is the role – Cognito_iOSTestPoolAuth_DefaultRole

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "mobileanalytics:PutEvents",
            "cognito-sync:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        }
      ]
    }

This is the trust relationship

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "unauthenticated"
            }
          }
        }
      ]
    }

This is the code I am using

    - (IBAction)cmdLoginWithFB:(id)sender {
        [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
        [self disableUI];
        [[AmazonClientManager sharedInstance] loginFromView:self.view withCompletionHandler:^(NSError *error) {
            dispatch_async(dispatch_get_main_queue(), ^{
                [self refreshUI];
            });
        }];
    }

    - (void)refreshUI {
        [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
        //self.browseDataButton.enabled = YES;
        self.cmdLoginWithFB.enabled = YES;
        if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
            self.cmdLoginWithFB.titleLabel.text = @"Link";
            NSLog(@"-----------LOGED IN -------------->");
        } else {
            self.cmdLoginWithFB.titleLabel.text = @"Login";
            NSLog(@"-----------NOT LOGED IN -------------->");
        }
        self.cmdLogoutWipe.enabled = [[AmazonClientManager sharedInstance] isLoggedIn];
    }

    - (IBAction)cmdTestS3Tapped:(id)sender {
        if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
            NSLog(@"-----------LOGED IN -------------->");
            [self testListBucket];
        } else {
            NSLog(@"-----------NOT LOGED IN -------------->");
        }
    }

    - (void)testListBucket {
        AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
        getObjectRequest.key = @"image1.jpg";
        getObjectRequest.bucket = @"multix-test";
        NSLog(@"============================================>");
        //default service has been configured previously
        //AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];
        AWSS3 *s3 = [AWSS3 defaultS3];
        [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
            if (task.error) {
                NSLog(@"Error: %@", task.error);
            } else {
                NSLog(@"Got File");
                NSData *data = [task.result body];
                NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
                NSURL *url = [[NSURL alloc] initWithString:urlString];
                if ([[UIApplication sharedApplication] canOpenURL:url]) {
                    [[UIApplication sharedApplication] openURL:url];
                }
            }
            return nil;
        }];
        NSLog(@"============================================>");
    }

Error

    2014-11-26 20:58:24.048 FBLoginTest[2647:83767] initializing clients...
    2014-11-26 20:58:24.055 FBLoginTest[2647:83767] -----------LOGED IN -------------->
    2014-11-26 20:58:33.542 FBLoginTest[2647:83767] -----------LOGED IN -------------->
    2014-11-26 20:58:33.542 FBLoginTest[2647:83767] ============================================>
    2014-11-26 20:58:33.551 FBLoginTest[2647:83767] ============================================>
    2014-11-26 20:58:33.554 FBLoginTest[2647:88515] AWSiOSSDKv2 [Verbose] AWSURLRequestSerialization.m line:110 | -[AWSJSONRequestSerializer serializeRequest:headers:parameters:] | Request body: [{"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}]
    2014-11-26 20:58:34.870 FBLoginTest[2647:88605] AWSiOSSDKv2 [Debug] AWSURLResponseSerialization.m line:85 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{ "Content-Length" = 129; "Content-Type" = "application/x-amz-json-1.1"; Date = "Wed, 26 Nov 2014 16:58:34 GMT"; nnCoection = close; "x-amzn-RequestId" = "7558584c-758d-11e4-a92d-11020f90ea0e"; }]
    2014-11-26 20:58:34.871 FBLoginTest[2647:88605] AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:90 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [{"__type":"NotAuthorizedException","message":"Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."}]
    2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSIdentityProvider.m line:212 | __42-[AWSBasicCognitoIdentityProvider refresh]_block_invoke_2 | GetOpenIdToken failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn't be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
    2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:433 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke293 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn't be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
    2014-11-26 20:58:34.873 FBLoginTest[2647:88605] Error: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn't be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}

I think the trust relationship is incorrect. It should be

    "ForAnyValue:StringLike": {
      "cognito-identity.amazonaws.com:amr": "authenticated"
    }

because your user authenticates with Facebook. The trust relationship you gave is for unauthenticated users.

For more details on Cognito, roles and trust relationships, see Bob's three-part blog:

Part 1: http://mobile.awsblog.com/post/Tx2UQN4KWI6GDJL/Understanding-Amazon-Cognito-Authentication

Part 2: http://mobile.awsblog.com/post/Tx2FL1QAPDE0UAH/Understanding-Amazon-Cognito-Authentication-Part-2-Developer-Authenticated-Ident

Part 3: http://mobile.awsblog.com/post/Tx1OSMBRHZVM9V0/Understanding-Amazon-Cognito-Authentication-Part-3-Roles-and-Policies
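To make the point of the answer above concrete, here is a small added example (not code from the question or from the AWS blog) that evaluates a Cognito role trust policy the way IAM reads its Condition block: `StringEquals` on the single-valued `aud` key, and the set operator `ForAnyValue:StringLike` on the multi-valued `amr` key. The request contexts are constructed for illustration; the `amr` values for a Facebook-authenticated identity are assumed to contain `"authenticated"` and the provider name, and the pool id is the placeholder from the question. Running it shows that the trust policy as posted (amr = "unauthenticated") rejects a Facebook-authenticated identity, while the corrected policy (amr = "authenticated") accepts it and still rejects unauthenticated identities and identities from another pool.

```python
import copy
import fnmatch
import json

POOL_ID = "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"   # placeholder from the question
FEDERATED = "cognito-identity.amazonaws.com"
ASSUME = "sts:AssumeRoleWithWebIdentity"
AMR_KEY = "cognito-identity.amazonaws.com:amr"
AUD_KEY = "cognito-identity.amazonaws.com:aud"

# Trust policy exactly as posted in the question (the unauthenticated variant).
TRUST_POLICY_UNAUTH = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Principal": {"Federated": "cognito-identity.amazonaws.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"},
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}}}]}
""")

# Same policy with the one-word change the answer recommends.
TRUST_POLICY_AUTH = copy.deepcopy(TRUST_POLICY_UNAUTH)
TRUST_POLICY_AUTH["Statement"][0]["Condition"]["ForAnyValue:StringLike"][AMR_KEY] = "authenticated"

# Constructed request contexts (what STS sees when Cognito vends an OpenID token).
FACEBOOK_CONTEXT = {AUD_KEY: POOL_ID, AMR_KEY: ["authenticated", "graph.facebook.com"]}  # assumed amr values
UNAUTH_CONTEXT = {AUD_KEY: POOL_ID, AMR_KEY: ["unauthenticated"]}
WRONG_POOL_CONTEXT = {AUD_KEY: "us-east-1:other-pool", AMR_KEY: ["authenticated", "graph.facebook.com"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(operator, expected, actual):
    """One IAM string condition operator applied to a single pair of values."""
    if operator == "StringEquals":
        return expected == actual
    if operator == "StringLike":          # case-sensitive glob: * and ? only
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError("unsupported condition operator: %s" % operator)


def condition_matches(condition, context):
    """Every operator block must match (AND); within a key, any expected value may match (OR)."""
    for full_operator, pairs in condition.items():
        qualifier, _, operator = full_operator.rpartition(":")   # "ForAnyValue:StringLike" -> ("ForAnyValue", "StringLike")
        for key, expected in pairs.items():
            actual_values = _as_list(context.get(key, []))
            expected_values = _as_list(expected)
            hits = [any(_match(operator, e, a) for e in expected_values) for a in actual_values]
            if qualifier == "ForAnyValue":
                ok = any(hits)                    # at least one amr value must match
            elif qualifier == "ForAllValues":
                ok = all(hits)                    # vacuously true when the key is absent
            else:
                ok = len(actual_values) == 1 and hits[0]   # simplification: plain operators need exactly one value
            if not ok:
                return False
    return True


def can_assume_role(trust_policy, principal, action, context):
    """True if an Allow statement matches principal, action and condition and no Deny statement does."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if stmt.get("Principal", {}).get("Federated") != principal:
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_all():
    """Summary of the four cases discussed in the answer."""
    return {
        "posted_policy_facebook": can_assume_role(TRUST_POLICY_UNAUTH, FEDERATED, ASSUME, FACEBOOK_CONTEXT),
        "fixed_policy_facebook": can_assume_role(TRUST_POLICY_AUTH, FEDERATED, ASSUME, FACEBOOK_CONTEXT),
        "fixed_policy_unauth": can_assume_role(TRUST_POLICY_AUTH, FEDERATED, ASSUME, UNAUTH_CONTEXT),
        "fixed_policy_wrong_pool": can_assume_role(TRUST_POLICY_AUTH, FEDERATED, ASSUME, WRONG_POOL_CONTEXT),
    }


if __name__ == "__main__":
    for case, result in evaluate_all().items():
        print("%-26s %s" % (case, "ALLOW" if result else "DENY"))
```

The `aud` check is the part worth keeping in mind when copying a role between pools: the role only trusts identities from the pool named in the policy, so a token from any other pool is refused even when the `amr` condition is right.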

The "Access to Identity is forbidden" error is usually caused by your credentials provider not including the token from the login provider (FB).

You did not include the code that handles the FB login, but I would make sure you are correctly setting the token on the AWSCognitoCredentialsProvider and setting that provider as the default.

Sebastien's answer is still important to note, because if you use the incorrect role you may run into an STS error.

Thanks Bob & Sebastien,

The problem was that I forgot to put the following code in viewDidLoad

    [[AmazonClientManager sharedInstance] resumeSessionWithCompletionHandler:^(NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];