未授权执行sts:AssumeRoleWithWebIdentity AWS s3 Cognitoauthentication失败
我有一个简单的iOS应用程序上传到S3。 我试图在所有的周围,尽pipe理想情况下,我想做Facebook。
2个IAMangular色(使用向导创build)。 IAMauthentication策略(for unauthangular色):
{ "Version": "2012-10-17", "Statement": [{ "Action": [ "mobileanalytics:PutEvents", "cognito-sync:*" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::[mybucketname]/*" } ] }
我的constants.h文件(scrubbed):
#define AWSID @"[12 digit num]" #define PoolID @"us-east-1:[long id number]" #define CRUnauth @"arn:aws:iam::[id num]:role/Cognito_Auth_DefaultRole" #define CRAuth @"arn:aws:iam::[id num]:role/Cognito_auth_DefaultRole"
我的appDelegate.m文件有这样的:
credentialsProvider = [AWSCognitoCredentialsProvider credentialsWithRegionType:AWSRegionUSEast1 accountId:AWSID identityPoolId:PoolID unauthRoleArn:CRUnauth authRoleArn:nil]; AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1 credentialsProvider:credentialsProvider]; [AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
我做了credentialsProvider属性,因为我需要在某个时候添加Facebooklogin。
我只是上传一个包图像来testing这个。 在我的viewController:
if([app.fb_token length] > 0){ app.credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyFacebook): app.fb_token }; } AWSS3TransferManager *transferManager = [AWSS3TransferManager defaultS3TransferManager]; UIImage *image = [UIImage imageNamed:@"yayDot"]; NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES); NSString *documentsDirectory = [paths objectAtIndex:0]; NSString* path = [documentsDirectory stringByAppendingPathComponent: @"yayDot.png" ]; NSData* data = UIImagePNGRepresentation(image); [data writeToFile:path atomically:YES]; AWSS3TransferManagerUploadRequest *uploadRequest = [AWSS3TransferManagerUploadRequest new]; uploadRequest.body = [NSURL URLWithString:path]; uploadRequest.key = @"yayDot.png"; uploadRequest.bucket = thebucket; [AWSLogger defaultLogger].logLevel = AWSLogLevelVerbose; [[transferManager upload:uploadRequest] continueWithBlock:^id(BFTask *task) { // Do something with the response NSLog(@"result: %@", task.result); return nil; }];
完整的错误:
AWSURLResponseSerialization.m line:258 | -[AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{ "Content-Length" = 299; "Content-Type" = "text/xml"; Date = "Tue, 27 Jan 2015 18:54:17 GMT"; "x-amzn-RequestId" = "xxxxx"; }] 2015-01-27 10:54:18.052 AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:263 | -[AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <Error> <Type>Sender</Type> <Code>AccessDenied</Code> <Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message> </Error> <RequestId>xxxxx</RequestId> </ErrorResponse> ] 2015-01-27 10:54:18.059 lookyloo[20024:332664] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:587 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke356 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSSTSErrorDomain Code=0 "The operation couldn't be completed. (com.amazonaws.AWSSTSErrorDomain error 0.)" UserInfo=0x7d936310 {Type=Sender, Message=Not authorized to perform sts:AssumeRoleWithWebIdentity, __text=( "\n ", "\n ", "\n ", "\n " ), Code=AccessDenied}]
看看你的代码,它看起来像你使用“authentication”angular色arn:aws:iam::[id num]:role/Cognito_Auth_DefaultRole
作为你的意见。 默认情况下,Amazon Cognito创build的angular色只信任特定types的访问(未经身份validation和已validation),因此在尝试使用未经身份validation的访问时会出现sts错误。 这篇博客文章将介绍信任政策并了解Cognito如何使用它们。
切换到简化的构造函数应该已经为您解决了这个问题,除非您在AWS控制台内也进行了相同的关联。 在控制台中关联你的angular色可以让你不把你的angular色embedded你的应用程序中。
另外,如果您想使用“美国标准”区域以外的存储桶,则需要更改以下行:
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1 credentialsProvider:credentialsProvider];
反映存储区所在的区域。