Cognito / S3用户特定的策略策略、用户、Cognito
我使用的是AWS SDK为Android旁边Cognito(通过登录亚马逊)来验证用户身份,以我的AWS资源。我什么的尝试的做的是建立一个S3桶像这样:
I am using the AWS SDK for Android alongside Cognito to authenticate users (via Login With Amazon) to my AWS resources. What I am attempting to do is to setup an S3 bucket like so:
./my-bucket
├── first_user@email.com
└── second_user@email.com
因此,我斗斗将根据用户的电子邮件地址有文件夹。
So, the my-bucket bucket will have folders based on the user's e-mail address.
我的第一个尝试设置的政策是这样:
My first stab to setup the policy was as such:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::my-bucket"]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::my-bucket/${www.amazon.com:user_id}",
"arn:aws:s3:::my-bucket/${www.amazon.com:user_id}/*"
]
}
]
}
作为测试,我想下载一个文件夹,像这样一个用户:
As a test, I am trying to download a folder for a user like so:
final Map logins = new HashMap();
logins.put("www.amazon.com", token);
credentialsProvider.withLogins(logins);
final TransferManager transferManager = new TransferManager(credentialsProvider);
MultipleFileDownload download = transferManager.downloadDirectory("my-bucket", "first_user@email.com", new File("/sdcard/Download"));
然而,当我运行此我得到一个禁止例外。如果我修改了策略,明确引用 first_user@email.com ,而不是 $ {www.amazon.com:user_id}它工作正常。
However, when I run this I get a "Forbidden" exception. If I modify the policy to explicitly reference first_user@email.com rather than ${www.amazon.com:user_id} it works fine.
我见过参考这样但我不知道哪些实际应用。这将是美妙的,如果我是莫名其妙地能查看什么样的价值观来了,当我提出一个请求跨越。
I've seen references like this but I'm not sure which ones actually apply. It would be fantastic if I were somehow able to see what values are coming across when I make a request.
在此先感谢。
推荐答案
在回答你的问题:
不,这是不可能做到这一点与Cognito或网络身份联合,只需登录亚马逊。在该流返回的标识符伪匿名。 Cognito ID将是形式美国东1:ABCD-123456-XXXXX-XXXXX-XXXX 。如果你直接使用登录亚马逊,该标识将是形式 AMZN-1234567890 从Cognito贩卖的这些ID可在凭据提供通过简单地调用的 getIdentityId 的方法。如果您使用的是原始的网络身份联合流程中, AssumeRoleWithWebIdentityResult类包含了提供者,应用/观众和用户ID的值。 No it is not possible to do this with Cognito or web identity federation with just Login with Amazon. The identifiers returned in this flow are pseudo-anonymous. Cognito IDs will be of the form us-east-1:abcd-123456-xxxxx-xxxxx-xxxx. If you use Login with Amazon directly, the IDs would be of the form amzn-1234567890. The IDs vended from Cognito are available on the credentials provider by simply calling the getIdentityId method. If you are using the raw web identity federation flow, the AssumeRoleWithWebIdentityResult class contains the values for the provider, application/audience and user id.
