情景： 我在亚马逊创建一个应用程序，并使用登录亚马逊，它返回一个access_token。然后我运行：

Scenario: I create an app on Amazon, and use Login with Amazon, which returns an "access_token". Then I run:

  AWS.config.credentials = new AWS.WebIdentityCredentials({

          RoleArn: 'arn:aws:iam::416942672???:role/???_amazon_role',
          ProviderId: 'www.amazon.com',
          WebIdentityToken:"?????????"
        });

  AWS.config.region = 'us-west-2';

  dynamodb =  new  AWS.DynamoDB()   dynamodb.listTables({}, function a(error,data){

    alert( "error: " +  JSON.stringify(error) );
    alert( JSON.stringify(data) );
    });

在我以后运行 ListTable 函数将返回：

When I later run the ListTable function it will return:

error: {"message":"Missing credentials in config","code":"SigningError","name":"SigningError","statusCode":403,"retryable":false}

我发现好像是我必须调用 AssumeRoleWithWebIdentity 。但是，我怎么能叫它 AWS SDK为JavaScript ？或者有没有其他的过程中，我错过了吗？

I found it seems that I have to call AssumeRoleWithWebIdentity. But how can I call it in AWS SDK for JavaScript? Or is there any other process I missed?

推荐答案

的获取临时凭据中确实需要调用的 AssumeRoleWithWebIdentity - 这种低级别的API调用是隐含在较高的水平 AWS SDK为JavaScript 凭据提供呼叫新AWS.WebIdentityCredentials（不过，如见） 类：AWS.WebIdentityCredentials 的：

The process of Getting Temporary Credentials indeed requires a call to AssumeRoleWithWebIdentity - this low level API call is implied in the higher level AWS SDK for JavaScript credentials provider call new AWS.WebIdentityCredentials() though, see e.g. Class: AWS.WebIdentityCredentials:

再presents从STS的Web身份联合检索凭据   支持。

Represents credentials retrieved from STS Web Identity Federation support.

在默认情况下使用此提供程序获得证书    AWS.STS.assumeRoleWithWebIdentity（）的服务操作。此操作   需要包含IAM信任策略的ARN为一个RoleArn   申请该证书将得到。此外，该   WebIdentityToken必须设置由身份提供的令牌   供应商。请参阅构造函数（）一个例子创建一个凭证   对象适当RoleArn和WebIdentityToken值。

By default this provider gets credentials using the AWS.STS.assumeRoleWithWebIdentity() service operation. This operation requires a RoleArn containing the ARN of the IAM trust policy for the application for which credentials will be given. In addition, the WebIdentityToken must be set to the token provided by the identity provider. See constructor() for an example on creating a credentials object with proper RoleArn and WebIdentityToken values.

由于错误信息的缺少配置凭据的，你显然传递了不正确的 WebIdentityToken ，这是不是一个惊喜给你只是规定了一些 ????????? 占位符;） - 因为你已经的使用登录亚马逊，它返回一个access_token 的，你会只需要传递ACCESS_TOKEN，而不是那些内容 ????????? 占位符值 WebIdentityToken 和应该准备就绪。

Given the error message "Missing credentials in config", you are obviously passing an incorrect WebIdentityToken, which isn't a surprise given you just specified some ????????? placeholders ;) - since you already use Login with Amazon, which returns an access_token, you'll just need to pass the content of that ACCESS_TOKEN instead of those ????????? placeholders as value for WebIdentityToken and should be all set.

对于其他读者：节的 6。把他们放在一起的在配置Web身份联合浏览器提供了一个范例检索访问令牌通过的Facebook登录的。如上所述那里，其他身份提供将具有涉及加载各自的SDK中，登录和接收接入令牌类似的设置步骤的 - 特别是，如何处理的登录亚马逊是详细记录在获得入门的Web 。 For other readers: Section 6. Putting it all together of Configuring Web Identity Federation in the Browser provides an example for retrieving the access token via Facebook Login. As noted there, Other identity providers will have a similar setup step that involves loading the respective SDK, logging in, and receiving an access token - in particular, how to handle Login with Amazon is documented in detail within Getting Started for Web.