1

我正在尝试使用 AWS IAM 为移动应用程序生成临时令牌。我正在使用 AWS C# 开发工具包。

这是我的代码...

令牌生成服务

public string GetIAMKey(string deviceId)
    {
        //fetch IAM key...

        var credentials = new BasicAWSCredentials("MyKey", "MyAccessId");

        var sts = new AmazonSecurityTokenServiceClient(credentials);

        var tokenRequest = new GetFederationTokenRequest();
        tokenRequest.Name = deviceId;
        tokenRequest.Policy = File.ReadAllText(HostingEnvironment.MapPath("~/policy.txt"));
        tokenRequest.DurationSeconds = 129600;

        var tokenResult = sts.GetFederationToken(tokenRequest);

        var details = new IAMDetails { SessionToken = tokenResult.GetFederationTokenResult.Credentials.SessionToken, AccessKeyId = tokenResult.GetFederationTokenResult.Credentials.AccessKeyId, SecretAccessKey = tokenResult.GetFederationTokenResult.Credentials.SecretAccessKey, };

        return JsonConvert.SerializeObject(details);
    }

客户端

var iamkey = Storage.LoadPersistent<IAMDetails>("iamkey");

        var simpleDBClient = new AmazonSimpleDBClient(iamkey.AccessKeyId, iamkey.SecretAccessKey, iamkey.SessionToken);

        try
        {
            var details = await simpleDBClient.SelectAsync(new SelectRequest { SelectExpression = "select * from mydomain" });

            return null;
        }
        catch (Exception ex)
        {
            Storage.ClearPersistent("iamkey");
        }

策略文件内容

{ “声明”:[{ “效果”:“允许”、“操作”:“sdb:*”、“资源”:“arn:aws:sdb:eu-west-1:* :domain/mydomain*”} ]}

我不断收到以下错误...

用户 (arn:aws:sts::myaccountid:federated-user/654321) 无权对资源 (arn:aws:sdb:us-east-1:myaccountid:domain/mydomain) 执行 (sdb:Select)

请注意,我的策略文件明确指定了两件事

  1. 区域应该是eu-west-1
  2. allowed action 是通配符,即允许一切

但是抛出的异常声称我的用户没有权限us-east-1

关于我为什么会收到此错误的任何想法?

4

1 回答 1

1

好的,想通了。

您必须在从客户端调用服务时设置区域端点。

所以

var simpleDBClient = new AmazonSimpleDBClient(iamkey.AccessKeyId, iamkey.SecretAccessKey, iamkey.SessionToken, Amazon.RegionEndpoint.EUWest1);
于 2013-09-07T19:23:34.237 回答