4

我正在尝试了解 amazon cognito 并在通过 facebook 登录后尝试列出 S3 文件夹的内容。脸书登录工作正常。当我点击测试按钮(cmdTestS3Tapped)时,它会引发以下错误。

我从亚马逊提供的示例中将 AmazonClientManager.h、AmazonClientManager.m 和 Constants.h 包含在项目中。常数如下所示。任何人都可以帮我解决这个问题。

#define AWSAccountID @"MyAccountID"
#define CognitoPoolID @"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
#define CognitoRoleAuth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
#define CognitoRoleUnauth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"

这是角色 - Cognito_iOSTestPoolAuth_DefaultRole

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "mobileanalytics:PutEvents",
            "cognito-sync:*"
        ],
        "Effect": "Allow",
        "Resource": [
            "*"
        ],
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
    }]
}

这是信任关系

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}

这是我正在使用的代码

- (IBAction)cmdLoginWithFB:(id)sender {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
    [self disableUI];
    [[AmazonClientManager sharedInstance] loginFromView:self.view withCompletionHandler:^(NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];
}

-(void)refreshUI {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
    //self.browseDataButton.enabled = YES;
    self.cmdLoginWithFB.enabled = YES;
    if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
        self.cmdLoginWithFB.titleLabel.text = @"Link";
        NSLog(@"-----------LOGED IN -------------->");
    }
    else {
        self.cmdLoginWithFB.titleLabel.text = @"Login";
        NSLog(@"-----------NOT LOGED IN -------------->");
    }
    self.cmdLogoutWipe.enabled = [[AmazonClientManager sharedInstance] isLoggedIn];
}


- (IBAction)cmdTestS3Tapped:(id)sender {
    if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
        NSLog(@"-----------LOGED IN -------------->");
        [self testListBucket];
    }
    else {
        NSLog(@"-----------NOT LOGED IN -------------->");
    }
}


- (void)testListBucket {
    AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
    getObjectRequest.key = @"image1.jpg";
    getObjectRequest.bucket = @"multix-test";

    NSLog(@"============================================>");

    //default service has been configured previously
    //AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];

     AWSS3 *s3 = [AWSS3 defaultS3];


    [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
        if(task.error)
        {
            NSLog(@"Error: %@",task.error);
        }
        else
        {
            NSLog(@"Got File");
            NSData *data = [task.result body];
            NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            NSURL *url = [[NSURL alloc] initWithString:urlString];
            if ([[UIApplication sharedApplication] canOpenURL:url]) {
                [[UIApplication sharedApplication] openURL:url];
            }
        }
        return nil;
    }];
    NSLog(@"============================================>");
}

错误

2014-11-26 20:58:24.048 FBLoginTest[2647:83767] initializing clients...
2014-11-26 20:58:24.055 FBLoginTest[2647:83767] -----------LOGED IN -------------->
2014-11-26 20:58:33.542 FBLoginTest[2647:83767] -----------LOGED IN -------------->
2014-11-26 20:58:33.542 FBLoginTest[2647:83767] ============================================>
2014-11-26 20:58:33.551 FBLoginTest[2647:83767] ============================================>
2014-11-26 20:58:33.554 FBLoginTest[2647:88515] AWSiOSSDKv2 [Verbose] AWSURLRequestSerialization.m line:110 | -[AWSJSONRequestSerializer serializeRequest:headers:parameters:] | Request body: [{"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}]
2014-11-26 20:58:34.870 FBLoginTest[2647:88605] AWSiOSSDKv2 [Debug] AWSURLResponseSerialization.m line:85 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{
    "Content-Length" = 129;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Wed, 26 Nov 2014 16:58:34 GMT";
    nnCoection = close;
    "x-amzn-RequestId" = "7558584c-758d-11e4-a92d-11020f90ea0e";
}]
2014-11-26 20:58:34.871 FBLoginTest[2647:88605] AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:90 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [{"__type":"NotAuthorizedException","message":"Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSIdentityProvider.m line:212 | __42-[AWSBasicCognitoIdentityProvider refresh]_block_invoke_2 | GetOpenIdToken failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:433 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke293 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] Error: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}
4

3 回答 3

4

我认为信任关系不正确。它应该是

 "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }

因为您的用户通过 Facebook 进行了身份验证。您提供的信任关系适用于未经身份验证的用户。

有关 Cognito、角色和信任关系的更多详细信息,请参阅 Bob 的三部分博客

第 1 部分:http: //mobile.awsblog.com/post/Tx2UQN4KWI6GDJL/Understanding-Amazon-Cognito-Authentication

第 2 部分:http: //mobile.awsblog.com/post/Tx2FL1QAPDE0UAH/Understanding-Amazon-Cognito-Authentication-Part-2-Developer-Authenticated-Ident

第 3 部分:http: //mobile.awsblog.com/post/Tx1OSMBRHZVM9V0/Understanding-Amazon-Cognito-Authentication-Part-3-Roles-and-Policies

于 2014-11-27T08:35:41.990 回答
3

错误“访问身份被禁止”通常是由于未能在您的凭据提供程序中包含来自登录提供程序 (FB) 的令牌。

您没有包含处理 FB 登录的代码,但我会确保您在 AWSCognitoCredentials 提供程序上正确设置令牌并将该提供程序设置为默认值。

Sebastien 的回答仍然很重要,因为如果您使用不正确的角色,您以后可能会遇到 STS 错误。

于 2014-11-27T15:14:28.813 回答
1

谢谢鲍勃和塞巴斯蒂安,

问题是。我忘记将以下代码放入 viewdidload

[[AmazonClientManager sharedInstance] resumeSessionWithCompletionHandler:^(NSError *error) {
    dispatch_async(dispatch_get_main_queue(), ^{
        [self refreshUI];
    });
}];
于 2014-11-28T10:10:43.810 回答