我假设您收到一些错误,例如 AWSCognitoIdentityProviderErrorNotAuthorized。因为这是一个“管理员”API 调用,此处建议“需要开发人员凭据”[0]。
我建议您对您的凭据进行硬编码,以测试此 API 调用是否首先有效
AWSStaticCredentialsProvider *credentialsProvider = [AWSStaticCredentialsProvider credentialsWithAccessKey:"your-access-key" secretKey:"your-secret-key"];
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
请注意,不要在生产环境中对您的凭证进行硬编码。
21/07/2019 更新:
let staticCredentialProvider = AWSStaticCredentialsProvider.init(accessKey: "yourAccessKey", secretKey: "yourSecretKey")
let configuration = AWSServiceConfiguration.init(region: .APSoutheast2, credentialsProvider: staticCredentialProvider)
AWSServiceManager.default()?.defaultServiceConfiguration = configuration
let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "ap-southeast-2_xxxxxxxxx"
request?.username = "yourUserName"
AWSCognitoIdentityProvider.default().adminAddUser(toGroup: request!).continueWith { (task) -> Any? in
DispatchQueue.main.async(execute: {
if let error = task.error {
print("\(error.localizedDescription)")
}
})
}
我已经测试过了,上面的代码在我的测试环境中工作。我在这里列出以供您参考。下一步将尝试从代码库中删除硬编码凭证。可以使用 Cognito 身份池获取临时凭证,而不是使用 AWSStaticCredentialsProvider。我认为在获得足够许可的情况下,此流程无需开发人员凭据即可工作。
2019 年 7 月 26 日更新:
// using Cognito userpool with identity pool, to provider credential to AWSServiceManager
let serviceConfiguration = AWSServiceConfiguration(region: .APSoutheast2, credentialsProvider: nil)
let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: "YourUserPoolClientId", clientSecret: "YourUserPoolClientSecret", poolId: "YourUserPoolId")
AWSCognitoIdentityUserPool.register(with: serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: "RandomStringForIdentifyingYourPoolWithinThisApp")
let pool = AWSCognitoIdentityUserPool(forKey: "RandomStringForIdentifyingYourPoolWithinThisApp")
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .APSoutheast2, identityPoolId: "YourIdentityPoolId", identityProviderManager:pool)
let configuration = AWSServiceConfiguration.init(region: .APSoutheast2, credentialsProvider: credentialsProvider)
AWSServiceManager.default()?.defaultServiceConfiguration = configuration
// sign in a user
pool.getUser("UserNameOfAUserInYourPool").getSession("UserNameOfAUserInYourPool", password: "PasswordOfAUserInYourPool", validationData: nil).continueWith { (task) -> Any? in
if let error = task.error {
print("user sign in error: \(error.localizedDescription)")
} else {
print("user session is: \(String(describing: task.result))")
}
// add a user to GroupA
let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "YourUserPoolId"
request?.username = "UserNameOfAUserInYourPool"
return AWSCognitoIdentityProvider.default().adminAddUser(toGroup: request!)
}.continueWith { (task) -> Any? in
if let error = task.error {
print("cannot add user to group \(error.localizedDescription)")
}
}
就像我建议的那样,这是没有硬编码 AWS 凭证的解决方案。Cognito 身份池在用户登录到 Cognito 用户池 [3] 后提供温度 AWS 凭证,从而启用“adminAddToGroup”API 调用。
除了上面的代码,您还需要在 AWS 控制台上或使用 AWS CLI 设置您的 Cognito 身份池。您可以在屏幕截图中找到详细信息。
您还需要为经过身份验证的用户创建身份验证 IAM 角色以代入。这是策略示例。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cognito-idp:AdminRemoveUserFromGroup",
"cognito-idp:AdminAddUserToGroup"
],
"Resource": "Your_userpool_ARN"
}
]
}
参考:[0] https://aws-amplify.github.io/aws-sdk-ios/docs/reference/Classes/AWSCognitoIdentityProvider.html#//api/name/adminAddUserToGroup:[2 ] https://aws。 amazon.com/blogs/mobile/how-amazon-cognito-keeps-mobile-app-users-data-safe/
[3] https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito -integrating-user-pools-with-identity-pools.html