1

我有一个 AWS Lambda,它在 CloudFront 实例上作为查看器请求运行,该实例限制对 S3 存储桶设置的访问,以用于网站的静态托管。它使用 Cognito 用户池来限制访问并通过AdminInitiateAuth.

使用从记录 CloudFront 事件直接获得的测试数据,lambda 运行良好,但是当通过 CloudFront 的触发器实际调用时,我收到错误:

An error occurred (AccessDeniedException) when calling the AdminInitiateAuth operation:
User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/cloudfront_trigger_s3_auth_http_service/us-east-1.s3_service_resources_auth
is not authorized to perform: cognito-idp:AdminInitiateAuth on resource:
arn:aws:cognito-idp:us-west-2:<AWS_ACCOUNT_ID>:userpool/<USER_POOL_ID>

我已经尝试扩大我的信任关系,并确保 AWS STS 可以在需要时担任该角色。

cloudfront_trigger_s3_auth_http_service角色信任关系:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cognito-idp.amazonaws.com",
          "edgelambda.amazonaws.com",
          "sts.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

arcimoto-service-resources-user-pool-auth附加到cloudfront_trigger_s3_auth_http_service允许认知访问的角色的策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cognito-idp:AdminInitiateAuth",
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::511596272857:role/cloudfront_trigger_s3_auth_http_service/us-east-1.s3_service_resources_auth",
                "arn:aws:cognito-idp:us-east-1:511596272857:userpool/us-east-1_sES7sBpcg"
            ]
        }
    ]
}
4

0 回答 0