
Is it possible to create a trust that allows federated users from Cognito to assume a role based on a custom attribute?

For example, with a tenant attribute:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated",
          "cognito-identity.amazonaws.com:custom:tenant": "tenant-name"
        }
      }
    }
  ]
}

I am using the get_credentials_for_identity API with a Cognito token to assume this role.


1 Answer


Yes, this is absolutely possible with Attributes for access control. It only works for authenticated users (you need an ID token so that its claims can be mapped to principal tags).

  1. Your trust policy needs to look like this:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            },
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            }
        }
    ]
}

The difference is the sts:TagSession action and the fact that amr must be authenticated.

  2. The policy of the assumed role will look like this:

{
    "PolicyDocument": {
        "Statement": [
            {
                "Action": "s3:GetObject",
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::your-bucket-name/cognito/attributes/by_family_name/${aws:PrincipalTag/family_name}/*"
            },
            {
                "Action": "s3:GetObject",
                "Condition": {
                    "StringEquals": {
                        "s3:ExistingObjectTag/given_name": "${aws:PrincipalTag/given_name}"
                    }
                },
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::your-bucket-name/cognito/attributes/by_tag/*"
            }
        ],
        "Version": "2012-10-17"
    },
    "PolicyName": "attributes-policy"
}
  3. You need to configure your Cognito (or any other) provider in the identity pool to perform the mapping between the claims in the token and the tags. You can do this in the console under Attributes for access control, or with the CLI like this:

aws cognito-identity set-principal-tag-attribute-map --cli-input-json file://set-principal-tag-attribute-map.json

where set-principal-tag-attribute-map.json looks like this (for Cognito as the IdP):

{
    "IdentityPoolId": "here-is-your-identity-pool-id",
    "IdentityProviderName": "cognito-idp.<region>.amazonaws.com/<user_pool_id>",
    "UseDefaults": false,
    "PrincipalTags": {
        "given_name": "given_name",
        "family_name": "family_name"
    }
}

You can find more details in the documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html

answered 2021-04-08T13:26:18.390
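As an added example (not from the answer above or from AWS), here is a small Python simulation of the mechanism the answer describes: the identity pool's attribute map turns ID-token claims into session tags, and a `${aws:PrincipalTag/...}` variable in the role policy then scopes access. It applies the answer's pattern to the question's tenant attribute; the bucket name, the `custom:tenant` claim-to-tag mapping and the simplified matching rules are assumptions, not the IAM engine's own logic.

```python
import fnmatch

# Constructed role policy: the answer's by_family_name pattern, applied to a tenant tag.
TENANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/tenants/${aws:PrincipalTag/tenant}/*",
    }],
}

# Hypothetical PrincipalTags map (same shape as set-principal-tag-attribute-map.json):
# session tag "tenant" is filled from the user pool's "custom:tenant" ID-token claim.
PRINCIPAL_TAGS = {"tenant": "custom:tenant"}


def session_tags(id_token_claims, principal_tags):
    """Map ID-token claims to session tags. In this simulation a missing claim yields
    no tag, so the policy variable below stays unresolved and nothing is granted."""
    return {tag: id_token_claims[claim]
            for tag, claim in principal_tags.items() if claim in id_token_claims}


def resolve(resource, tags):
    """Substitute ${aws:PrincipalTag/<key>} variables. An unresolved variable means the
    statement can never match, which is what IAM does with missing policy variables."""
    out = resource
    for key, value in tags.items():
        out = out.replace("${aws:PrincipalTag/%s}" % key, value)
    return None if "${aws:PrincipalTag/" in out else out


def is_allowed(policy, tags, action, resource_arn):
    """Simplified Allow-only evaluation: action and resource patterns use IAM-style
    '*' / '?' wildcards (fnmatch), and '*' may span '/' as it does in IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        pattern = resolve(stmt["Resource"], tags)
        if pattern and fnmatch.fnmatchcase(resource_arn, pattern):
            return True
    return False


if __name__ == "__main__":
    # Constructed claims as they would appear in a user pool ID token.
    tags = session_tags({"sub": "user-1", "custom:tenant": "acme"}, PRINCIPAL_TAGS)
    print(is_allowed(TENANT_POLICY, tags, "s3:GetObject",
                     "arn:aws:s3:::example-bucket/tenants/acme/report.csv"))
```

Note that the tag value comes from the token the identity pool verified, not from anything the client sends in the credentials call, which is why the answer stresses authenticated identities.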