
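In AWS Gateway WebSocket API, I am trying to control access to my WebSocket endpoint by granting some access permissions to certain users (but not all), specifically using IAM, as described in the official documentation: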

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-control-access-iam.html

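As a test, when I try to Allow/Deny some users with a specific identity connecting to my AWS WebSocket endpoint, using a specific policy (exactly the one shown in the link above), this works properly (so controlling access to $connect works).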

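My use case is to allow these users to connect (invoke $connect) but prevent them from invoking some other custom routes (so they will connect and receive some messages but will not be able to invoke a specific route). However, when I try to control access to any other route (a predefined one like $default, or any custom route), the connected users are still able to invoke the custom routes, even though they are Deny-ed in the policy.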

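Is something maybe missing from the documentation? Why are connected users still able to invoke other custom secret routes? The policy used is exactly the one provided by the official documentation at the link above.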

As said, I know that the policy and the identity are working, because I am able to Deny and Allow the $connect route, but no other routes.

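So, after the user connects to the WebSocket (the user has an identity that Allows $connect), the user is also able to send the following message (and the message reaches the handler of the secret route), even though the secret route is denied in the policy.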

Note that invokeCommand is my secret route.

{ "action": "invokeCommand", "command": "Secret route was invoked, but it actually should NOT!" }

I completely do not understand why this route can still be invoked.

This is the Policy I am using:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:277312736995:gvcpcdepy1/*/$connect"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:277312736995:gvcpcdepy1/*/invokeCommand"
        }
    ]
}

Below are the logs of accessing the WebSocket API:

2021-05-14T09:41:44.226+02:00   (fVXSzFw4liAFdRA=) Extended Request Id: fVXSzFw4liAFdRA=
2021-05-14T09:41:44.226+02:00   (fVXSzFw4liAFdRA=) Verifying Usage Plan for request: fVXSzFw4liAFdRA=. API Key:  API Stage: gvcpcdepy1/dev
2021-05-14T09:41:44.227+02:00   (fVXSzFw4liAFdRA=) API Key  authorized because route 'invokeCommand' does not require API Key. Request will not contribute to throttle or quota limits
2021-05-14T09:41:44.227+02:00   (fVXSzFw4liAFdRA=) Usage Plan check succeeded for API Key  and API Stage gvcpcdepy1/dev
2021-05-14T09:41:44.228+02:00   (fVXSzFw4liAFdRA=) Starting execution for request: fVXSzFw4liAFdRA=
2021-05-14T09:41:44.228+02:00   (fVXSzFw4liAFdRA=) WebSocket Request Route: [invokeCommand]
2021-05-14T09:41:44.228+02:00   (fVXSzFw4liAFdRA=) WebSocket API [gvcpcdepy1] received message from client [Connection Id: fVXRcdAYliACE8A=].
2021-05-14T09:41:44.228+02:00   (fVXSzFw4liAFdRA=) WebSocket API [gvcpcdepy1] received message from client [fVXRcdAYliACE8A=]. Message: [{"requestContext":{"routeKey":"invokeCommand","messageId":"fVXSzdAuliACE8A=","eventType":"MESSAGE","extendedRequestId":"fVXSzFw4liAFdRA=","requestTime":"14/May/2021:19:41:44 +0000","messageDirection":"IN","stage":"dev","connectedAt":1621021295576,"requestTimeEpoch":1621021304225,"identity":{"sourceIp":"85.127.7.191"},"requestId":"fVXSzFw4liAFdRA=","domainName":"gvcpcdepy1.execute-api.eu-central-1.amazonaws.com","connectionId":"fVXRcdAYliACE8A=","apiId":"gvcpcdepy1"},"body":"{ \"action\": \"invokeCommand\", \"command\": \"DEVICE FIRMWARE VERSION\" }","isBase64Encoded":false}].
2021-05-14T09:41:44.228+02:00   (fVXSzFw4liAFdRA=) Endpoint request URI: https://lambda.eu-central-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-central-1:277312736995:function:on-controller-dev-invokeCommandHandler/invocations
2021-05-14T09:41:44.228+02:00   (fVXSzFw4liAFdRA=) Endpoint request headers: {x-amzn-lambda-integration-tag=fVXSzFw4liAFdRA=, Authorization=***************************************************************************************************************************************************************************************************************************************************************************************************************************0b7dbc, X-Amz-Date=20210514T194144Z, x-amzn-apigateway-api-id=gvcpcdepy1, X-Amz-Source-Arn=arn:aws:execute-api:eu-central-1:277312736995:gvcpcdepy1/dev/invokeCommand, Accept=application/json, User-Agent=AmazonAPIGateway_gvcpcdepy1, X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGoaDGV1LWNlbnRyYWwtMSJHMEUCIEKlbtIAmHhPU4NtfPnMaH1qTmd5aPQJWGzg52NzdWwFAiEA2bgH6hS8nxIvme60u7PxI4EL6b9+k0oLM2nbQJCrjGAqwwMI8///////////ARACGgw0NzQyNDAxNDY4MDIiDHgoKWJs1yfdnEKQMiqXA5Y2zOztnyyuj2yLzZlYWoAidplaB2/NSj8yFPNKJFo4yZOPc6sLY3MSwJTOhvh2fKtoJ38JUIHYC7hXLmy2ZXwAXD9VBcpadBtdoy8npQdkeS8HZOHYpx/7XmIi+Lkekmj4mkXA3qBLA4RW2vnZwxY0btpSjDGaGLI57sh+zV2 [TRUNCATED]
2021-05-14T09:41:44.228+02:00   (fVXSzFw4liAFdRA=) Endpoint request body after transformations: {"requestContext":{"routeKey":"invokeCommand","messageId":"fVXSzdAuliACE8A=","eventType":"MESSAGE","extendedRequestId":"fVXSzFw4liAFdRA=","requestTime":"14/May/2021:19:41:44 +0000","messageDirection":"IN","stage":"dev","connectedAt":1621021295576,"requestTimeEpoch":1621021304225,"identity":{"sourceIp":"85.127.7.191"},"requestId":"fVXSzFw4liAFdRA=","domainName":"gvcpcdepy1.execute-api.eu-central-1.amazonaws.com","connectionId":"fVXRcdAYliACE8A=","apiId":"gvcpcdepy1"},"body":"{ \"action\": \"invokeCommand\", \"command\": \"DEVICE FIRMWARE VERSION\" }","isBase64Encoded":false}
2021-05-14T09:41:44.228+02:00   (fVXSzFw4liAFdRA=) Sending request to https://lambda.eu-central-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-central-1:277312736995:function:on-controller-dev-invokeCommandHandler/invocations
2021-05-14T09:41:44.392+02:00   (fVXSzFw4liAFdRA=) Received response. Status: 200, Integration latency: 164 ms
2021-05-14T09:41:44.392+02:00   (fVXSzFw4liAFdRA=) Endpoint response headers: {Date=Fri, 14 May 2021 19:41:44 GMT, Content-Type=application/json, Content-Length=44, Connection=keep-alive, x-amzn-RequestId=9edb5ae5-c7e6-4a62-8d82-a91d7e094759, x-amzn-Remapped-Content-Length=0, X-Amz-Executed-Version=$LATEST, X-Amzn-Trace-Id=root=1-609ed278-d052a897768ba5f05cb18db1;sampled=0}
2021-05-14T09:41:44.392+02:00   (fVXSzFw4liAFdRA=) Endpoint response body before transformations: {"statusCode":200,"body":"Command invoked."}
2021-05-14T09:41:44.392+02:00   (fVXSzFw4liAFdRA=) AWS Integration Endpoint RequestId : 9edb5ae5-c7e6-4a62-8d82-a91d7e094759
2021-05-14T09:41:44.393+02:00   (fVXSzFw4liAFdRA=) Message from client [Connection Id: fVXRcdAYliACE8A=] sent to API [gvcpcdepy1] with response status code [200].

Can anyone help me understand why this does not work, or what I can do to make it work?


0 answers
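
Added example, not part of the original question and not AWS or project code: in the log above the invokeCommand message passes only the usage-plan check before reaching the Lambda, and its requestContext.identity carries just sourceIp. Assuming IAM authorization is evaluated at $connect only, one mitigation is to record the caller at $connect and authorize every message inside the route handler; the in-memory table, the rule set, the ARNs and the identity.userArn field used below are assumptions.

```python
import fnmatch

# Constructed stand-in for a connection table (e.g. DynamoDB) keyed by connectionId.
CONNECTIONS = {}

# Hypothetical per-principal route rules; the ARNs are placeholders, not from the post.
ROUTE_RULES = {
    "arn:aws:iam::111122223333:user/example-viewer": {
        "allow": ["*"], "deny": ["invokeCommand"]},
    "arn:aws:iam::111122223333:user/example-operator": {
        "allow": ["*"], "deny": []},
}


def route_allowed(principal, route_key):
    """Explicit deny wins, then allow; unknown principals are denied."""
    rules = ROUTE_RULES.get(principal)
    if rules is None:
        return False
    if any(fnmatch.fnmatchcase(route_key, p) for p in rules["deny"]):
        return False
    return any(fnmatch.fnmatchcase(route_key, p) for p in rules["allow"])


def on_connect(event, context=None):
    """$connect handler: record who authenticated on this connection."""
    ctx = event["requestContext"]
    # Assumption: with AWS_IAM on $connect the caller ARN is in identity.userArn.
    principal = ctx.get("identity", {}).get("userArn")
    if not principal or not route_allowed(principal, "$connect"):
        return {"statusCode": 403, "body": "Forbidden."}
    CONNECTIONS[ctx["connectionId"]] = principal
    return {"statusCode": 200, "body": "Connected."}


def on_disconnect(event, context=None):
    """$disconnect handler: drop the mapping so a stale entry cannot be reused."""
    CONNECTIONS.pop(event["requestContext"]["connectionId"], None)
    return {"statusCode": 200, "body": "Disconnected."}


def on_invoke_command(event, context=None):
    """invokeCommand handler: authorize per message before doing any work."""
    ctx = event["requestContext"]
    principal = CONNECTIONS.get(ctx["connectionId"])
    if principal is None or not route_allowed(principal, ctx["routeKey"]):
        return {"statusCode": 403, "body": "Forbidden."}
    return {"statusCode": 200, "body": "Command invoked."}
```
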