我正在研究一种情况,我想根据 cognito 用户池的组角色授权 lambda 函数。
我为用户组创建了一个角色:
角色名称:AppAdmin
AWS 托管权限策略:
- IAM完全访问
- AmazonS3FullAccess
- AmazonCognitoPowerUser
信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::ACCOUNT_NUMBER:assumed-role/lambdaRole/LAMBDA_FUNCTION_NAME",
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
而且,我为 lambda 函数创建了另一个角色:
角色名称:lambdaRole
政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermissionToAssumeAppAdmin",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT_NUMBER:role/AppAdmin"
}
]
}
请注意,所有这些都在同一个 AWS 账户中。
现在,如果我尝试从 lambda 承担 AppAdmin 角色:
const AWS= require('aws-sdk');
let sts = new AWS.STS();
exports.main = async function(event) {
console.log('event: '+ JSON.stringify(event));
const msg= event.requestContext.authorizer.claims['cognito:roles'];
let response= {
statusCode: 500,
body: JSON.stringify({
message: 'Some error occurred on the server.',
}),
}
await sts.assumeRole({
RoleArn: JSON.stringify(msg),
RoleSessionName: 'Cognito_Cognito_DefaultRole',
}).promise().then(data => {
console.log('Assumed role success :)');
console.log('Data is: '+data);
let creds = new AWS.Credentials({
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
});
}).catch(err => {
console.log('Cannot assume role :(');
console.log(err, err.stack);
})
};
我收到以下错误:
2022-02-18T13:46:45.204Z fdd8c0d2-442d-4324-ba93-673cb4e5f327 INFO AccessDenied: User: arn:aws:sts::ACCOUNT_NUMBER:assumed-role/lambdaRole/LAMBDA_FUNCTION_NAME is not authorized to perform: sts:AssumeRole on resource: "arn:aws:iam::ACCOUNT_NUMBER:role/AppAdmin"
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
code: 'AccessDenied',
time: 2022-02-18T13:46:45.162Z,
requestId: 'feabf3ff-c4b6-45c5-8606-4c1c59b9af10',
statusCode: 403,
retryable: false,
retryDelay: 59.233565937215026
} AccessDenied: User: arn:aws:sts::ACCOUNT_NUMBER:assumed-role/lambdaRole/LAMBDA_FUNCTION_NAME is not authorized to perform: sts:AssumeRole on resource: "arn:aws:iam::ACCOUNT_NUMBER:role/AppAdmin"
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
非常感谢任何帮助!
谢谢!!!