I'm confused about Authenticated Roles in an Identity Pool when using Amplify for Auth.

0

I've built a simple React application that will make REST calls to an API Gateway which has a Resource Policy on it to control access. I've set up a User Pool, App Client and Identity Pool with Authenticated Roles that all match, but when running my application I'm confused about how and where I should be getting the roles from my Identity Pool and then how I should be passing them in the request to API Gateway.

I'm not sure exactly where to troubleshoot, but I do see that neither the idToken nor the accessToken in my signInUserSession contains any role information, so presumably the bearer token I'm sending in doesn't contain this information either.

Right now, all requests to API Gateway result in a 403 with the message 'User: anonymous is not authorized to perform: execute-api:Invoke on resource blabla'.

My React App (simplified a bit):

import React, { useEffect } from 'react';
import { Amplify, Auth, API } from 'aws-amplify';
import { withAuthenticator } from '@aws-amplify/ui-react';
import '@aws-amplify/ui-react/styles.css';

// Amplify configuration: User Pool (authentication), Identity Pool (AWS
// credentials under the Authenticated Role) and the REST API definition.
const awsmobile = {
    "aws_project_region": "us-east-1",
    "aws_cognito_identity_pool_id": "us-east-1:bla-blabla-bla-blabla",
    "aws_cognito_region": "us-east-1",
    "aws_user_pools_id": "us-east-1_XXXXXXXXX",
    "aws_user_pools_web_client_id": "foostuffboostuff",
    "oauth": {
        "domain": "jefarr-test.auth.us-east-1.amazoncognito.com"
    },
    "aws_cloud_logic_custom": [
        {
            "name": "Cognito Test API",
            "endpoint": "https://foobar.execute-api.us-east-1.amazonaws.com/Test",
            "region": "us-east-1"
        }
    ]
};

Amplify.configure(awsmobile);

function App({ signOut, user }) {

    async function callApi() {
        // Named currentUser so it does not shadow the `user` prop above.
        const currentUser = await Auth.currentAuthenticatedUser();
        // The bearer scheme is "Bearer <token>" (no colon after "Bearer").
        const token = "Bearer " + currentUser.signInUserSession.idToken.jwtToken;
        const apiName = 'Cognito Test API';
        const path = '/';

        // Note: the User Pool tokens carry no Identity Pool role information.
        // Supplying a custom Authorization header sends it as-is; the request
        // then arrives without the AWS4-HMAC-SHA256 signature that the
        // Identity Pool credentials would otherwise provide, which is why
        // API Gateway reports the caller as "anonymous".
        const requestData = {
            headers: {
                Authorization: token
            }
        };
        const data = await API.get(apiName, path, requestData);
        console.log("data: ", data);
    }

    return (
        <>
            <h1>Hello {user.username}</h1>
            <button onClick={signOut}>Sign out</button>
            <button onClick={callApi}>Call Api</button>
        </>
    );
}
export default withAuthenticator(App);

How can I get these requests to API Gateway to work with the Resource Policy in place?

  • Been working on this all day and made exactly zero progress. I've tried sending the idToken and accessToken in via the Authorization header, and I've tried removing the headers from requestData; neither worked, but when removing the custom headers I see the AWS4 signed Authorization header in the request, which makes me think this is supposed to just work:

    Authorization:
    AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXX/20231103/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=XXXXXXXXXXXXXXXXXXX
    
2 answers
1

Get the user's credentials from Auth.currentCredentials() instead of Auth.currentAuthenticatedUser(). This will give you access to the identityId and userRole values from the identity pool.

AWS
answered 7 months ago
  • Thank you, this is helpful in troubleshooting but not exactly what my problem was.

0
Accepted answer

After another day or two of digging I found the problem. Under the "Method Request Settings" in API Gateway I needed to set "Authorization" to "AWS_IAM".

jefarr
answered 6 months ago
