我在AWS API网关中有一个使用AWS- cognito保护的API。为了使用端点,用户必须被Cognito识别,Cognito将返回一个令牌。
这里的问题与CREATE USER进程有关。为了使用此端点,用户必须存在于Cognito中,然后接收令牌并使用它连接到CREATE user端点。但是在数据库(API -endpoint)中创建用户时,用户不是在Cognito中创建的,并且没有访问API的权限。
那么,这个过程的最佳方法应该是什么?
您不需要总是使用TOKEN授权器。API网关允许您配置另一种类型的授权器:REQUEST.
在这种情况下,完全取决于你如何判断某人是否被授权调用你的API端点。
event看起来像这样(取自AWS文档):
{
"type": "REQUEST",
"methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/test/GET/request",
"resource": "/request",
"path": "/request",
"httpMethod": "GET",
"headers": {
"X-AMZ-Date": "20170718T062915Z",
"Accept": "*/*",
"HeaderAuth1": "headerValue1",
"CloudFront-Viewer-Country": "US",
"CloudFront-Forwarded-Proto": "https",
"CloudFront-Is-Tablet-Viewer": "false",
"CloudFront-Is-Mobile-Viewer": "false",
"User-Agent": "..."
},
"queryStringParameters": {
"QueryString1": "queryValue1"
},
"pathParameters": {},
"stageVariables": {
"StageVar1": "stageValue1"
},
"requestContext": {
"path": "/request",
"accountId": "123456789012",
"resourceId": "05c7jb",
"stage": "test",
"requestId": "...",
"identity": {
"apiKey": "...",
"sourceIp": "...",
"clientCert": {
"clientCertPem": "CERT_CONTENT",
"subjectDN": "www.example.com",
"issuerDN": "Example issuer",
"serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
"validity": {
"notBefore": "May 28 12:30:02 2019 GMT",
"notAfter": "Aug 5 09:36:04 2021 GMT"
}
}
},
"resourcePath": "/request",
"httpMethod": "GET",
"apiId": "abcdef123"
}
}
然后你需要告诉API Gateway它可以通过:
{
"principalId": "any-identifier-you-choose-like-uuid",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": "arn:aws:execute-api:eu-west-1:111111111111:abcdef/prod/GET/myresource"
]
}
}
还涉及到缓存策略,但这应该足以让您开始。