我正在尝试使用AWS Cognito组创建基于角色的访问控制。我定义了以下角色和策略来拒绝访问资源
CognitoAuthRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: "CognitoAuthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Deny"
Action: "*"
Resource: "*"
然后我创建了一个名为admin隐名用户池的组,并分配了一个带有策略的角色,让用户调用API,如下所示
CognitoUserPoolGroupAdmin:
Type: AWS::Cognito::UserPoolGroup
Properties:
UserPoolId:
Ref: CognitoUserPool
GroupName: Admin
Precedence: 0
RoleArn:
Fn::GetAtt:
- AdminRole
- Arn
AdminRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: AdminRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: CognitoAdminPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "execute-api:Invoke"
Resource:
- arn:aws:execute-api:ap-south-1:****:***/*/GET/user
然后我创建了一个用户,并添加到组管理员中,获得了临时证书,然后尝试调用API,在邮递员中得到了以下403错误
"用户:arn:aws:sts::******:假定角色/auth-service-dev-CognitoAuthRole-1JO2U7LKRJRBB/CognitoIdentityCredentials未被授权对资源执行:execute api:Invokearn:aws:execute api:ap-south-1:********2015:***/dev/GET/user明确拒绝">
这运行得很好,并在删除和重新部署云形成堆栈后开始导致此错误。
根据评论,问题是explicit deny。来自文档:
如果代码找到哪怕一个应用的显式拒绝返回拒绝的最终决定。
基本上,explicit deny总是战胜任何allow。