我正在开发一个Android应用程序,该应用程序使用firebase authentication登录并使用AWS S3和dynamodb来管理数据/图像。我正在尝试通过AWSAssumeRoleWebIdentity委派对 AWS 资源的访问权限。 我这样做的原因是AWS Sign-In UI不允许对 UI 和 UI 流进行足够的自定义。 我决定仅将firebase authentication用于登录和注册。
请找到源代码和OIDC Provider设置。 有了它们,错误日志是
No OpenIDConnect provider found in your account for https://securetoken.google.com/[project-name] (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: 37607060-9e1c-11e8-8ae0-636eae27c3bf)
AWS IAM的身份提供程序已使用"securetoken.google.com/[我的项目名称]/"的名称创建,我创建的指纹引用了 [1] 和 OAuth 2.0 客户端 IDCredentialsGoogle Cloud Service API & Services。
源代码如下所示。
public void uploadImageFile() {
CustomLog.logI("start of uploadImageFile");
setIDToken();
}
private void setIDToken() {
FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
// To get ID Token of the user authenticated by google authentication
mUser.getIdToken(true)
.addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
public void onComplete (@NonNull Task< GetTokenResult > task) {
if (task.isSuccessful()) {
// Token information is set to mIDToken of the global variable
mIDToken = task.getResult().getToken();
AsyncTaskForAssumeRole asyncTaskForAssumeRole = new AsyncTaskForAssumeRole();
asyncTaskForAssumeRole.execute();
} else {
CustomLog.logE(task.getException().getMessage());
}
}
});
}
public class AsyncTaskForAssumeRole extends AsyncTask<Void, Void, BasicSessionCredentials> {
protected BasicSessionCredentials doInBackground(Void... params) {
try {
// set credentials from AssumeRoleWithWebIdentity
BasicSessionCredentials credentials = setAssumeRoleWithWebIdentity();
return credentials;
} catch (Exception e) {
CustomLog.logE(e.getMessage());
return null;
}
}
protected void onPostExecute(BasicSessionCredentials credentials) {
// upload file with S3 connection
connectToS3ForUpload(credentials);
}
}
private BasicSessionCredentials setAssumeRoleWithWebIdentity(){
CustomLog.logD("start of setAssumeRoleWithWebIdentity");
String ROLE_ARN = [my role arn];
// set AssumeRoleWithWebIdentity request with created policy and token information retrieved through Google Sign in information
AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
.withWebIdentityToken(mIDToken)
.withRoleArn(ROLE_ARN)
.withRoleSessionName("wifsession");
BasicAWSCredentials basicCreds = new BasicAWSCredentials("", "");
AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient(basicCreds);
AssumeRoleWithWebIdentityResult result = sts.assumeRoleWithWebIdentity(request);
Credentials stsCredentials = result.getCredentials();
String subjectFromWIF = result.getSubjectFromWebIdentityToken();
BasicSessionCredentials credentials = new BasicSessionCredentials(stsCredentials.getAccessKeyId(),
stsCredentials.getSecretAccessKey(),
stsCredentials.getSessionToken());
return credentials;
}
提前非常感谢。
[1] http://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html
考虑使用 Amazon Cognito 联合身份(身份池(将用户从您的身份提供商联合(映射(到 Amazon Cognito 并获取 Cognito 身份 ID,该 ID 可用于授权访问 AWS 资源。有关更多详细信息,请参阅 https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html。
Map<String, String> logins = new HashMap<String, String>();
logins.put("login.provider.com", token);
credentialsProvider.setLogins(logins);
现在,您可以将credentialsProvider对象与 Amazon S3 客户端一起使用。
AmazonS3 s3Client = new AmazonS3Client(getApplicationContext(), credentialsProvider);