gpt4 book ai didi

amazon-web-services - DynamoDB 细粒度访问控制 : is it possible to use ${cognito-identity. amazonaws.com :email}?

转载 作者:行者123 更新时间:2023-12-03 01:02:45 24 4
gpt4 key购买 nike

我的用户拥有 Cognito 帐户。

根据 this article,我们可以使用如下策略限制对 DynamoDB API 的访问:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb: <REGION>:<AWS_ACCOUNT_ID>:table/<TABLE>"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:sub}"
]
}
}
}
]
}

当索引键为email(并且主要排序键为utc)时,对于我的情况来说看起来非常简单,因此我将上面的示例调整为以下示例:

    {
"Effect": "Allow",
"Action": "dynamodb:UpdateItem",
"Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:email}"
],
"dynamodb:Attributes": [
"email",
"utc",
"updated",
"isNew"
]
}
}

但我不断收到错误 AccessDeniedException: User: arn:aws:sts::9876543210:assumed-role/policyname/CognitoIdentityCredentials 无权执行: dynamodb:UpdateItem on resources: arn:aws:dynamodb: us-east-1:123456789123:表/历史

我尝试使用 * 权限进行 js http 调用,并且它有效,因此只有此策略才会出现陷阱。

最佳答案

this thread我发现我可以使用
${cognito-idp.us-east-1.amazonaws.com:sub}
这不是电子邮件,但将来我可以 list users有了这个

关于amazon-web-services - DynamoDB 细粒度访问控制 : is it possible to use ${cognito-identity. amazonaws.com :email}?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/48261646/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com