amazon-web-services - CDK 有没有办法向通过 Cognito 身份验证的用户授予 S3 访问权限

Question

使用 CDK 我正在尝试创建:

使用 KMS 加密的私有(private) S3 存储桶

在 Amplify 上运行的 VueJS 前端中使用的 Cognito 用户池

我两者都有，但我找不到一种方法来授予经过身份验证的用户将文件上传到我的存储桶的权利。
我看过 Amplify doc声明我必须创建一个授权登录用户级别访问存储桶的 Auth_Role，我尝试使用 CfnIdentityPoolRoleAttachment但没有成功，我一直得到403。
这是我的 CDK:

    // KMS
    const ClientKmsKey = new kms.Key(this, 'ClientMasterKey', { trustAccountIdentities: true });


    // Encrypted Bucket
    const test_bucket = new s3.Bucket(this, 'bucket-name', {
      bucketName: 'bucket-name',
      encryption: s3.BucketEncryption.KMS,
      encryptionKey: ClientKmsKey,
      cors: [
        {
          allowedHeaders: [
            "*"
          ],
          allowedMethods: [
            s3.HttpMethods.POST,
            s3.HttpMethods.PUT,
            s3.HttpMethods.GET,
          ],
          allowedOrigins: [
            "*"
          ],
          exposedHeaders: [
            'x-amz-server-side-encryption',
            'x-amz-request-id',
            'x-amz-id-2',
            'ETag'
          ],
        }
      ],
    });

    // Identity Pool
    const userPool = new cognito.UserPool(this, 'AppFrontUserPool', {
      userPoolName: "AppFrontUserPool",
      selfSignUpEnabled: false,
      signInAliases: {
          email: true,
          phone: false,
          username: false
      }
    });

    const userPoolClient = userPool.addClient('app-client', 
    {
      oAuth: {
        flows : {
          implicitCodeGrant: true
        },
        scopes: [OAuthScope.OPENID, ],
        callbackUrls: ['...']
      }
    });

    const identityPool = new cognito.CfnIdentityPool(this, 'app-identity-pool', {
      allowUnauthenticatedIdentities: false,
      cognitoIdentityProviders: [{
          clientId: userPoolClient.userPoolClientId,
          providerName: userPool.userPoolProviderName,
      }]
    });


    // Role for authenticated Users
    const authenticatedRole = new iam.Role(this, 'CognitoDefaultAuthenticatedRole', {
      assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
          "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
          "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
      }, "sts:AssumeRoleWithWebIdentity"),
    });
    authenticatedRole.addToPolicy(new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          "s3:*",
          "mobileanalytics:PutEvents",
          "mobileanalytics:GetEvents",
          "cognito-sync:*"
        ],
        resources: [
          '*'
        ],
    }));

    // Role for UNauthenticated Users
    const unauthenticatedRole = new iam.Role(this, 'CognitoDefaultUnauthenticatedRole', {
      assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
          "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
          "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" },
      }, "sts:AssumeRoleWithWebIdentity"),
    });
    unauthenticatedRole.addToPolicy(new iam.PolicyStatement({
      effect: iam.Effect.DENY,
      actions: [
        "s3:*",
        "mobileanalytics:PutEvents",
        "mobileanalytics:GetEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      resources: [
        '*'
      ],
    }));

    const defaultPolicy = new cognito.CfnIdentityPoolRoleAttachment(this, 'DefaultValid', {
        identityPoolId: identityPool.ref,
        roles: {
            'unauthenticated': unauthenticatedRole.roleArn,
            'authenticated': authenticatedRole.roleArn
        }
    });

我使用这篇文章来创建 Cognito 策略:
How to create Cognito IdentityPool with Cognito UserPool as one of the Authentication provider using aws cdk?
我找不到检查我的自定义角色是否真的附加到控制台中经过身份验证的用户的方法。
还有什么我可以做的吗？我可以在控制台中检查我在 Cognito 中的用户池是否真的在使用我的策略？
编辑:
这就是我尝试使用 Amplify 调用 S3 存储桶的方式:
该配置仅指定存储桶和区域。

Storage.get('test_amplify.txt', { level: 'public',  ServerSideEncryption: 'aws:kms', SSEKMSKeyId: '...'})
        .then (result => console.log(result))
        .catch(err => console.log(err));
Storage.put('test_from_front.txt', 'HELLO !', { level: 'public',  ServerSideEncryption: 'aws:kms', SSEKMSKeyId: '...'})
        .then (result => console.log(result))
        .catch(err => console.log(err));
 

Storage.get('test_amplify.txt', { level: 'public' })
        .then (result => console.log(result))
        .catch(err => console.log(err));
Storage.put('test_from_front.txt', 'HELLO !')
        .then (result => console.log(result))
        .catch(err => console.log(err));

还是403

Answer 1

您必须向经过身份验证和未经身份验证的角色授予 kms key 的权限。
与此类似的东西:

    // Grant kms permissions
    authenticatedRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          'kms:Decrypt',
          'kms:Encrypt',
          'kms:DescribeKey',
          'kms:ReEncrypt*',
          'kms:GenerateDataKey*',
        ],
        resources: ['*'],
      })
    )

    // Grant decrypt for authenticatedRole role
    ClientKmsKey.grantDecrypt(
      new iam.ArnPrincipal(authenticatedRole.roleArn)
    )

    // Grant kms permissions
    unAuthenticatedRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          'kms:Decrypt',
          'kms:Encrypt',
          'kms:DescribeKey',
          'kms:ReEncrypt*',
          'kms:GenerateDataKey*',
        ],
        resources: ['*'],
      })
    )

    // Grant decrypt for unAuthenticatedRole role
    ClientKmsKey.grantDecrypt(
      new iam.ArnPrincipal(unAuthenticatedRole.roleArn)
    )

有用的链接:
https://aws.amazon.com/es/premiumsupport/knowledge-center/decrypt-kms-encrypted-objects-s3/
https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/
我希望它对你有用。
@fkone