Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
930 views
in Technique[技术] by (71.8m points)

amazon-web-services - 是否可以向通过AWS Amplify预置的lambda PostAuthenticate函数赋予其他权限?(Can additional permissions be given to a lambda PostAuthenticate function provisioned with AWS Amplify?)

TL;DR: Can Amplify CloudFormation template for a Post Authentication function configuration been manually changed to give permissions to (for example) IoT attachPrincipalPolicy ?

(TL; DR:是否 可以手动更改用于Post Authentication功能配置的Amplify CloudFormation模板,以授予(例如) IoT AttachPrincipalPolicy权限)

I am using AWS Amplify and the amplify CLI to setup a new project.

(我使用AWS放大和的amplify CLI设置一个新的项目。)

Overall, Amplify has made things very easy however I am stuck with this feeling that you can only go "so far" with Amplify before things become difficult or impossible to do through an Amplify controlled project.

(总体而言,Amplify使事情变得非常容易,但是我一直坚信,只有在Amplify受控项目使事情变得困难或不可能完成之前,您才能对Amplify进行“深入了解”。)

The use case I am interested in has to do with setting up PubSub with IoT - the AWS instructions cover how to get this working but I would call this more "proof of concept" than "something that you should use in anything close to production" - it involves manually calling aws iot attach-principal-policy --policy-name 'myIoTPolicy' --principal '<YOUR_COGNITO_IDENTITY_ID>' on every single Cognito identity.

(我感兴趣的用例与使用IoT设置PubSub 指令介绍了如何使之工作,但我将其称为“概念证明”,而不是“在生产环境中应使用的东西” -它涉及在每个单个Cognito身份上手动调用aws iot attach-principal-policy --policy-name 'myIoTPolicy' --principal '<YOUR_COGNITO_IDENTITY_ID>' 。)

Instead what I would like to do is use a Post Authentication lambda function / event hook to call the attachPrincipalPolicy when a user logs into the website (potentially first checking to see if the policy is already attached!).

(相反,我想做的是当用户登录网站时使用Post Authentication lambda函数/事件挂钩来调用attachPrincipalPolicy (可能首先检查该策略是否已附加!)。)

Perhaps obviously this does not "just work", I tested

(我测试了一下,也许这显然行不通)

var iot = new AWS.Iot();

  var params = {
    policyName: 'myIoTPolicy', /* required */
    principal: 'XYZ123XYZ123' /* required */
  };

  try {
    iot.attachPrincipalPolicy(params, function (err, data) {
      if (err) console.log(err, err.stack); // an error occurred
      else console.log(data);           // successful response

      callback(null, event);
    });
  } catch (e) {
    console.log(e);           // successful response
  }

and ended up with an error like

(并最终出现类似的错误)

AccessDeniedException: User: arn:aws:sts::123123123123123:assumed-role/project82382PostAuthentication-master/project82382PostAuthentication-master is not authorized to perform: iot:AttachPrincipalPolicy on resource: XYZ123XYZ123

The heart of the question is, how do I give this lambda function permissions in a way that is going to not break when / if I modify the project using the Amplify CLI?

(问题的核心是,当/如果我使用Amplify CLI修改项目时,如何以不中断的方式授予此lambda函数权限?)

For example, I could in theory change project82382PostAuthentication-cloudformation-template.json and add some sort of configuration that would give permission to execute iot:AttachPrincipalPolicy , but this would then be removed I'd think if / when I change configuration of something causing Amplify CLI to regenerate the CloudFormation templates?

(例如,从理论上讲,我可以更改project82382PostAuthentication-cloudformation-template.json并添加某种配置,该配置将授予执行iot:AttachPrincipalPolicy权限,但是我想如果/当我更改引起某些问题的配置时,将其删除放大CLI以重新生成CloudFormation模板吗?)

  ask by shoelessone translate from so

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
等待大神答复

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...