I have set up a Cognito Identity Pool with the custom developer provider name "my.developer". From my Node Lambda function, I call the following code:
var AWS = require('aws-sdk');
AWS.config.region = 'ap-northeast-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'ap-northeast-1:*****' // I am using a valid UUID here
});
var cognitoidentity = new AWS.CognitoIdentity();
var params = {
  IdentityPoolId: 'ap-northeast-1:*****',
  Logins: { 'my.developer': 'test-user' }
};
cognitoidentity.getOpenIdTokenForDeveloperIdentity(params,
  function(err, data) {
    console.log('error:', err);
    console.log('data:', data);
  }
);
...When I test the function, I get an error:
{
"errorMessage": "These credentials are not valid for accessing this resource",
"errorType": "AccessDeniedException",
"stackTrace": [
"Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:43:27)",
I have a Cognito_Unauth_Role and a Cognito_Auth_Role, both of which look like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
...What am I missing?
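Make sure the Lambda function's execution role (this is not Cognito_Unauth_Role, nor Cognito_Auth_Role, but the role the Lambda function uses when it executes) has sufficient permissions for the Cognito service. An example policy is: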
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
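The example policy in the answer above grants every Cognito Identity and Cognito Sync action on every resource. As an added example (not part of the original answers), here is a narrower execution-role policy limited to the one call the Lambda makes, with a simplified checker that compares the two. ACCOUNT_ID and POOL_ID are placeholders, and `wildcardMatch` and `isAllowed` are hypothetical helpers that ignore conditions, NotAction and NotResource.

```javascript
// Added example: a scoped-down execution-role policy and a small checker.
// ACCOUNT_ID and POOL_ID are placeholders, not values from the page.
const POOL_ARN =
  'arn:aws:cognito-identity:ap-northeast-1:ACCOUNT_ID:identitypool/ap-northeast-1:POOL_ID';

// The wildcard policy from the answer above.
const broadPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['cognito-sync:*', 'cognito-identity:*'], Resource: ['*'] }]
};

// Only the call the Lambda makes, only on its own identity pool.
const scopedPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: 'cognito-identity:GetOpenIdTokenForDeveloperIdentity',
    Resource: POOL_ARN
  }]
};

// IAM wildcard match: '*' is any run of characters, '?' is one character.
function wildcardMatch(pattern, value, ignoreCase) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$', ignoreCase ? 'i' : '').test(value);
}

const asList = (v) => (Array.isArray(v) ? v : [v]);

// Simplified evaluation of one identity-based policy: an explicit Deny wins,
// otherwise a matching Allow is required. Action names match case-insensitively.
function isAllowed(policy, action, resource) {
  let allowed = false;
  for (const st of asList(policy.Statement)) {
    const hit = asList(st.Action).some((a) => wildcardMatch(a, action, true)) &&
                asList(st.Resource).some((r) => wildcardMatch(r, resource, false));
    if (hit && st.Effect === 'Deny') return false;
    if (hit && st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}
```
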
Strangely, removing the following lines fixed the problem:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'ap-northeast-1:*****' // I am using a valid UUID here
});
...I guess that by creating the CognitoIdentityCredentials object in the Lambda function, it removed the role configured in the web console.
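The error message:
"errorMessage": "These credentials are not valid for accessing this resource"
means that the credentials here should be credentials with developer access. So they should be the basic credentials of an access key and a secret key.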