首页 文章

无法使用Facebook AssumeRoleWithWebIdentity凭据访问AWS

提问于
浏览
1

Short version

以Facebook用户身份登录,我使用我的oAuth令牌来假设IAM role on AWS . 它返回看起来有效凭证的内容,例如有一个与我们的主密钥长度相似的AccessKeyId,SecretAccessKey .

当我尝试使用这些凭据访问DynamoDB表时,我得到两个例外之一:

  • "The remote server returned an error: (400) Bad Request." ;要么

  • "The security token included in the request is invalid." .

我正在使用AWS C#SDK版本1.5.25.0

Long version

如上所述,我正在尝试使用由Facebook身份授权的 AmazonSecurityTokenServiceClient 提供的凭据访问AWS上的DynamoDB表,如this AWS guide中所述 .

我创建的IAM角色的策略是:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:UpdateItem"
      ],
      "Sid": "Stmt1372350145000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}

How I get the credentials:

  • 用户使用oAuth登录Facebook .

  • 使用访问令牌,我假设IAM角色使用带有请求的 AmazonSecurityTokenServiceClient.AssumeRoleWithWebIdentity .

  • 这将返回看似有效凭据的内容,例如一个与我们的主密钥长度相似的AccessKeyId,SecretAccessKey .

using (var tokenServiceClient = new AmazonSecurityTokenServiceClient(RegionEndpoint.USEast1))
{
    var request = new AssumeRoleWithWebIdentityRequest
    {
        DurationSeconds = (int)TimeSpan.FromHours(1).TotalSeconds,
        ProviderId = "graph.facebook.com",
        RoleArn = "arn:aws:iam::193557284355:role/Facebook-OAuth",
        RoleSessionName = result.id,
        WebIdentityToken = FBClient.AccessToken
    };

    var response = tokenServiceClient.AssumeRoleWithWebIdentity(request);

    AWSAssumedRoleUser = response.AssumeRoleWithWebIdentityResult.AssumedRoleUser;
    AWSCredentials = response.AssumeRoleWithWebIdentityResult.Credentials;
}

How I use these credentials:

使用返回的凭据,然后我尝试访问 AWS DynamoDB 资源 .

using (var client = new AmazonDynamoDBClient(AWSCredentials.AccessKeyId, AWSCredentials.SecretAccessKey, AWSCredentials.SessionToken, RegionEndpoint.USEast1))
{
    var context = new DynamoDBContext(client);
    var data = context.Scan<SomeData>();    
}

在尝试 Scan 表时返回 "The remote server returned an error: (400) Bad Request." .

这是异常消息中的变化;如果我从上面省略 AWSCredentials.SessionToken AmazonDynamoDBClient

using (var client = new AmazonDynamoDBClient(AWSCredentials.AccessKeyId, AWSCredentials.SecretAccessKey, RegionEndpoint.USEast1))
{
    var context = new DynamoDBContext(client);
    var data = context.Scan<SomeData>();
}

在尝试 Scan 表时返回 "The security token included in the request is invalid." .

Question

在这一点上,我无法分辨出什么是错的,凭证无效或者我没有通过AWS所需的一切 .

任何人都可以提供任何有关错误或如何进一步调试的见解?

c# oauth amazon-web-services amazon-dynamodb

1 回答

  • 2

    我将我的问题交叉发布到AWS论坛,并收到了亚马逊工程师的答复 .

    https://forums.aws.amazon.com/message.jspa?messageID=465057

    DynamoDBContext 对象在目标表上调用 DescribeTable (并缓存此数据,因此为了获得最佳性能,您希望尽可能长时间地保持上下文对象,因此每个目标表只执行一次此调用) . 修改您的政策如下:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:UpdateItem",
        "dynamodb:DescribeTable"        
      ],
      "Sid": "Stmt1372350145000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
    回复于

相关问题