I am working through the AWS Android SDK sample code. I have S3_WIF_PersonalFileStore working, but I get an error in the DynamoDB_WIF_UserPreference sample that I cannot fix. I suspect the trust relationship, yet I am using the same values (with the appropriate substitutions) as in my working S3_WIF_PersonalFileStore.

My code successfully establishes a session with Facebook and then throws the following error:

04-03 09:42:15.949: E/(5161): com.amazonaws.AmazonServiceException: Status Code: 403, AWS Service: AWSSecurityTokenService, AWS Request ID: c41b700e-bb35-11e3-94ad-830da8959736, AWS Error Code: AccessDenied, AWS Error Message: Not authorized to perform sts:AssumeRoleWithWebIdentity

`wif.refresh()` throws this error. Note that the 403 is returned by STS itself (service AWSSecurityTokenService, action sts:AssumeRoleWithWebIdentity), so the Facebook login has already succeeded and the rejection happens when STS evaluates the role's trust policy against the token and role ARN the app sends — DynamoDB permissions are not involved yet.

I would appreciate any ideas on how to diagnose this further.

Thanks,

Jeff

My Trust Relationship Policy, from the IAM console (the `app_id` condition is what limits this role to tokens issued for one specific Facebook app; without it any Facebook-authenticated user could assume the role):

{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":{"Federated":"graph.facebook.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"graph.facebook.com:app_id":"486879244768576"}}}]}

My Role Permissions Policy, from the IAM console (the body was lost when the page was extracted; only the opening survives): {"Version":"2012-10-17","Statement":[{ … }]}

Relevant values from strings.xml: Facebook app ID 486879244768576 and role ARN arn:aws:iam::532776582086:role/DynamoFbUserPrefExample (written here without the stray spaces the page's formatting inserted — STS compares this string exactly against the role you created).

My code: `wif.refresh()` throws the error. Apart from adding some logging, I am running AWS's sample code unchanged.

package com.amazonaws.demo.userpreferences;

import android.app.Activity;
import android.content.SharedPreferences;
import android.os.AsyncTask;
import android.os.Bundle;
import android.util.Log;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.WebIdentityFederationSessionCredentialsProvider;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
  * This class is used to get clients to the various AWS services. Before
  * accessing a client the credentials should be checked to ensure validity.
 */
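 public class AmazonClientManager {

    private static final String LOG_TAG = "AmazonClientManager";

    /** Placeholder left in strings.xml when a provider's role ARN has not been filled in. */
    private static final String ROLE_ARN_PLACEHOLDER = "ROLE_ARN";

    /** Region every DynamoDB client built by this class is pinned to. */
    private static final Regions DDB_REGION = Regions.US_WEST_2;

    /**
     * Error codes on which the cached identity (the username stored in
     * SharedPreferences) is thrown away so the user must log in again.
     * STS codes:
     * http://docs.amazonwebservices.com/STS/latest/APIReference/CommonErrors.html
     * DynamoDB codes:
     * http://docs.amazonwebservices.com/amazondynamodb/latest/developerguide/ErrorHandling.html#APIErrorTypes
     *
     * NOTE(review): STS reports a rejected AssumeRoleWithWebIdentity as
     * "AccessDenied" (no "Exception" suffix). That code is not in this list,
     * so such a failure leaves the cached username in place.
     */
    private static final Set<String> WIPE_ON_ERROR_CODES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    // STS
                    "IncompleteSignature",
                    "InternalFailure",
                    "InvalidClientTokenId",
                    "OptInRequired",
                    "RequestExpired",
                    "ServiceUnavailable",
                    // DynamoDB
                    "AccessDeniedException",
                    "IncompleteSignatureException",
                    "MissingAuthenticationTokenException",
                    "ValidationException",
                    "InternalServerError")));

    private AmazonDynamoDBClient ddb = null;
    private SharedPreferences sharedPreferences = null;

    private WebIdentityFederationSessionCredentialsProvider wif = null;
    private WIFIdentityProvider idp = null;

    private String fbRoleARN = null;
    private String googleRoleARN = null;
    private String amazonRoleARN = null;
    private String googleClientID = null;

    /**
     * @param settings preference store used to cache the logged-in username
     * @param bundle   application metadata carrying the "FBRoleARN",
     *                 "GoogleRoleARN", "AMZNRoleARN" and "GoogleClientID" values
     */
    public AmazonClientManager(SharedPreferences settings, Bundle bundle) {
        this.sharedPreferences = settings;
        // Developer shortcut: when long-term keys are embedded in the build,
        // a client is created up front and web identity federation is bypassed.
        if (PropertyLoader.getInstance().hasCredentials()) {
            this.initWithEmbeddedCredentials();
        }
        fbRoleARN = bundle.getString("FBRoleARN");
        googleRoleARN = bundle.getString("GoogleRoleARN");
        amazonRoleARN = bundle.getString("AMZNRoleARN");
        googleClientID = bundle.getString("GoogleClientID");
    }

    /** @return the DynamoDB client, or null until a login has completed */
    public AmazonDynamoDBClient ddb() {
        return ddb;
    }

    /**
     * True when the app has some way to obtain AWS credentials: either keys
     * are embedded in the build or at least one provider role ARN was filled
     * in. A missing (null) ARN is treated like the untouched placeholder
     * instead of raising a NullPointerException.
     */
    public boolean hasCredentials() {
        if (PropertyLoader.getInstance().hasCredentials()) {
            return true;
        }
        return isConfigured(fbRoleARN) || isConfigured(googleRoleARN) || isConfigured(amazonRoleARN);
    }

    /** A role ARN counts as configured when it is non-null and not the placeholder. */
    private static boolean isConfigured(String roleArn) {
        return roleArn != null && !ROLE_ARN_PLACEHOLDER.equals(roleArn);
    }

    /** Logged in means a DynamoDB client has been built (by login or embedded keys). */
    public boolean isLoggedIn() {
        return ddb != null;
    }

    /** Drops the cached username and the DynamoDB client. */
    public void clearCredentials() {
        synchronized (this) {
            AmazonSharedPreferencesWrapper.wipe(this.sharedPreferences);
            ddb = null;
        }
    }

    /**
     * Clears credentials when {@code ex} carries one of the codes in
     * {@link #WIPE_ON_ERROR_CODES}.
     *
     * @param ex the service exception returned by STS or DynamoDB
     * @return true when credentials were cleared, false when the error is left to the caller
     */
    public boolean wipeCredentialsOnAuthError(AmazonServiceException ex) {
        // Set.contains tolerates a null error code; the equals chain it replaces did not.
        if (!WIPE_ON_ERROR_CODES.contains(ex.getErrorCode())) {
            return false;
        }
        clearCredentials();
        return true;
    }

    /**
     * Exchanges the identity provider's token for temporary AWS credentials via
     * STS AssumeRoleWithWebIdentity, then builds a DynamoDB client from them.
     * The network call runs in an AsyncTask; the activity is finished with
     * RESULT_OK on success or RESULT_CANCELED (and the throwable posted) on failure.
     *
     * @param wifIDP   provider supplying the token, provider id and role ARN
     * @param activity activity to report the outcome to
     */
    public void login(WIFIdentityProvider wifIDP, final AlertActivity activity) {
        idp = wifIDP;

        // The token is a bearer credential for the user's Facebook/Google/Amazon
        // account. It must not be written to logcat, which other apps (READ_LOGS
        // on older Android) or anyone with adb access can read. Log only the
        // non-secret values needed to debug a trust-policy mismatch.
        Log.i(LOG_TAG, "token present: " + (idp.getToken() != null));
        Log.i(LOG_TAG, "provider: " + idp.getProviderID());
        Log.i(LOG_TAG, "arn: " + idp.getRoleARN());

        wif = new WebIdentityFederationSessionCredentialsProvider(idp.getToken(), idp.getProviderID(), idp.getRoleARN());

        // refresh() talks to STS, so it must run off the main thread.
        new AsyncTask<Void, Void, Throwable>() {
            @Override
            protected Throwable doInBackground(Void... arg0) {
                try {
                    wif.refresh(); // STS AssumeRoleWithWebIdentity happens here
                } catch (Throwable t) {
                    return t;
                }
                return null;
            }

            @Override
            protected void onPostExecute(Throwable t) {
                if (t != null) {
                    Log.e(LOG_TAG, "Unable to login.", t);
                    activity.setResult(Activity.RESULT_CANCELED);
                    activity.setStackAndPost(t);
                } else {
                    ddb = new AmazonDynamoDBClient(wif);
                    ddb.setRegion(Region.getRegion(DDB_REGION));
                    String subject = wif.getSubjectFromWIF();
                    AmazonSharedPreferencesWrapper.storeUsername(sharedPreferences, subject);
                    Log.d(LOG_TAG, "Logged in with user id " + subject);
                    activity.setResult(Activity.RESULT_OK);
                }
                activity.finish();
            }
        }.execute();
    }

    /**
     * Builds a DynamoDB client from the access key / secret key embedded in the
     * build. NOTE(review): long-term IAM keys shipped inside an APK can be
     * extracted by anyone who has the app; this path is a local-development
     * convenience only and must not be present in a release build.
     */
    private void initWithEmbeddedCredentials() {
        if (ddb != null) {
            return;
        }
        PropertyLoader props = PropertyLoader.getInstance();
        AWSCredentials credentials = new BasicAWSCredentials(props.getAccessKeyID(), props.getSecretKey());
        ddb = new AmazonDynamoDBClient(credentials);
        ddb.setRegion(Region.getRegion(DDB_REGION));
        Log.d(LOG_TAG, "Logged in with embedded credentials");
    }

    /** @return the username cached by the last successful login, via SharedPreferences */
    public String getUsername() {
        return AmazonSharedPreferencesWrapper.getUsername(this.sharedPreferences);
    }

    public String getAmazonRoleARN() {
        return amazonRoleARN;
    }

    public String getGoogleRoleARN() {
        return googleRoleARN;
    }

    public String getFacebookRoleARN() {
        return fbRoleARN;
    }

    public String getGoogleClientID() {
        return googleClientID;
    }

    /** Clears the cached username without touching the client (unlike clearCredentials). */
    public void wipe() {
        AmazonSharedPreferencesWrapper.wipe(this.sharedPreferences);
    }
}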