AWS JS SDK，IAM和DynamoDB问题-Java 学习之路

使用AWS JS SDK DynamoDB时出现此错误：

AccessDeniedException：User：arn：aws：its :: [accnt id]：assume-role / dynamoIntroRole / web-identity无权执行：dynamodb：PutItem on resource：arn：aws：dynamodb：us-west-2：[ accnt id]：table / websiteTest

这是我用过的HTML / JS：

<title>Insert title here</title>
</head>
<body>
<button id="login">Login</button>
<div id="fb-root"></div>

<script type="text/javascript">
var fbUserId;
var dynamodb = null; 
var appId = '120636118298132'; //from facebook
var roleArn = 'arn:aws:iam::[my account id deleted]:role/dynamoIntroRole'; //from AWS IAM

window.fbAsyncInit = function() {
	FB.init({appId : appId});
	
	document.getElementById('login').onclick = function(){
		
	FB.login(function (response)  
	{
		if(response.authResponse)
		{
			AWS.config.credentials = new AWS.WebIdentityCredentials({ //WIF
				RoleArn: roleArn,
				ProviderId: 'graph.facebook.com',
				WebIdentityToken: response.authResponse.accessToken
			});
			
			var dynamodb = new AWS.DynamoDB({ region: 'us-west-2' });
			var docClient = new AWS.DynamoDB.DocumentClient({ service: dynamodb });
			console.log("You're now logged in.");
			var params = {
					TableName: 'websiteTest',
				    Item: {
				        itemID:'lkjljljlkjlkjlkjlkjlkj',
				        f2:'kjhkjhkjhkjhkjhkjhkjhkjhkjh'
				    } 
				};
				docClient.put(params, function(err, data){
				    if (err) console.log(err);
				    else console.log(data);
				});
		}
		else
			{
			console.log("Issue logging in");
			}
		
	}); //end fb login
	
		};
	};
	// Load the FB JS SDK asynchronously
	(function(d, s, id){
	   var js, fjs = d.getElementsByTagName(s)[0];
	   if (d.getElementById(id)) {return;}
	   js = d.createElement(s); js.id = id;
	   js.src = "//connect.facebook.net/en_US/all.js";
	   fjs.parentNode.insertBefore(js, fjs);
	 }(document, 'script', 'facebook-jssdk'));
</script>

</body>

以下是我附加到所使用角色的IAM策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:[my account deleted]:table/websiteTest"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${graph.facebook.com:id}"
                    ]
                }
            }
        }
    ]
}

我错过了什么？

2 回答

我已经测试了你的HTML代码，它正在运行 . 您的IAM策略设置方式可能是 AccessDeniedException 的原因 . 我建议在浏览器中使用AWS SDK for JavaScript中规定的格式>创建IAM角色以分配通过Facebook登录的用户（http://aws.amazon.com/developers/getting-started/browser/） . 这对我有用 . 我希望它有所帮助 .

我的IAM政策是：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bookdashjs/facebook-${graph.facebook.com:id}/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bookdashjs"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": "facebook-${graph.facebook.com:id}"
                }
            }
        }
    ]
}

回复于 2024-04-18T16:08:48+08:00

5
您遇到的问题与IAM策略中指定的条件有关 . 它目前指定了细粒度的访问控制 .
```
"Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${graph.facebook.com:id}"
                ]
            }
        }
```
该条件要求分区键与使用的Facebook ID匹配 . 如果您没有指定的分区键，则会抛出AccessDeniedException .

因此，您需要创建一个以Facebook id作为分区键的表，或者从IAM策略中删除条件 . 另请注意，分区键必须是字符串才能使用细粒度的访问控制 .

资源：

Fine-Grained Access Control for DynamoDB

Example Policies for Fine-Grained Access Control
回复于 2024-04-18T16:08:48+08:00

AWS JS SDK，IAM和DynamoDB问题

2 回答

相关问题