使用AWS JS SDK DynamoDB时出现此错误:
AccessDeniedException:User:arn:aws:its :: [accnt id]:assume-role / dynamoIntroRole / web-identity无权执行:dynamodb:PutItem on resource:arn:aws:dynamodb:us-west-2:[ accnt id]:table / websiteTest
这是我用过的HTML / JS:
<title>Insert title here</title>
</head>
<body>
<button id="login">Login</button>
<div id="fb-root"></div>
<script type="text/javascript">
var fbUserId;
var dynamodb = null;
var appId = '120636118298132'; //from facebook
var roleArn = 'arn:aws:iam::[my account id deleted]:role/dynamoIntroRole'; //from AWS IAM
window.fbAsyncInit = function() {
FB.init({appId : appId});
document.getElementById('login').onclick = function(){
FB.login(function (response)
{
if(response.authResponse)
{
AWS.config.credentials = new AWS.WebIdentityCredentials({ //WIF
RoleArn: roleArn,
ProviderId: 'graph.facebook.com',
WebIdentityToken: response.authResponse.accessToken
});
var dynamodb = new AWS.DynamoDB({ region: 'us-west-2' });
var docClient = new AWS.DynamoDB.DocumentClient({ service: dynamodb });
console.log("You're now logged in.");
var params = {
TableName: 'websiteTest',
Item: {
itemID:'lkjljljlkjlkjlkjlkjlkj',
f2:'kjhkjhkjhkjhkjhkjhkjhkjhkjh'
}
};
docClient.put(params, function(err, data){
if (err) console.log(err);
else console.log(data);
});
}
else
{
console.log("Issue logging in");
}
}); //end fb login
};
};
// Load the FB JS SDK asynchronously
(function(d, s, id){
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) {return;}
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/all.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
</script>
</body>
以下是我附加到所使用角色的IAM策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-west-2:[my account deleted]:table/websiteTest"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${graph.facebook.com:id}"
]
}
}
}
]
}
我错过了什么?
2 回答
我已经测试了你的HTML代码,它正在运行 . 您的IAM策略设置方式可能是
AccessDeniedException
的原因 . 我建议在浏览器中使用AWS SDK for JavaScript中规定的格式>创建IAM角色以分配通过Facebook登录的用户(http://aws.amazon.com/developers/getting-started/browser/) . 这对我有用 . 我希望它有所帮助 .我的IAM政策是:
您遇到的问题与IAM策略中指定的条件有关 . 它目前指定了细粒度的访问控制 .
该条件要求分区键与使用的Facebook ID匹配 . 如果您没有指定的分区键,则会抛出AccessDeniedException .
因此,您需要创建一个以Facebook id作为分区键的表,或者从IAM策略中删除条件 . 另请注意,分区键必须是字符串才能使用细粒度的访问控制 .
资源:
Fine-Grained Access Control for DynamoDB
Example Policies for Fine-Grained Access Control