AWS JS SDK, IAM and DynamoDB Issue
AWS JS SDK, IAM and DynamoDB Issue
使用AWS JS SDK+DynamoDB:时出现此错误
AccessDeniedException:用户:arn:aws:its::[accnt id]:假定的角色/发电机IntroRole/web标识未被授权执行:资源上的发电机db:PutItem:arn:aws:发电机db:us-west-2:[accnt id]:表/websiteTest
这是我使用过的HTML/JS:
<title>Insert title here</title>
</head>
<body>
<button id="login">Login</button>
<div id="fb-root"></div>
<script type="text/javascript">
var fbUserId;
var dynamodb = null;
var appId = '120636118298132'; //from facebook
var roleArn = 'arn:aws:iam::[my account id deleted]:role/dynamoIntroRole'; //from AWS IAM
window.fbAsyncInit = function() {
FB.init({appId : appId});
document.getElementById('login').onclick = function(){
FB.login(function (response)
{
if(response.authResponse)
{
AWS.config.credentials = new AWS.WebIdentityCredentials({ //WIF
RoleArn: roleArn,
ProviderId: 'graph.facebook.com',
WebIdentityToken: response.authResponse.accessToken
});
var dynamodb = new AWS.DynamoDB({ region: 'us-west-2' });
var docClient = new AWS.DynamoDB.DocumentClient({ service: dynamodb });
console.log("You're now logged in.");
var params = {
TableName: 'websiteTest',
Item: {
itemID:'lkjljljlkjlkjlkjlkjlkj',
f2:'kjhkjhkjhkjhkjhkjhkjhkjhkjh'
}
};
docClient.put(params, function(err, data){
if (err) console.log(err);
else console.log(data);
});
}
else
{
console.log("Issue logging in");
}
}); //end fb login
};
};
// Load the FB JS SDK asynchronously
(function(d, s, id){
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) {return;}
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/all.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
</script>
</body>
以下是我附加到所用角色的IAM策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-west-2:[my account deleted]:table/websiteTest"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${graph.facebook.com:id}"
]
}
}
}
]
}
我错过了什么?
您遇到的问题与IAM策略中指定的条件有关。它当前指定了细粒度的访问控制。
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${graph.facebook.com:id}"
]
}
}
该条件要求分区密钥与使用的Facebook id匹配。如果您没有指定的分区键,那么它将抛出AccessDeniedException。
因此,您需要创建一个以Facebook id作为分区键的表,或者从IAM策略中删除该条件。还要注意,分区键需要是一个字符串,以便使用细粒度访问控制。
资源:
DynamoDB 的细粒度访问控制
细粒度访问控制的策略示例
我已经测试了您的HTML代码,它正在工作。IAM策略的设置方式可能是AccessDeniedException
的原因。我建议遵循AWS SDK中为浏览器中的JavaScript规定的格式>创建IAM角色以分配通过Facebook登录的用户(http://aws.amazon.com/developers/getting-started/browser/)。这对我很有效。我希望它能有所帮助。
我的IAM政策是:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::bookdashjs/facebook-${graph.facebook.com:id}/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bookdashjs"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"s3:prefix": "facebook-${graph.facebook.com:id}"
}
}
}
]
}
相关文章:
- Selenium WebDriver and JavaScript change
- 使用DynamoDB查询返回
- PHP and Javascript functions
- Javascript Return and if/else
- SetTimeout and clearTimeout in Javascript
- lightbox in html 5 and javascript
- TimelineJS and AngularJS
- timeago.js with datatable and PHP
- javascript button ajax and php
- Ajax and Json with Rails
- Combine onload, onresize and onclick
- php布尔值's小写AND大写和数字布尔值'可以接受
- setTimeout and V8
- DynamoDB本地PutItem中的布尔字段
- Jquery post and onclick
- DynamoDB Vogels中索引字符串集的ValidationException
- Moment js and IOS
- Rails 3.2 and Paloma gem
- Amazon DynamoDB and AngularJS
- AWS JS SDK, IAM and DynamoDB Issue