How do I get temporary AWS credentials for an unauthenticated role from a Cognito Identity Pool in PowerShell?

kyvafyod  posted on 2023-03-12  in  Shell

I am writing a PowerShell script that needs to access an AWS S3 bucket through Cognito using an unauthenticated role, but I am having a hard time finding much documentation. All the documentation I can find for the AWS PowerShell SDK talks about storing an AccessKey and SecretKey, but never about how to obtain those credentials through Cognito when you are not using a user pool.

8yoxcaq7  1#

There may be other ways to do this with PowerShell (I have not found them), but you can use AWS's REST API to obtain temporary credentials through Cognito.
The following PowerShell example shows how to:

  • Set up the REST URL
  • Get an ID from the Cognito identity provider
  • Request temporary credentials using the received ID (the AccessKey will start with AS rather than AK)
  • Set the temporary credentials

For more information, see:

function Get-CognitoRestURL {
    param(
        [parameter(Mandatory)]$Region
    )
    # Regional Cognito Identity endpoint. GetId and GetCredentialsForIdentity
    # are unsigned operations, so no AWS credentials are needed to call them.
    return  "https://cognito-identity.{0}.amazonaws.com/" -f $Region
}

function Get-AWSTempCredentials {
    param(
        [parameter(Mandatory)]$IdentityPoolId,
        [parameter(Mandatory)]$Region
    )

    $cognitoRestURL = Get-CognitoRestURL -Region $Region
    try {
        # Step 1: GetId. No "Logins" map is sent, so Cognito returns an
        # unauthenticated identity; the pool must allow unauthenticated identities.
        $requestTempId = Invoke-RestMethod -Uri $cognitoRestURL -Method "POST" `
        -Headers @{
            "authority"=$cognitoRestURL
            "x-amz-target"="AWSCognitoIdentityService.GetId"
            "x-amz-user-agent"="aws-powershell callback"
        } -ContentType "application/x-amz-json-1.1" -Body "{`"IdentityPoolId`":`"$($IdentityPoolId)`"}"
    } catch {
        # Request failed, we don't have the data we need to continue.
        # 'throw' instead of 'break': 'break' outside a loop would silently
        # abort the calling script; a terminating error lets the caller decide.
        throw "GetId failed: $_"
    }
    try {
        # Step 2: GetCredentialsForIdentity exchanges the IdentityId for STS
        # credentials scoped to the pool's unauthenticated IAM role.
        $tempCredentials = Invoke-RestMethod -Uri $cognitoRestURL -Method "POST" `
        -Headers @{
            "x-amz-target"="AWSCognitoIdentityService.GetCredentialsForIdentity"
            "x-amz-user-agent"="aws-powershell callback"
        } -ContentType "application/x-amz-json-1.1" -Body "{`"IdentityId`":`"$($requestTempId.IdentityId)`"}"
    } catch {
        # Request failed, we don't have the data we need to continue.
        throw "GetCredentialsForIdentity failed: $_"
    }

    # Contains .IdentityId and .Credentials (AccessKeyId, SecretKey,
    # SessionToken, Expiration as Unix epoch seconds).
    return $tempCredentials
}

function Set-AWSTempCredentials {
    param(
        [parameter(Mandatory)]$AccessKeyId,
        [parameter(Mandatory)]$SecretKey,
        [parameter(Mandatory)]$SessionToken,
        [parameter(Mandatory)]$ProfileName,
        [parameter(Mandatory)]$Region
    )

    # -StoreAs persists the profile to the SDK credential store on disk.
    # These credentials expire after one hour ($response.Credentials.Expiration),
    # so the stored profile goes stale and must be refreshed by running this again.
    # Omit -StoreAs to keep them in the current session only.
    Set-AWSCredential -AccessKey $AccessKeyId -SecretKey $SecretKey -SessionToken $SessionToken -StoreAs $ProfileName
    # Set-AWSCredential takes no region, so set the session default region separately.
    Set-DefaultAWSRegion -Region $Region
    return Get-AWSCredential -ProfileName $ProfileName
}

$region = "us-west-1"
$IdentityPoolId = "us-west-1:12a01023-4567-123a-bcd1-12345a0b1abc"

$response = Get-AWSTempCredentials -IdentityPoolId $IdentityPoolId -Region $region
Set-AWSTempCredentials -AccessKeyId $response.Credentials.AccessKeyId `
                       -SecretKey $response.Credentials.SecretKey `
                       -SessionToken $response.Credentials.SessionToken `
                       -ProfileName MyTempCredentials `
                       -Region $region
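As an added example (my code, not part of the answer above), here is a variant of the same two REST calls that checks what comes back (temporary STS keys start with `ASIA`), converts the `Expiration` field, keeps the credentials in memory rather than persisting them to the SDK store, and passes them straight to an S3 cmdlet. The helper names `Get-CognitoUnauthCredential` and `Test-CognitoCredentialFresh`, the pool ID, and the bucket name are placeholders I chose. Because GetId and GetCredentialsForIdentity are unsigned, anyone who learns the pool ID can obtain the same credentials, so the pool's unauthenticated role should grant only the S3 permissions this script actually needs.

```powershell
# Added example, not code from the original answer. Placeholder values are marked.

function Get-CognitoUnauthCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$IdentityPoolId,
        [Parameter(Mandatory)][string]$Region
    )

    $uri   = "https://cognito-identity.$Region.amazonaws.com/"
    $ctype = 'application/x-amz-json-1.1'

    # GetId with no Logins map -> unauthenticated identity. The call is unsigned,
    # so the pool ID alone is enough to obtain these credentials.
    $idResp = Invoke-RestMethod -Uri $uri -Method Post -ContentType $ctype `
        -Headers @{ 'x-amz-target' = 'AWSCognitoIdentityService.GetId' } `
        -Body (@{ IdentityPoolId = $IdentityPoolId } | ConvertTo-Json -Compress)

    # Exchange the IdentityId for STS credentials bound to the unauthenticated role.
    $credResp = Invoke-RestMethod -Uri $uri -Method Post -ContentType $ctype `
        -Headers @{ 'x-amz-target' = 'AWSCognitoIdentityService.GetCredentialsForIdentity' } `
        -Body (@{ IdentityId = $idResp.IdentityId } | ConvertTo-Json -Compress)

    $c = $credResp.Credentials
    if ($c.AccessKeyId -notlike 'ASIA*') {
        # STS temporary access keys start with ASIA; anything else means we did
        # not receive the session credentials we expected.
        throw "Unexpected access key id '$($c.AccessKeyId)' (expected an ASIA* key)"
    }

    # Expiration is Unix epoch seconds; convert to a UTC DateTime.
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.Expiration).UtcDateTime

    [pscustomobject]@{
        IdentityId   = $credResp.IdentityId
        AccessKeyId  = $c.AccessKeyId
        SecretKey    = $c.SecretKey
        SessionToken = $c.SessionToken
        Expiration   = $expires
    }
}

function Test-CognitoCredentialFresh {
    param(
        [Parameter(Mandatory)]$Credential,
        [int]$MarginSeconds = 300
    )
    # Treat credentials as stale a few minutes before they expire so a
    # long-running command does not fail halfway through.
    return ([DateTime]::UtcNow.AddSeconds($MarginSeconds) -lt $Credential.Expiration)
}

# --- usage (placeholder values) ---
$region         = 'us-west-1'
$identityPoolId = 'us-west-1:00000000-0000-0000-0000-000000000000'   # placeholder pool ID
$bucket         = 'example-bucket'                                    # placeholder bucket

$cred = Get-CognitoUnauthCredential -IdentityPoolId $identityPoolId -Region $region
if (-not (Test-CognitoCredentialFresh -Credential $cred)) {
    # Clock skew or a slow first call: fetch a fresh set before using them.
    $cred = Get-CognitoUnauthCredential -IdentityPoolId $identityPoolId -Region $region
}

# Hand the credentials to the cmdlet directly instead of persisting them with
# Set-AWSCredential -StoreAs: nothing is written to disk and nothing outlives
# the one-hour session.
Get-S3Object -BucketName $bucket -Region $region `
    -AccessKey $cred.AccessKeyId -SecretKey $cred.SecretKey -SessionToken $cred.SessionToken |
    Select-Object Key, Size, LastModified
```

If the unauthenticated role is missing `s3:ListBucket` on the bucket, `Get-S3Object` fails with AccessDenied; that is the check to run after scoping the role down, since the credentials themselves will be issued regardless of what the role allows.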
