How do I obtain temporary AWS credentials for an unauthenticated role in PowerShell using a Cognito IdentityPool?

Question

I was writing a PowerShell script that needed to access an AWS S3 bucket using an unauthenticated role via Cognito and had trouble finding much documentation. All of the documentation I was able to find for the AWS PowerShell SDK discussed storing your AccessKey and SecretKey but never how to get those credentials using Cognito when you aren't using a user pool.

Answer 1

Score: 0

There may be other ways to do this with PowerShell (I haven't been able to find them yet), but you can obtain temporary credentials through Cognito using AWS's REST API.

The following PowerShell example shows how to:

- Set your REST URL
- Get an id from the Cognito Identity provider
- Use the received id to request temporary credentials (AccessKey will begin with AS instead of AK)
- Set the temporary credentials

For more information see:

- AWS API: Getting credentials (Cognito Identity)
- AWS API: GetCredentialsForIdentity
- AWS API: GetId

```powershell
# Requires the AWS Tools for PowerShell (AWS.Tools.Common or the legacy AWSPowerShell module)
# for Set-AWSCredential / Get-AWSCredential / Set-DefaultAWSRegion.

#Ensure we communicate using TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-CognitoRestURL {
    param(
        [parameter(Mandatory)]$Region
    )
    # Cognito Identity is a regional endpoint; the pool id itself starts with the region
    return "https://cognito-identity.{0}.amazonaws.com/" -f $Region
}

function Get-AWSTempCredentials {
    param(
        [parameter(Mandatory)]$IdentityPoolId,
        [parameter(Mandatory)]$Region
    )

    $cognitoRestURL = Get-CognitoRestURL -Region $Region

    # Step 1: GetId - ask the identity pool for an (unauthenticated) identity id.
    # No Logins map is sent, so the pool must allow unauthenticated identities.
    try {
        $requestTempId = Invoke-RestMethod -Uri $cognitoRestURL -Method "POST" `
        -Headers @{
            "x-amz-target"="AWSCognitoIdentityService.GetId"
            "x-amz-user-agent"="aws-powershell callback"
        } -ContentType "application/x-amz-json-1.1" -Body "{`"IdentityPoolId`":`"$($IdentityPoolId)`"}"
    } catch {
        #Request failed, we don't have the data we need to continue
        throw $_
    }

    # Step 2: GetCredentialsForIdentity - exchange the identity id for temporary keys
    # (AccessKeyId, SecretKey, SessionToken, Expiration) scoped to the pool's unauthenticated role.
    try {
        $tempCredentials = Invoke-RestMethod -Uri $cognitoRestURL -Method "POST" `
        -Headers @{
            "x-amz-target"="AWSCognitoIdentityService.GetCredentialsForIdentity"
            "x-amz-user-agent"="aws-powershell callback"
        } -ContentType "application/x-amz-json-1.1" -Body "{`"IdentityId`":`"$($requestTempId.IdentityId)`"}"
    } catch {
        #Request failed, we don't have the data we need to continue
        throw $_
    }

    return $tempCredentials
}

function Set-AWSTempCredentials {
    param(
        [parameter(Mandatory)]$AccessKeyId,
        [parameter(Mandatory)]$SecretKey,
        [parameter(Mandatory)]$SessionToken,
        [parameter(Mandatory)]$ProfileName,
        [parameter(Mandatory)]$Region
    )

    # -StoreAs persists the (short-lived) credential set to the SDK credential store under $ProfileName
    Set-AWSCredential -AccessKey $AccessKeyId -SecretKey $SecretKey -SessionToken $SessionToken -StoreAs $ProfileName
    # Make the region the session default so later cmdlets using this profile don't need -Region
    Set-DefaultAWSRegion -Region $Region
    return Get-AWSCredential -ProfileName $ProfileName
}

$region = "us-west-1"
$IdentityPoolId = "us-west-1:12a01023-4567-123a-bcd1-12345a0b1abc"

$response = Get-AWSTempCredentials -IdentityPoolId $IdentityPoolId -Region $region
Set-AWSTempCredentials -AccessKeyId $response.Credentials.AccessKeyId `
                       -SecretKey $response.Credentials.SecretKey `
                       -SessionToken $response.Credentials.SessionToken `
                       -ProfileName MyTempCredentials `
                       -Region $region
```
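The same two-call exchange (GetId, then GetCredentialsForIdentity), written as an added example rather than the answer's own code, with three things a practitioner usually wants on top of the script above: the Cognito JSON error body is surfaced (the `__type` and `message` fields, so a pool that has unauthenticated identities disabled is distinguishable from a network failure), the returned key set is sanity-checked (ASIA prefix, session token present, expiry in the future) and the credentials are passed per call to the S3 cmdlets instead of being written to the on-disk credential store with `-StoreAs`. The function names `Invoke-CognitoIdentity` and `Get-CognitoUnauthCredential`, the identity pool id and the bucket name are assumptions; the example assumes the AWS.Tools.S3 (or AWSPowerShell) module is installed, and that `Expiration` arrives as epoch seconds, which is how the Cognito JSON protocol encodes timestamps.

```powershell
# Added example, not part of the original answer. Helper names, pool id and bucket are assumptions.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Invoke-CognitoIdentity {
    param(
        [parameter(Mandatory)][string]$Region,
        [parameter(Mandatory)][string]$Target,   # GetId or GetCredentialsForIdentity
        [parameter(Mandatory)][hashtable]$Body
    )
    $uri = "https://cognito-identity.{0}.amazonaws.com/" -f $Region
    try {
        return Invoke-RestMethod -Uri $uri -Method Post `
            -Headers @{ "x-amz-target" = "AWSCognitoIdentityService.$Target" } `
            -ContentType "application/x-amz-json-1.1" `
            -Body ($Body | ConvertTo-Json -Compress)
    } catch {
        # On an HTTP error Cognito answers with a JSON body carrying "__type" and "message"
        # (for example NotAuthorizedException when the pool does not allow unauthenticated
        # identities). Invoke-RestMethod typically exposes that body via ErrorDetails.Message.
        $detail = $null
        if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
            try { $detail = $_.ErrorDetails.Message | ConvertFrom-Json } catch { }
        }
        if ($detail -and $detail.__type) {
            throw "Cognito $Target failed: $($detail.__type): $($detail.message)"
        }
        throw   # not a Cognito-formatted error (DNS, proxy, TLS ...): rethrow as-is
    }
}

function Get-CognitoUnauthCredential {
    param(
        [parameter(Mandatory)][string]$IdentityPoolId,
        [parameter(Mandatory)][string]$Region
    )
    # Step 1: an identity id for this (anonymous) caller
    $id = Invoke-CognitoIdentity -Region $Region -Target GetId `
              -Body @{ IdentityPoolId = $IdentityPoolId }
    # Step 2: temporary keys for the pool's unauthenticated role
    $creds = Invoke-CognitoIdentity -Region $Region -Target GetCredentialsForIdentity `
                 -Body @{ IdentityId = $id.IdentityId }
    $c = $creds.Credentials

    # Sanity checks: temporary key ids start with "ASIA" (the "AS instead of AK" in the answer),
    # a session token must accompany them, and the expiry must still be in the future.
    if ($c.AccessKeyId -notlike "ASIA*") { throw "Unexpected access key id prefix: $($c.AccessKeyId)" }
    if (-not $c.SessionToken)            { throw "Cognito returned no session token" }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long][math]::Floor($c.Expiration)).UtcDateTime
    if ($expires -le [DateTime]::UtcNow) { throw "Credentials already expired at $expires UTC" }

    [pscustomobject]@{
        IdentityId   = $id.IdentityId
        AccessKeyId  = $c.AccessKeyId
        SecretKey    = $c.SecretKey
        SessionToken = $c.SessionToken
        Expiration   = $expires
    }
}

# --- usage (placeholder pool id and bucket; replace with your own) ---
$region = "us-west-1"
$pool   = "us-west-1:00000000-0000-0000-0000-000000000000"   # constructed placeholder
$cred   = Get-CognitoUnauthCredential -IdentityPoolId $pool -Region $region
Write-Host "Identity $($cred.IdentityId) is valid until $($cred.Expiration) UTC"

# Pass the keys per call (common credential parameters every AWS Tools cmdlet accepts)
# so nothing is persisted to the credential store and the keys die with the session.
Get-S3Object -BucketName "example-bucket" -Region $region `
    -AccessKey $cred.AccessKeyId -SecretKey $cred.SecretKey -SessionToken $cred.SessionToken |
    Select-Object Key, Size, LastModified
```

Keeping the credentials in a variable and passing them per call means a crashed or finished script leaves no `MyTempCredentials`-style profile behind; if several cmdlets are needed in one session, `Set-AWSCredential` without `-StoreAs` sets them for the current session only, which is the middle ground between the two approaches.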

huangapple
- Posted by huangapple on 2023-02-16 03:00:36
- Please keep this link when reposting: https://go.coder-hub.com/75464351.html