Access to Role 'cognito role' is forbidden

Updated: 2024-10-25 20:28:05

Problem description

I'm getting this strange error, Access to Role 'cognito role' is forbidden, while creating a CloudFormation stack. Here is my CloudFormation file in YAML format.

I'm basically creating an S3 bucket and a Cognito identity to facilitate client-side access to my bucket. The whole thing is working fine except for this error: Access to Role 'phototest-cognitoRole-1AMKUVXUXAJ5H' is forbidden. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException

AWSTemplateFormatVersion: 2010-09-09

Resources:
  photoBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: it-academy-photos-bucket
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders: ['*']
            AllowedMethods: [GET,POST,PUT]
            AllowedOrigins: ['*']
            Id: myrules
  cognitoRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: lets Cognito identities assume this role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                # full service domain (the ".com" suffix was missing)
                - "cognito-identity.amazonaws.com"
            Action:
              - sts:AssumeRoleWithWebIdentity
      Policies:
        - PolicyName: "photo_client_policy"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: VisualEditor1
                Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObjectAcl
                  - s3:GetObject
                  - s3:GetObjectTorrent
                  - s3:GetObjectVersionAcl
                  - s3:PutObjectVersionTagging
                  - s3:GetObjectTagging
                  - s3:PutObjectTagging
                  - s3:PutBucketCORS
                  - s3:PutObjectAcl
                  - s3:GetObjectVersion
                Resource: "*"
  cognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: "photo_bucket"
      AllowUnauthenticatedIdentities: true
  cognitoIdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref cognitoIdentityPool
      Roles:
        # this is the line that produces the error described above
        unauthenticated: !Ref cognitoRole

Recommended answer

I was having the same problem and figured out the unauthenticated role needs the Arn and not the logical ID. This should fix the issue:

cognitoIdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId: !Ref cognitoIdentityPool
    Roles:
      unauthenticated: !GetAtt cognitoRole.Arn
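
A pre-deployment check for the mistake discussed in this question and answer, as an added example (not code from the original post): it walks a CloudFormation template in its JSON form and flags `AWS::Cognito::IdentityPoolRoleAttachment` role entries that use `Ref` on an `AWS::IAM::Role`, which resolves to the role name rather than the ARN. The function names and the sample template are constructed for illustration.

```python
# Constructed sample: JSON-form equivalent of the role attachment from the
# question ("broken") next to the corrected one from the answer ("fixed").
POOL = {"Ref": "cognitoIdentityPool"}
TEMPLATE = {"Resources": {
    "cognitoRole": {"Type": "AWS::IAM::Role"},
    "cognitoIdentityPool": {"Type": "AWS::Cognito::IdentityPool"},
    "brokenAttachment": {
        "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
        "Properties": {"IdentityPoolId": POOL,
                       "Roles": {"unauthenticated": {"Ref": "cognitoRole"}}}},
    "fixedAttachment": {
        "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
        "Properties": {"IdentityPoolId": POOL,
                       "Roles": {"unauthenticated":
                                 {"Fn::GetAtt": ["cognitoRole", "Arn"]}}}},
}}

def role_ref_problem(value, resources):
    """Return a message if a Roles entry will not resolve to an IAM role ARN."""
    if isinstance(value, str):
        return None if value.startswith("arn:") else "literal is not an ARN"
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        target = value["Fn::GetAtt"]  # list form, or "Resource.Attr" string form
        parts = target.split(".", 1) if isinstance(target, str) else list(target)
        ok = len(parts) == 2 and parts[1] == "Arn"
        return None if ok else "Fn::GetAtt does not select the Arn attribute"
    if isinstance(value, dict) and "Ref" in value:
        target = resources.get(value["Ref"], {})
        if target.get("Type") == "AWS::IAM::Role":
            return "Ref on AWS::IAM::Role yields the role name; use Fn::GetAtt <role>.Arn"
    return None  # parameters, Fn::Sub, etc. cannot be judged statically here

def lint_role_attachments(template):
    """List (resource, role key, problem) for every suspect Roles entry."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::Cognito::IdentityPoolRoleAttachment":
            continue
        for key, value in res.get("Properties", {}).get("Roles", {}).items():
            problem = role_ref_problem(value, resources)
            if problem:
                findings.append((name, key, problem))
    return findings

if __name__ == "__main__":
    for finding in lint_role_attachments(TEMPLATE):
        print(*finding, sep=": ")
```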

Published: 2023-11-25 08:53:54
Article link: https://www.elefans.com/category/jswz/34/1629127.html