Is it possible to invoke a Lambda function with a cognito userpool identity?

Posted by 佐手、 on 2019-12-24 08:50:05

Question


I want to invoke a Lambda function using the JavaScript API.

I want it to be invoked with the cognito userpool credentials of the user who is authenticated on the browser.

The objective is that the Lambda function will have the same level of access to S3 as the user from the cognito userpool.

How can I do this?

Thanks.


Answer 1:


You can do that by federating the user pool token with Cognito federated identity; this will give you temporary AWS credentials to call the AWS Lambda function. You will need to create an identity pool and create a role with the permission lambda:InvokeFunction.

Also keep in mind that all the users of the user pool will be able to call the Lambda function if you choose authenticated-role-based resolution; if you want to restrict it to a subset of users, you can use groups in user pools and token- or rule-based mapping in federated identities to determine the role.
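As an added illustration (not code from either answer), the identity pool, authenticated role and role attachment that this answer describes, written as a CloudFormation template. The user pool ID, app client ID and account/region values are placeholders; the function name is the one used in the other answer. The role's permissions are limited to that single function ARN rather than "*", since these temporary credentials end up in the browser.

```yaml
# Added example, not part of the original answer. Placeholders: us-east-1_EXAMPLEPOOL,
# EXAMPLEAPPCLIENTID and the function name are assumed values; replace with your own.
Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: false      # no guest role: only signed-in pool users
      CognitoIdentityProviders:
        - ProviderName: cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLEPOOL
          ClientId: EXAMPLEAPPCLIENTID

  InvokerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Federated: cognito-identity.amazonaws.com }
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              # only identities from this identity pool, and only authenticated ones
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: InvokeOneFunction
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                # a single function ARN, not "*": every signed-in user gets this role
                Resource: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:myLambFunctionName

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt InvokerRole.Arn
```

With this setup every authenticated user of the pool can invoke the function; restricting it to a group means adding RoleMappings on the attachment (token- or rule-based) and giving only the group's role the lambda:InvokeFunction permission.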




Answer 2:


Reference: http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html

You will need these three packages:

<script src="js/aws-cognito-sdk.min.js"></script>
<script src="js/amazon-cognito-identity.min.js"></script>
<script src="js/aws-sdk.min.js"></script>

Once you log in using Cognito, you can invoke the Lambda function like this:

// Globals assumed to be set up at login, as in the linked AWS example:
//   objUserPool       - the AWSCognito CognitoUserPool object
//   objCognitoUser    - the CognitoUser for the signed-in user (null until signed in)
//   jsonUserCreds     - { IdentityPoolId: '<identity pool id>', Logins: {} }
//   strConfUserPoolID - 'cognito-idp.<region>.amazonaws.com/<user pool id>'

function invokeMyLambda()
{
    // syncAwsFromCognito is asynchronous (getSession / refresh use callbacks),
    // so the Lambda call has to wait for its callback instead of running right after it.
    syncAwsFromCognito(function(err) {
        if (err) { console.log('invokeMyLambda', err); return; }
        var lambda = new AWS.Lambda({region: 'us-east-1', apiVersion: '2015-03-31'});
        // create JSON object for service call parameters
        var pullParams = {
           FunctionName : 'myLambFunctionName',
           InvocationType : 'RequestResponse', // Event | RequestResponse | DryRun
           LogType : 'None',
           Payload : JSON.stringify({ "yourKeyName": "Key Value to pass to the function in Event Object"})
        };
        // invoke Lambda function, passing JSON object; the SDK signs the request
        // with the temporary credentials that syncAwsFromCognito put in AWS.config
        lambda.invoke(pullParams, function(err, data) {
           if (err) {
              console.log(err);
           } else {
              console.log(data);
              alert("Success: " + JSON.stringify(data));
           }
        });
    });
}

function syncAwsFromCognito(callback) {
    if(!objCognitoUser) {
        objCognitoUser = objUserPool.getCurrentUser();
    }
    if (!objCognitoUser) {
        alert("Session expired. Login again");
        return callback(new Error("no Cognito user"));
    }
    objCognitoUser.getSession(function(err, result) {
        if (err || !result) {
            alert("Session expired. Login again");
            return callback(err || new Error("no Cognito session"));
        }
        if(AWS.config.credentials == null) { // first call: create identity-pool credentials
            AWS.config.credentials = new AWS.CognitoIdentityCredentials(jsonUserCreds);
        }
        // map the user pool ID token to the identity pool login
        AWS.config.credentials.params.Logins[strConfUserPoolID] = result.idToken.jwtToken;

        // call refresh in order to exchange the ID token for new temporary credentials
        AWS.config.credentials.refresh( function (error) {
            if (error) {
                console.log('syncAwsFromCognito', error);
            }
            callback(error);
        });
    });
}

You can make S3 calls directly from JavaScript as well after Cognito authentication is done. I'd prefer to use a REST API with API Gateway instead of a direct Lambda function call from the browser. That's because the Lambda function call relies on the ID token, which is valid for an hour even if you log out using the Cognito SDK.



Source: https://stackoverflow.com/questions/42619395/is-it-possible-to-invoke-a-lambda-function-with-a-cognito-userpool-identity
