如何将用户添加到 AWS Cognito 用户池组？

Question

我正在使用 AWS Cognito 在我的 iOS APP (Swift) 中实现用户注册和登录。

当用户注册时，我想将该用户添加到已在我的 cognito 用户池中创建的指定用户池组中。

我已经尝试了下面的 swift 代码，但它似乎不起作用。

用户注册后，按[addToGroup]按钮加入名为[GroupA]的用户池组。

@IBAction func addToGroupButton(_ sender: Any) {
        let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
        request?.groupName = "GroupA"
        request?.userPoolId = "ap-northeast-1_8H0k*****"
        request?.username = eMailAdd

        let identityProvider = AWSCognitoIdentityProvider()
        identityProvider.adminAddUser(toGroup: request!).continueWith { (task) -> Any? in
            DispatchQueue.main.async(execute: {
                if let error = task.error {
                    print("\(error.localizedDescription)")
                }
            })
        }
    }

用户注册没有问题，我可以确认用户注册的信息。 但是，用户名只是没有出现在 GroupA 中。

谁能告诉我我的代码有什么问题？ 谢谢！！

Answer 1

我假设您遇到了一些错误，例如 AWSCognitoIdentityProviderErrorNotAuthorized。因为这是一个“管理员”API 调用，此处建议“需要开发人员凭据”[0]。

我建议您对您的凭据进行硬编码，以测试此 API 调用是否首先有效

AWSStaticCredentialsProvider *credentialsProvider = [AWSStaticCredentialsProvider credentialsWithAccessKey:"your-access-key" secretKey:"your-secret-key"];
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;

请注意，不要在生产环境中对您的凭据进行硬编码。

21/07/2019 更新：

let staticCredentialProvider = AWSStaticCredentialsProvider.init(accessKey: "yourAccessKey", secretKey: "yourSecretKey")
let configuration = AWSServiceConfiguration.init(region: .APSoutheast2, credentialsProvider: staticCredentialProvider)
AWSServiceManager.default()?.defaultServiceConfiguration = configuration

let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "ap-southeast-2_xxxxxxxxx"
request?.username = "yourUserName"


    AWSCognitoIdentityProvider.default().adminAddUser(toGroup: request!).continueWith { (task) -> Any? in
        DispatchQueue.main.async(execute: {
            if let error = task.error {
                print("\(error.localizedDescription)")
            }
        })
    }

我已经测试过了，上面的代码在我的测试环境中运行。我在这里列出以供您参考。下一步将尝试从代码库中删除硬编码凭证。可以使用 Cognito 身份池获取临时凭证，而不是使用 AWSStaticCredentialsProvider。我认为在获得足够许可的情况下，此流程无需开发人员凭据即可工作。

26/07/2019 更新：

// using Cognito userpool with identity pool, to provider credential to AWSServiceManager
let serviceConfiguration = AWSServiceConfiguration(region: .APSoutheast2, credentialsProvider: nil)
let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: "YourUserPoolClientId", clientSecret: "YourUserPoolClientSecret", poolId: "YourUserPoolId")
AWSCognitoIdentityUserPool.register(with: serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: "RandomStringForIdentifyingYourPoolWithinThisApp")
let pool = AWSCognitoIdentityUserPool(forKey: "RandomStringForIdentifyingYourPoolWithinThisApp")
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .APSoutheast2, identityPoolId: "YourIdentityPoolId", identityProviderManager:pool)

let configuration = AWSServiceConfiguration.init(region: .APSoutheast2, credentialsProvider: credentialsProvider)
AWSServiceManager.default()?.defaultServiceConfiguration = configuration

// sign in a user
pool.getUser("UserNameOfAUserInYourPool").getSession("UserNameOfAUserInYourPool", password: "PasswordOfAUserInYourPool", validationData: nil).continueWith { (task) -> Any? in
    if let error = task.error {
        print("user sign in error: \(error.localizedDescription)")
    } else {
        print("user session is: \(String(describing: task.result))")
    }

    // add a user to GroupA
    let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
    request?.groupName = "GroupA"
    request?.userPoolId = "YourUserPoolId"
    request?.username = "UserNameOfAUserInYourPool"

    return AWSCognitoIdentityProvider.default().adminAddUser(toGroup: request!)
    }.continueWith { (task) -> Any? in
        if let error = task.error {
            print("cannot add user to group \(error.localizedDescription)")
        }
}

就像我建议的那样，这是没有硬编码 AWS 凭证的解决方案。 Cognito 身份池在用户登录到 Cognito 用户池 [3] 后提供温度 AWS 凭证，从而启用“adminAddToGroup”API 调用。

除了上述代码，您还需要在 AWS 控制台或使用 AWS CLI 设置您的 Cognito 身份池。您可以在屏幕截图中找到详细信息。

您还需要为经过身份验证的用户创建一个身份验证 IAM 角色以代入。这是策略示例。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cognito-idp:AdminRemoveUserFromGroup",
                "cognito-idp:AdminAddUserToGroup"
            ],
            "Resource": "Your_userpool_ARN"
        }
    ]
}

参考： [0]https://aws-amplify.github.io/aws-sdk-ios/docs/reference/Classes/AWSCognitoIdentityProvider.html#//api/name/adminAddUserToGroup: [2]https://aws.amazon.com/blogs/mobile/how-amazon-cognito-keeps-mobile-app-users-data-safe/ [3]https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html