【Question title】:unauthRole/CognitoIdentityCredentials is not authorized to perform: geo:ListGeofences
【Posted】:2021-07-09 07:46:03
【Question description】:

I am trying to access the Location object using the AWS SDK.

location.batchUpdateDevicePosition works fine.

But location.listGeofences complains: CognitoIdentityCredentials is not authorized to perform: geo:ListGeofences on resource: arn:aws:geo:us-west-2::*

geo:ListGeofences is already in the role policy, so why is it still complaining?

Any ideas?

#policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "geo:*",
            "Resource": "*"
        },
        {
            "Sid": "GetDevicePositions",
            "Effect": "Allow",
            "Action": [
                "geo:ListGeofences",
                "geo:BatchGetDevicePosition",
                "geo:GetDevicePosition",
                "geo:GetDevicePositionHistory"
            ],
            "Resource": "*"
        }
    ]
}

import Amplify, {Auth, PubSub} from 'aws-amplify';
import awsconfig from '../aws-exports';
import AWS from 'aws-sdk';
import Location from 'aws-sdk/clients/location';

Amplify.configure(awsconfig);
Auth.currentCredentials().then(credentials => {
        console.log(Auth.essentialCredentials(credentials));
        console.log(AWS);
        const location = new Location({
            region: awsconfig.aws_project_region,
            credentials: Auth.essentialCredentials(credentials),
        });

        const updateDevicePosition = new Promise((resolve, reject) => {
            console.log({ params });
            location.batchUpdateDevicePosition(params, function (err, data) {
                if (err) {
                    console.log(err, err.stack); // an error occurred
                    reject(err);
                } else {
                    console.log('->>>>>TRACKER: ', data);
                    resolve(data);
                }           // successful response
            });
        });

        const listGeofences = new Promise((resolve, reject) => {
            location.listGeofences({CollectionName: 'explore.geofence-collection'}, (err, data) => {
                if (err) {
                    console.log(err, err.stack); // an error occurred
                    reject(err);
                } else {
                    console.log('listGeofences: ', data);
                    resolve(data);
                } // successful response
            });
        });

        listGeofences.then(()=>console.log('LIST'))
        updateDevicePosition.then(() => {
            console.log('complete');
        });

    });

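【Question discussion】:

    Tags: aws-sdk amazon-cognito amazon-iam


    【Solution 1】:

    I ran into the same problem; I even opened a similar thread on SO.

    The problem here is that unauthorized users cannot use most of the service's actions.

    AWS says this in the documentation: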

    You can use IAM policies associated with unauthenticated identity roles with the following actions:
    
    geo:GetMap*
    
    geo:SearchPlaceIndex*
    
    geo:BatchUpdateDevicePosition
    
    geo:CalculateRoute
    
    Including other Amazon Location actions will have no effect, and unauthenticated identities will be unable to call them.
    

    This is specified at the following link: https://docs.aws.amazon.com/location/latest/developerguide/authenticating-using-cognito.html

    So, if you want to use that particular action along with others, you have to do it through federated identities: https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-identity-pools.html
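
As an added example (not code from the question, the answer, or AWS), this sketch audits a policy meant for a Cognito unauthenticated role against the four action patterns quoted from the AWS documentation above; the function names and the prefix-based wildcard handling are assumptions of this example. Run on the question's policy, it shows that `geo:*` is the only entry that reaches a usable action, which is why batchUpdateDevicePosition works while every explicitly listed action has no effect.

```javascript
// Added example. The allowed list is the one quoted from the AWS docs in the answer.
const UNAUTH_ALLOWED = ['geo:GetMap*', 'geo:SearchPlaceIndex*',
  'geo:BatchUpdateDevicePosition', 'geo:CalculateRoute'].map((s) => s.toLowerCase());

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Classify one Action entry. IAM action names are case-insensitive.
// Wildcards are handled with a literal-prefix heuristic (assumption), which
// is exact for the common trailing-* form such as geo:* or geo:GetMap*.
function classifyAction(action) {
  const a = action.toLowerCase();
  const wild = a.search(/[*?]/); // index of first wildcard, -1 if none
  const prefix = wild === -1 ? a : a.slice(0, wild);
  let overlaps = false;
  for (const allowed of UNAUTH_ALLOWED) {
    const family = allowed.endsWith('*') ? allowed.slice(0, -1) : null;
    if (family ? prefix.startsWith(family) : wild === -1 && a === allowed) return 'usable';
    if (wild !== -1 && (family || allowed).startsWith(prefix)) overlaps = true;
  }
  // overBroad: grants more than an unauthenticated identity can ever call.
  return overlaps ? 'overBroad' : 'noEffect';
}

function auditUnauthLocationPolicy(policy) {
  const report = { usable: [], noEffect: [], overBroad: [] };
  for (const stmt of asArray(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    for (const action of asArray(stmt.Action)) {
      const a = action.toLowerCase();
      if (a !== '*' && !a.startsWith('geo:')) continue; // other services: out of scope
      report[classifyAction(action)].push(action);
    }
  }
  return report;
}

// The policy from the question, attached to the Cognito unauthRole.
const questionPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'VisualEditor0', Effect: 'Allow', Action: 'geo:*', Resource: '*' },
    { Sid: 'GetDevicePositions', Effect: 'Allow', Resource: '*',
      Action: ['geo:ListGeofences', 'geo:BatchGetDevicePosition',
        'geo:GetDevicePosition', 'geo:GetDevicePositionHistory'] },
  ],
};
console.log(auditUnauthLocationPolicy(questionPolicy));
```

For an unauthenticated role, entries reported as `overBroad` are best replaced with the specific allowed actions the app needs, and `noEffect` entries moved to the authenticated role.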

    【Discussion】:
