Question

I'm trying to use AWS IAM to generate temporary tokens for a mobile app. I'm using the AWS C# SDK.

Here's my code...

The token generating service

using System.IO;
using System.Web.Hosting;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using Newtonsoft.Json;

public string GetIAMKey(string deviceId)
{
    //fetch IAM key...

    // Long-term credentials of the IAM user that calls GetFederationToken.
    // Note: BasicAWSCredentials takes (accessKeyId, secretAccessKey), in that order.
    var credentials = new BasicAWSCredentials("MyKey", "MyAccessId");

    var sts = new AmazonSecurityTokenServiceClient(credentials);

    var tokenRequest = new GetFederationTokenRequest();
    tokenRequest.Name = deviceId;
    // Session policy: the federated user gets the intersection of this policy
    // and the permissions of the IAM user whose credentials are used above.
    tokenRequest.Policy = File.ReadAllText(HostingEnvironment.MapPath("~/policy.txt"));
    tokenRequest.DurationSeconds = 129600; // 36 hours

    var tokenResult = sts.GetFederationToken(tokenRequest);

    var details = new IAMDetails
    {
        SessionToken = tokenResult.GetFederationTokenResult.Credentials.SessionToken,
        AccessKeyId = tokenResult.GetFederationTokenResult.Credentials.AccessKeyId,
        SecretAccessKey = tokenResult.GetFederationTokenResult.Credentials.SecretAccessKey,
    };

    return JsonConvert.SerializeObject(details);
}

The client

using System;
using Amazon.SimpleDB;
using Amazon.SimpleDB.Model;

// Temporary credentials returned earlier by GetIAMKey and cached on the device.
var iamkey = Storage.LoadPersistent<IAMDetails>("iamkey");

// No RegionEndpoint is passed here, so the client sends the request to the SDK's default region.
var simpleDBClient = new AmazonSimpleDBClient(iamkey.AccessKeyId, iamkey.SecretAccessKey, iamkey.SessionToken);

try
{
    var details = await simpleDBClient.SelectAsync(new SelectRequest { SelectExpression = "select * from mydomain" });

    return null;
}
catch (Exception ex)
{
    // Any failure discards the cached credentials so a fresh token is requested next time.
    Storage.ClearPersistent("iamkey");
}

The policy file contents

{ "Statement":[{ "Effect":"Allow", "Action":"sdb:*", "Resource":"arn:aws:sdb:eu-west-1:*:domain/mydomain*" } ]}

I keep getting the following error...

User (arn:aws:sts::myaccountid:federated-user/654321) does not have permission to perform (sdb:Select) on resource (arn:aws:sdb:us-east-1:myaccountid:domain/mydomain)

Notice that my policy file clearly specifies two things:

  1. region should be eu-west-1
  2. allowed action is a wild-card, i.e., allow everything

But the exception thrown claims that my user doesn't have permission to us-east-1

Any ideas as to why I'm getting this error?


Solution

OK, figured it out.

You have to set the region endpoint on your call to the service from the client.

So

var simpleDBClient = new AmazonSimpleDBClient(iamkey.AccessKeyId, iamkey.SecretAccessKey, iamkey.SessionToken, Amazon.RegionEndpoint.EUWest1);
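An added illustration, not code from the question or the answer: a small Python evaluator that applies the session policy from the question to the action and resource ARN quoted in the error message. It shows why the request routed to us-east-1 is denied while the identical request against eu-west-1 is allowed, and why the fix is the region endpoint rather than the policy. It is a simplified model of IAM matching (wildcards matched per ARN segment, actions compared case-insensitively, explicit Deny overriding Allow) and ignores conditions and the calling IAM user's own policy, which also bounds what a federation token can do.

```python
import json
import re

# Constructed from the question: the session policy handed to GetFederationToken.
SESSION_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Action": "sdb:*",
        "Resource": "arn:aws:sdb:eu-west-1:*:domain/mydomain*",
    }]
})


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _arn_match(pattern, arn):
    """Compare the six colon-separated ARN segments one by one.
    Simplification: a wildcard never spans a segment boundary; a bare '*' matches any ARN."""
    if pattern == "*":
        return True
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(_glob(x, y) for x, y in zip(p, a))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json, action, resource_arn):
    """Default deny; an explicit Deny wins over any Allow; actions are case-insensitive."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        action_hit = any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_arn_match(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # The ARN from the error message names us-east-1; the policy only names eu-west-1.
    for region in ("us-east-1", "eu-west-1"):
        arn = f"arn:aws:sdb:{region}:myaccountid:domain/mydomain"
        print(region, "->", "allowed" if is_allowed(SESSION_POLICY, "sdb:Select", arn) else "denied")
```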
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow