https://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/tutorial-create-identity-pool.html
ルールベースでのIAMロール選択の動作確認
2種類のユーザを作成し、一方はec2全権限ロール、もう一方はS3全権限ロールを割り当てる
role01 → デフォルトauthenticated
role02 → デフォルトunauthenticated
role03 → AmazonEC2FullAccess
role04 → AmazonS3FullAccess
user01 → emailに@example.comが含まれる → role03 (EC2権限)
user02 → emailに@example.co.jpが含まれる → role04 (S3権限)
-- 1. コマンド等のインストール
-- 1.1 aws cli version 2 インストール
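# 1.1 Install AWS CLI v2.
# The installer is run as root, so verify AWS's detached GPG signature before unpacking it
# (the original ran the archive straight after download). Import the AWS CLI public key from the
# official install guide into gpg first; unzip/install only proceed if the signature checks out.
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
gpg --verify awscliv2.sig awscliv2.zip \
  && unzip awscliv2.zip \
  && sudo ./aws/install
aws --version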
-- 1.2 jqインストール
sudo yum -y install jq
-- 2. ユーザプールの作成
-- 2.1 ユーザプールの作成
# 2.1 Create the user pool.
# Password policy: at least 8 characters with upper case, lower case, a digit and a symbol;
# temporary passwords issued by admin-create-user expire after 7 days.
# email is an auto-verified attribute; note that section 7 selects IAM roles from the email claim.
aws cognito-idp create-user-pool \
  --pool-name pool01 \
  --auto-verified-attributes '["email"]' \
  --policies '{"PasswordPolicy":{"MinimumLength":8,"RequireUppercase":true,"RequireLowercase":true,"RequireNumbers":true,"RequireSymbols":true,"TemporaryPasswordValidityDays":7}}'
# The generated pool id replaces the ap-northeast-1_xxxxxxxxx placeholder in every later command.
aws cognito-idp list-user-pools --max-results 10
aws cognito-idp describe-user-pool --user-pool-id ap-northeast-1_xxxxxxxxx
-- 2.2 アプリクライアントの作成
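# 2.2 Create the app client.
# --no-generate-secret: a public (browser/mobile style) client cannot keep a client secret confidential.
# Auth flows: ALLOW_ADMIN_USER_PASSWORD_AUTH is required by the admin-initiate-auth call in section 8;
#   ALLOW_USER_SRP_AUTH lets real clients authenticate without sending the password itself;
#   ALLOW_CUSTOM_AUTH is kept from the original but nothing in this setup configures the Lambda
#   triggers it needs, so it can be dropped when trimming to what is used.
# --prevent-user-existence-errors ENABLED returns generic errors so callers cannot enumerate usernames.
# Change vs. original: "email" is no longer in --write-attributes. Section 2.3 sets email through
# admin-create-user and section 7 picks the IAM role from the email claim, so an end user has no
# reason to change it; a client able to rewrite its own email could otherwise steer role selection.
aws cognito-idp create-user-pool-client \
  --user-pool-id ap-northeast-1_xxxxxxxxx \
  --client-name clinet01 \
  --no-generate-secret \
  --refresh-token-validity 30 \
  --access-token-validity 60 \
  --id-token-validity 60 \
  --token-validity-units '{"AccessToken":"minutes","IdToken":"minutes","RefreshToken":"days"}' \
  --explicit-auth-flows '["ALLOW_ADMIN_USER_PASSWORD_AUTH","ALLOW_CUSTOM_AUTH","ALLOW_REFRESH_TOKEN_AUTH","ALLOW_USER_SRP_AUTH"]' \
  --read-attributes '["address","birthdate","email","email_verified","family_name","gender","given_name","locale","middle_name","name","nickname","phone_number","phone_number_verified","picture","preferred_username","profile","updated_at","website","zoneinfo"]' \
  --write-attributes '["address","birthdate","family_name","gender","given_name","locale","middle_name","name","nickname","phone_number","picture","preferred_username","profile","updated_at","website","zoneinfo"]' \
  --prevent-user-existence-errors ENABLED
# The returned ClientId replaces the 1111… placeholder in sections 6, 7 and 8.
aws cognito-idp list-user-pool-clients --user-pool-id ap-northeast-1_xxxxxxxxx
aws cognito-idp describe-user-pool-client \
  --user-pool-id ap-northeast-1_xxxxxxxxx \
  --client-id 11111111111111111111111111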
-- 2.3 ユーザの作成
# 2.3 Create the two test users. The administrator sets the email and marks it verified here;
# these addresses are what the role-mapping rules in section 7 match against.
for spec in user01=hoge@example.com user02=fuga@example.co.jp; do
  aws cognito-idp admin-create-user \
    --user-pool-id ap-northeast-1_xxxxxxxxx \
    --username "${spec%%=*}" \
    --user-attributes "[{\"Name\":\"email_verified\",\"Value\":\"true\"},{\"Name\":\"email\",\"Value\":\"${spec#*=}\"}]"
done
aws cognito-idp list-users --user-pool-id ap-northeast-1_xxxxxxxxx
# Both users start in FORCE_CHANGE_PASSWORD until section 2.4 sets a permanent password.
for u in user01 user02; do
  aws cognito-idp admin-get-user --user-pool-id ap-northeast-1_xxxxxxxxx --username "$u"
done
-- 2.4 ユーザにパスワードを設定
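# 2.4 Set permanent passwords for both users.
# The original passed --password 'password'. That value does not satisfy the pool policy from 2.1
# (no upper case, digit or symbol), so admin-set-user-password rejects it, and it also left a
# credential in shell history. Read the password interactively instead. It is still visible in the
# argv of the aws process while it runs; on a shared host use --cli-input-json with a protected file.
for u in user01 user02; do
  aws cognito-idp admin-get-user --user-pool-id ap-northeast-1_xxxxxxxxx --username "$u"
  read -rsp "Permanent password for ${u} (policy: >=8 chars, upper, lower, digit, symbol): " pw; echo
  aws cognito-idp admin-set-user-password \
    --user-pool-id ap-northeast-1_xxxxxxxxx \
    --username "$u" \
    --password "$pw" \
    --permanent
  unset pw
  # UserStatus should now read CONFIRMED.
  aws cognito-idp admin-get-user --user-pool-id ap-northeast-1_xxxxxxxxx --username "$u"
done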
-- 3. IDプールの作成
# 3. Create the identity pool.
# Guest (unauthenticated) identities are allowed here only so that role02 can be exercised;
# a guest receives role02's permissions with no proof of identity, so leave this off in a pool
# that does not need guest access.
# Classic flow stays disabled: clients cannot fetch an OIDC token and choose a role themselves,
# the pool assigns the role (sections 5 and 7).
aws cognito-identity create-identity-pool \
  --identity-pool-name id_pool01 \
  --no-allow-classic-flow \
  --allow-unauthenticated-identities
# The returned IdentityPoolId replaces the ap-northeast-1:2222… placeholder below.
aws cognito-identity list-identity-pools --max-results 10
aws cognito-identity describe-identity-pool \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222
-- 4. IDプールで使用するロールの作成
role01 → デフォルトauthenticated
role02 → デフォルトunauthenticated
role03 → AmazonEC2FullAccess
role04 → AmazonS3FullAccess
-- 4.1 IAMポリシー作成（注意: policy01 の "cognito-identity:*" は SetIdentityPoolRoles / UpdateIdentityPool などの管理系アクションも含むため、role01 を得た一般ユーザがこの ID プールのロール割り当てを書き換えられてしまう。検証用途に限定し、実運用ではクライアントが実際に署名付きで呼ぶアクションだけに絞る）
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"cognito-identity:*"
],
"Resource": [
"*"
]
}
]
}
# 4.1 Customer managed policy for the default authenticated role (role01), from policy01.json above.
# NOTE(review): policy01.json grants cognito-identity:* on "*". That wildcard includes control-plane
# actions such as SetIdentityPoolRoles and UpdateIdentityPool, so any end user holding role01
# credentials could rewrite this pool's role mappings. Trim it to the actions the client actually
# signs — in the enhanced flow GetId/GetCredentialsForIdentity are public (unsigned) calls per the
# API reference, so it may need none of them.
aws iam create-policy --policy-name policy01 --policy-document file://policy01.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": [
"*"
]
}
]
}
# Customer managed policy for the guest role (role02), from policy02.json above.
# It still grants cognito-sync:* on every resource to unauthenticated callers; scope it down if
# the sync store is ever used.
aws iam create-policy --policy-name policy02 --policy-document file://policy02.json
-- 4.2 IAMロール作成
vim role01.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "ap-northeast-1:22222222-2222-2222-2222-222222222222"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
# 4.2 role01: default authenticated role. Its trust policy (role01.json above) pins the audience to
# this identity pool and requires an "authenticated" amr value.
aws iam create-role --role-name role01 --assume-role-policy-document file://role01.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "ap-northeast-1:22222222-2222-2222-2222-222222222222"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated"
}
}
}
]
}
# role02: default guest role. Trust policy (role02.json above) pins the audience and requires an
# "unauthenticated" amr value.
aws iam create-role --role-name role02 --assume-role-policy-document file://role02.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "ap-northeast-1:22222222-2222-2222-2222-222222222222"
}
}
}
]
}
# role03 (EC2 full access), selected by rule for @example.com users in section 7.
# NOTE(review): role03.json above only pins the audience; unlike role01/role02 it has no amr
# condition. Adding "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}
# is cheap defense in depth so the role can never be handed to a guest identity, even if the pool's
# role settings are later changed.
aws iam create-role --role-name role03 --assume-role-policy-document file://role03.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "ap-northeast-1:22222222-2222-2222-2222-222222222222"
}
}
}
]
}
# role04 (S3 full access), selected by rule for @example.co.jp users in section 7.
# NOTE(review): as with role03, role04.json above checks only the audience; consider also requiring
# an "authenticated" amr value in its trust policy.
aws iam create-role --role-name role04 --assume-role-policy-document file://role04.json
-- 4.3 ポリシーをロールにアタッチ
# 4.3 Attach policies: the two customer managed policies to the default roles, the AWS managed
# full-access policies to the two rule-mapped roles.
for pair in \
  role01=arn:aws:iam::999999999999:policy/policy01 \
  role02=arn:aws:iam::999999999999:policy/policy02 \
  role03=arn:aws:iam::aws:policy/AmazonEC2FullAccess \
  role04=arn:aws:iam::aws:policy/AmazonS3FullAccess; do
  aws iam attach-role-policy --role-name "${pair%%=*}" --policy-arn "${pair#*=}"
done
-- 5. IDプールのデフォルトロール設定
# 5. Default roles for the pool: role01 for authenticated identities, role02 for guests.
# These apply where no rule mapping (section 7) matches.
aws cognito-identity get-identity-pool-roles \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222
aws cognito-identity set-identity-pool-roles \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222 \
  --roles '{"authenticated":"arn:aws:iam::999999999999:role/role01","unauthenticated":"arn:aws:iam::999999999999:role/role02"}'
-- 6. 認証プロバイダーの設定
認証プロバイダーとしてユーザープールを設定
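# 6. Register the user pool app client as the pool's authentication provider.
# Change vs. original: ServerSideTokenCheck is true. The identity pool then confirms with the user
# pool that the user has not been disabled, deleted or globally signed out before issuing credentials;
# with false, an unexpired ID token keeps yielding AWS credentials after the user is disabled.
# update-identity-pool replaces the pool configuration, which is why the name and the
# unauthenticated-identities setting are repeated; re-check with describe-identity-pool afterwards.
aws cognito-identity describe-identity-pool \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222
aws cognito-identity update-identity-pool \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222 \
  --identity-pool-name id_pool01 \
  --allow-unauthenticated-identities \
  --cognito-identity-providers '[{"ProviderName":"cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxxxxxxx","ClientId":"11111111111111111111111111","ServerSideTokenCheck":true}]'
aws cognito-identity describe-identity-pool \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222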
-- 7. Cognito IDプールにルールベースでIAM Roleを割り当てる設定をする
# 7. Rule-based role mapping for ID tokens from this user pool app client.
# Rules are evaluated in order and the first match wins. AmbiguousRoleResolution=AuthenticatedRole
# means a user who matches no rule falls back to the default authenticated role (role01) rather
# than being denied.
# NOTE(review): MatchType Contains is a substring test, so "@example.com" also matches addresses
# like x@example.com.evil.test. Together with an app client that may write the email attribute (2.2),
# user-controlled input can steer role selection. Outside this lab, prefer Equals on a claim end
# users cannot set themselves (e.g. an admin-only custom attribute).
aws cognito-identity get-identity-pool-roles \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222
role_mappings=$(cat <<'EOF'
{
  "cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxxxxxxx:11111111111111111111111111": {
    "Type": "Rules",
    "AmbiguousRoleResolution": "AuthenticatedRole",
    "RulesConfiguration": {
      "Rules": [
        {"Claim": "email", "MatchType": "Contains", "Value": "@example.com",   "RoleARN": "arn:aws:iam::999999999999:role/role03"},
        {"Claim": "email", "MatchType": "Contains", "Value": "@example.co.jp", "RoleARN": "arn:aws:iam::999999999999:role/role04"}
      ]
    }
  }
}
EOF
)
aws cognito-identity set-identity-pool-roles \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222 \
  --roles '{"authenticated":"arn:aws:iam::999999999999:role/role01","unauthenticated":"arn:aws:iam::999999999999:role/role02"}' \
  --role-mappings "$role_mappings"
-- 8. ルールベースで一時クレデンシャルキーを発行
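# 8. Exchange a user pool ID token for temporary AWS credentials through the identity pool.
# Fixes vs. original: idtoken was assigned twice (only user02 was ever tested), the password was
# hard-coded in argv, the ID token and full credential JSON were echoed to the terminal, and jq ran
# without -r (values carried their JSON quotes). One user per run; set `user` to user01 or user02.
user=user01
read -rsp "Password for ${user}: " pw; echo
# ADMIN_NO_SRP_AUTH sends the password to Cognito via the admin API (needs the operator's IAM
# credentials and ALLOW_ADMIN_USER_PASSWORD_AUTH on the app client, section 2.2). A password
# containing a comma would break the shorthand --auth-parameters syntax; use a JSON value then.
idtoken=$(aws cognito-idp admin-initiate-auth \
  --user-pool-id ap-northeast-1_xxxxxxxxx \
  --client-id 11111111111111111111111111 \
  --auth-flow ADMIN_NO_SRP_AUTH \
  --auth-parameters "USERNAME=${user},PASSWORD=${pw}" | jq -r .AuthenticationResult.IdToken)
unset pw
# The ID token is a bearer credential; do not print or log it.
[ -n "$idtoken" ] && [ "$idtoken" != null ] || echo "authentication failed for ${user}" >&2
identityid=$(aws cognito-identity get-id \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222 \
  --logins "cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxxxxxxx=${idtoken}" | jq -r .IdentityId)
printf 'IdentityId: %s\n' "$identityid"
creds=$(aws cognito-identity get-credentials-for-identity \
  --identity-id "$identityid" \
  --logins "cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxxxxxxx=${idtoken}")
# Temporary, session-token-bound credentials with the expiry shown below. They are printed only so
# they can be pasted into the section 9 terminal; do not save them to a file or commit them.
jq -r '"Expiration: \(.Credentials.Expiration)"' <<<"$creds"
printf 'export AWS_ACCESS_KEY_ID=%q\n' "$(jq -r .Credentials.AccessKeyId <<<"$creds")"
printf 'export AWS_SECRET_ACCESS_KEY=%q\n' "$(jq -r .Credentials.SecretKey <<<"$creds")"
printf 'export AWS_SESSION_TOKEN=%q\n' "$(jq -r .Credentials.SessionToken <<<"$creds")"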
-- 9. 動作確認
別端末で、セクション8が出力した export 文を貼り付けて環境変数を設定する（セッショントークン付きの一時クレデンシャル。期限付きであり、ファイルに保存したり共有したりしない）
下記確認
user01のトークンの場合、EC2インスタンスは作成できるが、S3バケットは作成できないこと
user02のトークンの場合、EC2インスタンスは作成できないが、S3バケットは作成できること
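# 9. Verification — run in the separate terminal that holds the credentials from section 8.
# Added vs. original: check which role the rule mapping actually selected before probing permissions;
# the assumed-role ARN should name role03 for user01 and role04 for user02.
aws sts get-caller-identity
# Expected: user01 can launch EC2 but not create a bucket; user02 the reverse.
# The AMI id is region-specific and key pair "key1" must already exist in the account.
aws ec2 run-instances \
  --image-id ami-0404778e217f54308 \
  --instance-type t3.nano \
  --key-name key1 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=instance01}]' \
  --instance-market-options '{"MarketType": "spot","SpotOptions": {"SpotInstanceType": "one-time"}}'
# Replace the placeholder with the InstanceId returned above.
aws ec2 terminate-instances --instance-ids i-33333333333333333
# Bucket names are global, so "bucket123" is likely taken; a BucketAlreadyExists error is not a
# permissions result — use a unique name when testing.
aws s3 mb s3://bucket123
aws s3 rb s3://bucket123 --force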
-- 10. IDプールで作成されたID確認
# 10. List the identities the pool created during section 8 (one per user/provider login).
aws cognito-identity list-identities \
  --max-results 10 \
  --identity-pool-id ap-northeast-1:22222222-2222-2222-2222-222222222222
-- 11. クリーンアップ
-- IDプールの削除
# Delete the identity pool. Credentials already issued from it remain valid until they expire.
pool_id=ap-northeast-1:22222222-2222-2222-2222-222222222222
aws cognito-identity list-identity-pools --max-results 10
aws cognito-identity describe-identity-pool --identity-pool-id "$pool_id"
aws cognito-identity delete-identity-pool --identity-pool-id "$pool_id"
-- ロールの削除
# Delete the four roles. A role cannot be deleted while a managed policy is attached, so detach first.
for r in role01 role02 role03 role04; do
  aws iam list-roles | grep "$r"
done
for pair in \
  role01=arn:aws:iam::999999999999:policy/policy01 \
  role02=arn:aws:iam::999999999999:policy/policy02 \
  role03=arn:aws:iam::aws:policy/AmazonEC2FullAccess \
  role04=arn:aws:iam::aws:policy/AmazonS3FullAccess; do
  aws iam detach-role-policy --role-name "${pair%%=*}" --policy-arn "${pair#*=}"
done
for r in role01 role02 role03 role04; do
  aws iam delete-role --role-name "$r"
done
-- ポリシーの削除
# Delete the two customer managed policies (possible only after they are detached from every role).
for p in policy01 policy02; do
  aws iam list-policies | grep "$p"
done
for p in policy01 policy02; do
  aws iam delete-policy --policy-arn "arn:aws:iam::999999999999:policy/${p}"
done
-- ユーザプールの削除
# Delete the user pool; this removes its app client and both test users with it.
user_pool_id=ap-northeast-1_xxxxxxxxx
aws cognito-idp list-user-pools --max-results 10
aws cognito-idp describe-user-pool --user-pool-id "$user_pool_id"
aws cognito-idp delete-user-pool --user-pool-id "$user_pool_id"