Rust AWS身份认证库aws-sdk-cognitoidentity的使用:实现安全用户身份管理与AWS服务集成

根据要求,我将直接输出内容中提供的示例,然后给出一个完整的示例代码。

以下是内容中提供的示例代码:

use aws_sdk_cognitoidentity::{Client, Error};
use aws_sdk_cognitoidentity::model::{IdentityPool, Credentials};

#[tokio::main]
async fn main() -> Result<(), Error> {
    // 加载配置
    let config = aws_config::load_from_env().await;
    
    // 创建客户端
    let client = Client::new(&config);

    // 创建身份池
    let pool_name = "my-identity-pool";
    let create_pool_output = client
        .create_identity_pool()
        .identity_pool_name(pool_name)
        .allow_unauthenticated_identities(true)
        .send()
        .await?;

    println!("Created identity pool: {:?}", create_pool_output.identity_pool_id());

    // 获取ID
    let identity_id = create_pool_output.identity_pool_id().unwrap();

    // 获取凭证
    let credentials_output = client
        .get_credentials_for_identity()
        .identity_id(identity_id.to_string())
        .send()
        .await?;

    if let Some(creds) = credentials_output.credentials() {
        println!("Access Key: {}", creds.access_key_id().unwrap());
        println!("Secret Key: {}", creds.secret_key().unwrap());
        println!("Session Token: {}", creds.session_token().unwrap());
        println!("Expiration: {:?}", creds.expiration());
    }

    Ok(())
}

现在,我将提供一个更完整的示例,展示如何集成第三方登录提供商和设置IAM角色:

use aws_sdk_cognitoidentity::{Client, Error};
use aws_sdk_cognitoidentity::model::{IdentityPool, Credentials, RoleMapping, RulesConfigurationType, MappingRule};

#[tokio::main]
async fn main() -> Result<(), Error> {
    // 加载AWS配置
    let config = aws_config::load_from_env().await;
    
    // 创建Cognito Identity客户端
    let client = Client::new(&config);

    // 1. 创建身份池并配置Google登录提供商
    let pool_name = "enhanced-identity-pool";
    let google_client_id = "your-google-client-id"; // 替换为实际的Google客户端ID
    
    let create_pool_output = client
        .create_identity_pool()
        .identity_pool_name(pool_name)
        .allow_unauthenticated_identities(false) // 禁用未认证访问
        .supported_login_providers("accounts.google.com".to_string(), google_client_id.to_string())
        .send()
        .await?;

    println!("创建的身份池ID: {:?}", create_pool_output.identity_pool_id());

    // 2. 设置IAM角色映射
    let identity_id = create_pool_output.identity_pool_id().unwrap();
    let authenticated_role_arn = "arn:aws:iam::123456789012:role/Cognito_Authenticated_Role"; // 替换为实际的角色ARN
    
    let role_mapping = RoleMapping::builder()
        .type_("Rules")
        .rules_configuration(
            RulesConfigurationType::builder()
                .rules(
                    MappingRule::builder()
                        .claim("iss")
                        .match_type("Equals")
                        .value("accounts.google.com")
                        .role_arn(authenticated_role_arn)
                        .build()
                )
                .build()
        )
        .build();

    client
        .set_identity_pool_roles()
        .identity_pool_id(identity_id.to_string())
        .roles("authenticated".to_string(), authenticated_role_arn.to_string())
        .role_mappings("accounts.google.com".to_string(), role_mapping)
        .send()
        .await?;

    println!("成功设置身份池角色映射");

    // 3. 获取Google登录后的凭证
    let google_token = "google-id-token"; // 替换为实际的Google ID令牌
    
    let credentials_output = client
        .get_credentials_for_identity()
        .identity_id(identity_id.to_string())
        .logins("accounts.google.com".to_string(), google_token.to_string())
        .send()
        .await?;

    if let Some(creds) = credentials_output.credentials() {
        println!("获取到的凭证:");
        println!("Access Key: {}", creds.access_key_id().unwrap());
        println!("Secret Key: {}", creds.secret_key().unwrap());
        println!("Session Token: {}", creds.session_token().unwrap());
        println!("过期时间: {:?}", creds.expiration());
    }

    Ok(())
}

代码说明:

  1. 这个完整示例展示了:

    • 创建身份池并配置Google登录提供商
    • 设置IAM角色映射,为认证用户分配特定角色
    • 使用Google登录令牌获取临时AWS凭证
  2. 主要功能点:

    • 通过supported_login_providers添加Google登录支持
    • 使用set_identity_pool_roles配置IAM角色映射
    • 通过get_credentials_for_identity获取认证后的凭证
  3. 使用前需要:

    • 替换示例中的Google客户端ID和角色ARN
    • 确保已正确配置AWS凭证
    • 在Google开发者控制台设置OAuth客户端

注意事项:

  • 实际使用时需要替换示例中的占位值为真实值
  • 确保IAM角色具有适当的权限
  • 生产环境应考虑错误处理和令牌刷新机制

1 回复

Rust AWS身份认证库aws-sdk-cognitoidentity的使用:实现安全用户身份管理与AWS服务集成

概述

aws-sdk-cognitoidentity是AWS官方提供的Rust SDK中的Cognito身份认证服务库,用于实现安全的用户身份管理并与AWS服务集成。Cognito Identity提供了用户身份池功能,允许开发者创建唯一身份并授权用户访问AWS资源。

主要功能

  1. 创建和管理身份池
  2. 获取临时AWS凭证
  3. 实现联合身份认证
  4. 与社交登录提供商集成
  5. 管理身份池角色

使用方法

添加依赖

首先在Cargo.toml中添加依赖:

[dependencies]
aws-config = "0.55"
aws-sdk-cognitoidentity = "0.28"
tokio = { version = "1", features = ["full"] }

基本使用示例

1. 初始化客户端

use aws_sdk_cognitoidentity::{Client, Error};

async fn create_client() -> Result<Client, Error> {
    let config = aws_config::load_from_env().await;
    let client = Client::new(&config);
    Ok(client)
}

2. 创建身份池

use aws_sdk_cognitoidentity::model::IdentityPool;

async fn create_identity_pool(client: &Client, pool_name: &str) -> Result<String, Error> {
    let response = client
        .create_identity_pool()
        .identity_pool_name(pool_name)
        .allow_unauthenticated_identities(true)
        .send()
        .await?;

    Ok(response.identity_pool_id().unwrap().to_string())
}

3. 获取身份ID

async fn get_id(client: &Client, pool_id: &str, provider_name: &str, token: &str) -> Result<String, Error> {
    let response = client
        .get_id()
        .identity_pool_id(pool_id)
        .logins(provider_name, token)
        .send()
        .await?;

    Ok(response.identity_id().unwrap().to_string())
}

4. 获取临时凭证

use aws_sdk_cognitoidentity::model::Credentials;

async fn get_credentials(
    client: &Client,
    identity_id: &str,
    provider_name: &str,
    token: &str,
) -> Result<Credentials, Error> {
    let response = client
        .get_credentials_for_identity()
        .identity_id(identity_id)
        .logins(provider_name, token)
        .send
        .await?;

    Ok(response.credentials().unwrap().clone())
}

完整示例

以下是一个完整的示例,展示如何创建身份池并获取临时凭证:

use aws_sdk_cognitoidentity::{Client, Error};
use aws_sdk_cognitoidentity::model::IdentityPool;

#[tokio::main]
async fn main() -> Result<(), Error> {
    // 初始化客户端
    let config = aws_config::load_from_env().await;
    let client = Client::new(&config);

    // 创建身份池
    let pool_name = "MyRustIdentityPool";
    let pool_id = create_identity_pool(&client, pool_name).await?;
    println!("Created identity pool with ID: {}", pool_id);

    // 模拟社交登录提供商的token
    let provider_name = "graph.facebook.com";
    let token = "sample-facebook-token";

    // 获取身份ID
    let identity_id = get_id(&client, &pool_id, provider_name, token).await?;
    println!("Got identity ID: {}", identity_id);

    // 获取临时凭证
    let credentials = get_credentials(&client, &identity_id, provider_name, token).await?;
    println!("Temporary credentials:");
    println!("Access Key ID: {}", credentials.access_key_id().unwrap());
    println!("Secret Key: {}", credentials.secret_key().unwrap());
    println!("Session Token: {}", credentials.session_token().unwrap());
    println!("Expiration: {}", credentials.expiration().unwrap());

    Ok(())
}

async fn create_identity_pool(client: &Client, pool_name: &str) -> Result<String, Error> {
    let response = client
        .create_identity_pool()
        .identity_pool_name(pool_name)
        .allow_unauthenticated_identities(true)
        .send()
        .await?;

    Ok(response.identity_pool_id().unwrap().to_string())
}

async fn get_id(client: &Client, pool_id: &str, provider_name: &str, token: &str) -> Result<String, Error> {
    let response = client
        .get_id()
        .identity_pool_id(pool_id)
        .logins(provider_name, token)
        .send()
        .await?;

    Ok(response.identity_id().unwrap().to_string())
}

async fn get_credentials(
    client: &Client,
    identity_id: &str,
    provider_name: &str,
    token: &str,
) -> Result<aws_sdk_cognitoidentity::model::Credentials, Error> {
    let response = client
        .get_credentials_for_identity()
        .identity_id(identity_id)
        .logins(provider_name, token)
        .send()
        .await?;

    Ok(response.credentials().unwrap().clone())
}

最佳实践

  1. 安全存储凭证:临时凭证应该安全存储并定期刷新
  2. 最小权限原则:为身份池角色分配最小必要权限
  3. 错误处理:妥善处理各种认证失败的情况
  4. 日志记录:记录认证过程中的重要事件
  5. 使用HTTPS:确保所有通信都通过HTTPS进行

常见问题

  1. 权限不足:确保IAM角色有正确的权限策略
  2. Token过期:实现Token刷新逻辑
  3. 区域设置:确保客户端配置了正确的AWS区域
  4. 身份池未启用:检查身份池是否已正确配置并启用

通过aws-sdk-cognitoidentity库,Rust开发者可以轻松实现安全的用户身份管理,并与AWS服务无缝集成。

回到顶部