Tags: aws cognito getopenidtokenfordeveloperidentity php sdk | AWS Cognito getOpenIdTokenForDeveloperIdentity PHP SDK CLI | itcore 2021
Creating the identity pool
Amazon Cognito
https://ap-northeast-1.console.aws.amazon.com/cognito/home?region=ap-northeast-1#
Manage Identity Pools > Create new identity pool
Identity pool name: id_pool_01
Authentication providers > Custom
Developer provider name: login.app001
Create Pool
Allow
Granting permissions
IAM Dashboard
https://console.aws.amazon.com/iam/home?region=ap-northeast-1#/home
User: api_admin
Programmatic access
Add permissions > Attach existing policies directly
Filter policies: cognito
Select AmazonCognitoDeveloperAuthenticatedIdentities > Review > Add
Checking the pool ID with the CLI
aws cognito-identity list-identity-pools --max-results 10
{
    "IdentityPools": [
        {
            "IdentityPoolId": "ap-northeast-1:9fa88c1e-xxx-xxx-xxx-xxx",
            "IdentityPoolName": "id_pool_01"
        }
    ]
}
PHP code
vi cognito.php
<?php
use Aws\CognitoIdentity\CognitoIdentityClient;
use Aws\Exception\AwsException;
require '../vendor/autoload.php';

$aws_region = 'ap-northeast-1';
$aws_key = 'AKI***';      // access key of the IAM user api_admin
$aws_secret = 'LRd***';
$identity_pool_id = 'ap-northeast-1:9fa88c1e-xxx-xxx-xxx-xxx';
$developer_provider_name = "login.app001";   // developer provider name set on the identity pool
$developer_user_identifier = "1";            // the app's own user ID; one Cognito identity per value

$client = new CognitoIdentityClient([
    'region' => $aws_region,
    'version' => '2014-06-30',
    'credentials' => [
        'key' => $aws_key,
        'secret' => $aws_secret,
    ],
]);

try {
    // Exchange the developer-provider login for a Cognito IdentityId and an OpenID token
    $identity = $client->getOpenIdTokenForDeveloperIdentity([
        'IdentityPoolId' => $identity_pool_id,
        'Logins' => [$developer_provider_name => $developer_user_identifier],
    ]);
} catch (AwsException $e) {
    http_response_code(500);
    exit(json_encode(['error' => $e->getAwsErrorCode()]));
}

$id = $identity->get('IdentityId');
$token = $identity->get('Token');

$a1 = [];
$a1["IdentityId"] = $id;   // was $IdentityId, an undefined variable; $id holds the fetched value
$a1["token"] = $token;
header("Access-Control-Allow-Origin: *");   // wildcard CORS: any origin can call this endpoint
header("Content-Type: application/json");
echo json_encode($a1);
Run
https://xxx.xxx.jp/sdk_php/cognito.php
{"IdentityId":"ap-northeast-1:7e677406-xxx-xxx-xxx-xxx","token":"xxx"}
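A hardened variant of cognito.php, added here as an example (it is not the page's own code): the developer user identifier is taken from the app's own authenticated session rather than a fixed "1", the IAM keys come from the SDK's default credential provider chain instead of being hard-coded, the token lifetime is capped with TokenDuration, and CORS is limited to a single origin. The session layout ($_SESSION['user_id']) and the origin https://app.example.jp are assumptions.

```php
<?php
// Added example, not the original page's code. Assumes the app's login stores the
// authenticated user's ID in $_SESSION['user_id'] and that the front-end is served from
// https://app.example.jp (both placeholders). AWS credentials come from the SDK's default
// provider chain (env vars, ~/.aws/credentials or an instance role), not from this file.
require '../vendor/autoload.php';
use Aws\CognitoIdentity\CognitoIdentityClient;
use Aws\Exception\AwsException;

const IDENTITY_POOL_ID = 'ap-northeast-1:9fa88c1e-xxx-xxx-xxx-xxx'; // pool ID from the page
const DEVELOPER_PROVIDER = 'login.app001';                          // provider name from the page
const ALLOWED_ORIGIN = 'https://app.example.jp';                    // placeholder front-end origin
const TOKEN_LIFETIME_SECONDS = 900;   // short-lived OpenID token (the service default is 15 minutes)

header('Content-Type: application/json');
header('Access-Control-Allow-Origin: ' . ALLOWED_ORIGIN); // one origin, not *
header('Vary: Origin');

session_start();
// Only a user who has logged in to this app may be mapped to a Cognito identity.
// The identifier is the app's own stable user ID, never a value taken from the request.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not authenticated']);
    exit;
}
$developerUserIdentifier = (string) $_SESSION['user_id'];

$client = new CognitoIdentityClient([
    'region'  => 'ap-northeast-1',
    'version' => '2014-06-30',
]);
try {
    $result = $client->getOpenIdTokenForDeveloperIdentity([
        'IdentityPoolId' => IDENTITY_POOL_ID,
        'Logins'         => [DEVELOPER_PROVIDER => $developerUserIdentifier],
        'TokenDuration'  => TOKEN_LIFETIME_SECONDS,
    ]);
} catch (AwsException $e) {
    // Keep AWS error details out of the browser response; log them server-side instead.
    error_log('getOpenIdTokenForDeveloperIdentity failed: ' . $e->getAwsErrorCode());
    http_response_code(502);
    echo json_encode(['error' => 'token request failed']);
    exit;
}
echo json_encode([
    'IdentityId' => $result->get('IdentityId'),
    'token'      => $result->get('Token'),
]);
```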
Getting Cognito credentials with the CLI
aws cognito-identity get-credentials-for-identity --identity-id ap-northeast-1:7e677406-xxx-xxx-xxx-xxx --logins '{"cognito-identity.amazonaws.com":"eyJ***"}'
■ Return value
{
    "IdentityId": "ap-northeast-1:7e677406-xxx-xxx-xxx-xxx",
    "Credentials": {
        "AccessKeyId": "ASI***",
        "SecretKey": "tnd***",
        "SessionToken": "IQo***",
        "Expiration": "2021-04-09T11:24:37+09:00"
    }
}
Getting Cognito credentials and accessing S3 from JavaScript
<script src="https://code.jquery.com/jquery-3.2.1.js" integrity="sha256-DZAnKJ/6XZ9si04Hgrsxu/8s717jcIzLy3oi35EouyE=" crossorigin="anonymous"></script>
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.886.0.min.js"></script>
<script>
$(function() {
  //---------------------------------------------
  // Fetch the GetOpenIdTokenForDeveloperIdentity result
  //---------------------------------------------
  // Everything that needs the token runs inside the callback, so the deprecated
  // synchronous XHR ($.ajaxSetup({ async: false })) is no longer required.
  $.getJSON('https://xxx/cognito.php', function(data) {
    var IdentityId = data["IdentityId"];
    var token = data["token"];
    console.log("debug27 OK id=" + IdentityId);
    //console.log("debug28 OK token=" + token);
    //---------------------------------------------
    // Obtain Cognito credentials
    //---------------------------------------------
    AWS.config.region = 'ap-northeast-1';
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: "ap-northeast-1:9fa88c1e-xxx-xxx-xxx-xxx",
      IdentityId: IdentityId,
      Logins: {
        // the OpenID token minted by cognito.php is passed under this fixed key
        'cognito-identity.amazonaws.com': token
      }
    });
    //---------------------------------------------
    // S3 access
    //---------------------------------------------
    var s3 = new AWS.S3({
      apiVersion: "2006-03-01",
      region: 'ap-northeast-1',
      params: { Bucket: "xxx" }
    });
    console.log("debug72 OK s3=", s3);
    s3.listObjects({}, function(err, data) {
      if (err) {
        console.log("ERROR76 err=", err);
        return;
      }
      console.log("debug78 OK data=", data);
    });
  });
});
</script>
Permission settings
IAM Dashboard
https://console.aws.amazon.com/iam/home?region=ap-northeast-1#/home
Roles > Cognito_id_pool_01Auth_Role
Attach AmazonS3FullAccess