
I am trying to authenticate a Lambda via AWS ALB + Cognito. When I open the DNS name, it redirects me to the login page, where I can sign up and verify a user. I can also see the user added to the user pool. After logging in, it gives a 500 Internal Server Error. The default action of forwarding to the function is executing in the background; I can see it in the logs.

I don't know why it is not redirecting to / executing the Lambda after the user is authenticated. Could you give some insight into what I might be missing in this setup?

I have set up the Lambda, ALB and Cognito in Terraform.

resource "aws_cognito_user_pool" "pool" {
  name             = "alb-test-userpool"
  alias_attributes = ["email", "preferred_username"]

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
  }
  email_verification_subject = "Device Verification Code"
  email_verification_message = "Please use the following code {####}"
  sms_verification_message   = "{####} Baz"
  auto_verified_attributes   = ["email"]

  password_policy {
    minimum_length    = 8
    require_lowercase = false
    require_numbers   = false
    require_symbols   = false
    require_uppercase = false
  }

  schema {
    name                = "email"
    attribute_data_type = "String"
    mutable             = false
    required            = true
  }

  # Terraform 0.12+ syntax: tags is a map argument, not a block.
  tags = {
    Name = "alb pool"
  }
}

resource "aws_cognito_user_pool_client" "client" {
  name         = "alb-test-user-client"
  user_pool_id = aws_cognito_user_pool.pool.id

  # The ALB authenticate-cognito action performs the code exchange with the
  # client secret, so the client must have one.
  generate_secret = true

  # Attribute was declared twice in the original; declare it once.
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid"]
  supported_identity_providers         = ["COGNITO"]
  explicit_auth_flows                  = ["ADMIN_NO_SRP_AUTH"]

  # The ALB's HTTPS listener address followed by /oauth2/idpresponse.
  callback_urls = ["https://internal-****-****.us-west-2.elb.amazonaws.com/oauth2/idpresponse"]
}

resource "aws_cognito_user_pool_domain" "pool_domain" {
  domain       = var.domain
  user_pool_id = aws_cognito_user_pool.pool.id
}

1 Answer


The load balancer cannot communicate with the IdP token endpoint or the IdP user info endpoint. Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.

From the AWS documentation on 500 errors.

answered 2019-05-26T19:47:08.977
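As an added example (not part of the question or the answer above), here is the ALB side of the same setup in Terraform 0.12+ syntax, wired so that the answer's checklist holds: an internal ALB in private subnets whose route table defaults to a NAT gateway, a security group that allows outbound HTTPS to the Cognito token and userinfo endpoints, and an HTTPS listener whose default actions first authenticate against the user pool from the question and then forward to a Lambda target group. The Lambda function `aws_lambda_function.handler`, the variables `vpc_id`, `private_subnet_ids`, `private_route_table_id`, `nat_gateway_id` and `certificate_arn`, and the 10.0.0.0/8 client range are assumptions.

```hcl
# Added example: ALB + Cognito + Lambda wiring (Terraform 0.12+, AWS provider).
# Assumed to exist elsewhere: aws_lambda_function.handler and the var.* values below.

resource "aws_security_group" "alb" {
  name   = "alb-test-sg"
  vpc_id = var.vpc_id

  # Clients of the internal ALB (assumed private range).
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }

  # Outbound HTTPS is needed by the ALB itself: after the hosted-UI redirect it
  # calls the Cognito token and userinfo endpoints. Blocked egress -> HTTP 500.
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# An internal ALB sits in private subnets, so those subnets need a default
# route via a NAT gateway to reach the public Cognito endpoints.
resource "aws_route" "private_default" {
  route_table_id         = var.private_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = var.nat_gateway_id
}

resource "aws_lb" "this" {
  name               = "alb-test"
  internal           = true
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.private_subnet_ids
}

resource "aws_lb_target_group" "lambda" {
  name        = "alb-test-lambda"
  target_type = "lambda"
}

# Elastic Load Balancing must be allowed to invoke the function before attaching it.
resource "aws_lambda_permission" "alb" {
  statement_id  = "AllowExecutionFromALB"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.handler.function_name
  principal     = "elasticloadbalancing.amazonaws.com"
  source_arn    = aws_lb_target_group.lambda.arn
}

resource "aws_lb_target_group_attachment" "lambda" {
  target_group_arn = aws_lb_target_group.lambda.arn
  target_id        = aws_lambda_function.handler.arn
  depends_on       = [aws_lambda_permission.alb]
}

# Cognito requires HTTPS callback URLs, so the listener has to be HTTPS.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = var.certificate_arn

  # Order 1: unauthenticated requests are redirected to the hosted UI; after the
  # code exchange the ALB sets its AWSELBAuthSessionCookie and continues.
  default_action {
    order = 1
    type  = "authenticate-cognito"

    authenticate_cognito {
      user_pool_arn              = aws_cognito_user_pool.pool.arn
      user_pool_client_id        = aws_cognito_user_pool_client.client.id
      user_pool_domain           = aws_cognito_user_pool_domain.pool_domain.domain
      scope                      = "openid"
      on_unauthenticated_request = "authenticate"
      session_timeout            = 3600
    }
  }

  # Order 2: authenticated requests reach the Lambda with the x-amzn-oidc-*
  # headers (identity, accesstoken, data) added by the ALB.
  default_action {
    order            = 2
    type             = "forward"
    target_group_arn = aws_lb_target_group.lambda.arn
  }
}
```

The certificate behind `certificate_arn` has to be valid for whatever hostname appears in the client's `callback_urls`; ACM will not issue one for the default `*.elb.amazonaws.com` name, so in practice the ALB is fronted by a DNS record in a zone you control and that hostname is used both in the callback URL and by the browser.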