[英]Allow access to custom prefix on S3 with Cognito
I need to allow users to access files on S3 with a specific prefix -- ie username1 -- that I can't change, so I can't just use the ${cognito-identity.amazonaws.com:sub}
as the prefix.我需要允许用户使用我无法更改的特定前缀(即 username1)访问 S3 上的文件,因此我不能仅使用${cognito-identity.amazonaws.com:sub}
作为前缀. My S3 bucket is already populated with content under specific prefixes - so a user logs into my app, and is then allowed to access one of those specific prefixes我的 S3 存储桶已经填充了特定前缀下的内容 - 因此用户登录我的应用程序,然后被允许访问这些特定前缀之一
Currently set up on AWS to allows users to authenticate in a Cognito role using Firebase and developer authenticated identities.目前在 AWS 上设置为允许用户使用 Firebase 和开发人员身份验证以 Cognito 角色进行身份验证。 Each user account (email/password) has an associated S3 prefix that they must be able to access.每个用户帐户(电子邮件/密码)都有一个关联的 S3 前缀,他们必须能够访问该前缀。 Some users will share this prefix (two users accessing S3-bucket/username1 for example).一些用户将共享此前缀(例如,两个用户访问 S3-bucket/username1)。 A user should not be able to list or access any other prefix except their associated prefix.用户不应能够列出或访问除其关联前缀之外的任何其他前缀。
I'm not quite sure what the best way to go about accomplishing this -- just with Cognito roles or using a database and lambda function + api endpoint, bucket/user policies or ACLs.我不太确定实现这一目标的最佳方法是什么——仅使用 Cognito 角色或使用数据库和 lambda 函数 + api 端点、存储桶/用户策略或 ACL。 Is there a simple way that I'm missing?有没有我缺少的简单方法?
Pretty new to AWS, any help will be greatly appreciated! AWS 的新手,任何帮助将不胜感激!
tl;dr: How to only allow a user to access files on S3 with a specific prefix, that is NOT the ${cognito-identity.amazonaws.com:sub}
variable? tl; dr:如何只允许用户访问 S3 上具有特定前缀的文件,这不是${cognito-identity.amazonaws.com:sub}
变量?
As mentioned in comments, Amazon Cognito does not directly support your use case today.如评论中所述,Amazon Cognito 目前不直接支持您的用例。 You can implement something like the following to achieve your goals:您可以实施类似以下内容来实现您的目标:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.