允许用户池中的 Cognito 用户访问 S3 存储桶的存储桶策略
[英]Bucket policy to allow Cognito user in User Pool access to S3 bucket
问题描述
I am trying to add a bucket policy to my bucket because my bucket is in a root aws account, and I want to restricts other users, roles, etc. under the root account from accessing my bucket except for a specific Cognito user in my User Pool.
我正在尝试向我的存储桶添加存储桶策略,因为我的存储桶位于 root aws 帐户中,并且我想限制 root 帐户下的其他用户、角色等访问我的存储桶,但我的用户中的特定 Cognito 用户除外游泳池。
I do not want to also use an identity pool -- I would just like to refer to the Cognito user as the principal in my bucket policy.我不想也使用身份池——我只想将 Cognito 用户称为我的存储桶策略中的主体。 Is there any way to do this without using an identity pool?有没有办法在不使用身份池的情况下做到这一点? I can't find any example policies that do this.我找不到任何执行此操作的示例策略。
1 个解决方案
解决方案1
0 2020-12-18 13:51:32
You can set the Principle of your bucket policy as the auth role of your Cognito user.您可以将存储桶策略的原则设置为 Cognito 用户的身份验证角色。 In my case, the Principle looks like就我而言,原则看起来像
"Principal": {
"AWS": "arn:aws:iam::123456789000:role/NAME_OF_MY-authRole"
},
Then, you can further control the access by changing the Resource.然后,您可以通过更改资源来进一步控制访问。 Here is the example from AWS docs .这是来自AWS docs的示例。
"arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.