[英]Bucket policy to allow Cognito user in User Pool access to S3 bucket
I am trying to add a bucket policy to my bucket because my bucket is in a root aws account, and I want to restricts other users, roles, etc. under the root account from accessing my bucket except for a specific Cognito user in my User Pool.我正在尝试向我的存储桶添加存储桶策略,因为我的存储桶位于 root aws 帐户中,并且我想限制 root 帐户下的其他用户、角色等访问我的存储桶,但我的用户中的特定 Cognito 用户除外游泳池。
I do not want to also use an identity pool -- I would just like to refer to the Cognito user as the principal in my bucket policy.我不想也使用身份池——我只想将 Cognito 用户称为我的存储桶策略中的主体。 Is there any way to do this without using an identity pool?有没有办法在不使用身份池的情况下做到这一点? I can't find any example policies that do this.我找不到任何执行此操作的示例策略。
You can set the Principle of your bucket policy as the auth role of your Cognito user.您可以将存储桶策略的原则设置为 Cognito 用户的身份验证角色。 In my case, the Principle looks like就我而言,原则看起来像
"Principal": {
"AWS": "arn:aws:iam::123456789000:role/NAME_OF_MY-authRole"
},
Then, you can further control the access by changing the Resource.然后,您可以通过更改资源来进一步控制访问。 Here is the example from AWS docs .这是来自AWS docs的示例。
"arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.