How to allow Cognito user pool users to delete objects in S3?

My mobile app uses AWS Amplify and I have a Cognito user pool and an S3 bucket in the project. Users are able to put objects into the bucket no problem, but they can't delete. What I want to do is for each logged-in user to be able to delete a file in the bucket.

The path to the files is for example: my_bucket_name/protected/eu-west-2:de55c2rf-8f1e-836d-88f9-82da662aau6dt/videos/video1

To delete, I call this:

import { Storage } from 'aws-amplify'; 
import Amplify, { Auth } from 'aws-amplify';

. . . . . .

delFromS3 = async () => {
  Storage.remove('protected/eu-west-2:de55c2rf-8f1e-836d-88f9-82da662aau6dt/videos/video1')
    .then(result => console.log('Deleted Video from S3'))
    .catch(err => console.log('Deleting video from S3 error: ', err));
}

So I either need a way to allow users in the Cognito user pool to be authorised to delete an object. Or, because I manually know the path to the file in each user's sub-bucket (e.g. /protected/eu-west-2:de55c2rf-8f1e-836d-88f9-82da662aau6dt/videos/video1 ), just pass that in my delFromS3() function. I don't think this is a bucket policy issue.

Or, if I need to use an Identity pool, how do I allow all the users in my existing user pool to work with the automatically generated Identity pool to enable them to delete in S3? At the moment users use Cognito to get into the user pool using Auth.signIn().

I'd call an API and in your Lambda check security / who it is and if they have access to remove the file. You may be able to check Amplify user characteristics from policy, haven't tried.

But the extra API gives you another layer of security if desired in future.
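The check this answer describes (a Lambda that confirms who is calling and whether they may remove the file), as an added example that is not part of the original post. It assumes API Gateway IAM authorization with Cognito identity pool credentials, a `key` query parameter, and a hypothetical injected `deleteObject` wrapper around the S3 delete call.

```javascript
// Assumption: API Gateway uses IAM auth with Cognito identity pool credentials,
// so the caller's identity ID arrives in event.requestContext.identity.
const PROTECTED_PREFIX = 'protected/';

// Constructed sample request, using the identity ID and key from the question.
const SAMPLE_ID = 'eu-west-2:de55c2rf-8f1e-836d-88f9-82da662aau6dt';
const SAMPLE_EVENT = {
  requestContext: { identity: { cognitoIdentityId: SAMPLE_ID } },
  queryStringParameters: { key: `protected/${SAMPLE_ID}/videos/video1` },
};

// Decide whether identityId may delete key: only keys under its own folder.
function authorizeDelete(identityId, key) {
  if (typeof identityId !== 'string' || identityId === '') {
    return { allowed: false, status: 401, reason: 'unauthenticated' };
  }
  if (typeof key !== 'string' || key === '') {
    return { allowed: false, status: 400, reason: 'missing key' };
  }
  // Reject empty and dot segments so the key cannot be read ambiguously.
  if (key.split('/').some((s) => s === '' || s === '.' || s === '..')) {
    return { allowed: false, status: 400, reason: 'malformed key' };
  }
  // The trailing slash stops "id" from matching a longer "id-other" folder.
  if (!key.startsWith(`${PROTECTED_PREFIX}${identityId}/`)) {
    return { allowed: false, status: 403, reason: 'not owner' };
  }
  return { allowed: true, status: 204, reason: 'owner' };
}

// Lambda-style handler. deleteObject is a hypothetical injected wrapper around
// the S3 delete call, which keeps the authorization logic testable offline.
async function handleDelete(event, deleteObject) {
  const identity = (event.requestContext || {}).identity || {};
  const key = (event.queryStringParameters || {}).key;
  const decision = authorizeDelete(identity.cognitoIdentityId, key);
  if (!decision.allowed) {
    return { statusCode: decision.status, body: JSON.stringify({ error: decision.reason }) };
  }
  await deleteObject(key);
  return { statusCode: 204, body: '' };
}
```

Because the identity ID is taken from the request context rather than from the key the client sends, a caller cannot name another user's folder and have the delete go through.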
