
Cognito / S3 User Specific Policies

I am using the AWS SDK for Android alongside Cognito to authenticate users (via Login With Amazon) to my AWS resources. What I am attempting to do is to set up an S3 bucket like so:

./my-bucket
  ├── first_user@email.com
  └── second_user@email.com

So, the my-bucket bucket will have folders based on the user's e-mail address.

My first stab at setting up the policy was as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/${www.amazon.com:user_id}",
        "arn:aws:s3:::my-bucket/${www.amazon.com:user_id}/*"
      ]
    }
  ]
}

As a test, I am trying to download a folder for a user like so:

import java.io.File;
import java.util.HashMap;
import java.util.Map;
// TransferManager and MultipleFileDownload come from the AWS SDK's S3 transfer package;
// credentialsProvider is the Cognito credentials provider created earlier.

// Map the Login With Amazon provider name to the LWA access token.
final Map<String, String> logins = new HashMap<>();
logins.put("www.amazon.com", token);
credentialsProvider.withLogins(logins);

// Download every object under the user's "folder" (key prefix) into local storage.
final TransferManager transferManager = new TransferManager(credentialsProvider);
MultipleFileDownload download = transferManager.downloadDirectory(
        "my-bucket", "first_user@email.com", new File("/sdcard/Download"));

However, when I run this I get a "Forbidden" exception. If I modify the policy to explicitly reference first_user@email.com rather than ${www.amazon.com:user_id} it works fine.

Question

  1. Is it even possible to use the LWA user's e-mail address to configure it like this?
  2. Is there a way to actually log what parameters are being sent when I make a request?

I've seen references like this but I'm not sure which ones actually apply. It would be fantastic if I were somehow able to see what values are coming across when I make a request.

Thanks in advance.

In answer to your questions:

  1. No, it is not possible to do this with Cognito or web identity federation with just Login with Amazon. The identifiers returned in this flow are pseudo-anonymous. Cognito IDs will be of the form us-east-1:abcd-123456-xxxxx-xxxxx-xxxx. If you use Login with Amazon directly, the IDs would be of the form amzn-1234567890.
  2. The IDs vended from Cognito are available on the credentials provider by simply calling the getIdentityId method. If you are using the raw web identity federation flow, the AssumeRoleWithWebIdentityResult class contains the values for the provider, application/audience and user id.
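The point of the answer (the policy variable is filled from the pseudo-anonymous federated ID, never from the e-mail address, so a prefix named after the e-mail can never match) as an added Python example that is not code from the question, the answer or AWS: a minimal simulation of IAM Allow-statement evaluation with policy-variable substitution, run over the question's policy shape. The `${cognito-identity.amazonaws.com:sub}` variable is the one an identity pool's authenticated role can use; the bucket name and the ID values are constructed placeholders.

```python
import fnmatch
import re
from typing import Optional

# Constructed policy with the same shape as the question's: one bucket plus a
# per-user prefix named by an IAM policy variable (parameterised so the raw
# Login with Amazon flow and the Cognito flow can be compared).
def user_prefix_policy(user_var: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": ["arn:aws:s3:::my-bucket"]},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": ["arn:aws:s3:::my-bucket/${%s}" % user_var,
                          "arn:aws:s3:::my-bucket/${%s}/*" % user_var]},
        ],
    }

_VAR = re.compile(r"\$\{([^}]+)\}")

def expand(resource: str, context: dict) -> Optional[str]:
    """Substitute ${provider:key} variables from the request context.
    A variable the request does not carry makes the Resource element
    unmatchable, so None is returned instead of a pattern."""
    missing = False
    def repl(m):
        nonlocal missing
        if m.group(1) not in context:
            missing = True
            return ""
        return context[m.group(1)]
    out = _VAR.sub(repl, resource)
    return None if missing else out

def is_allowed(policy: dict, action: str, resource_arn: str, context: dict) -> bool:
    """Simplified Allow-only evaluation (no explicit Deny, no Condition):
    allowed if some statement lists the action and one of its expanded
    Resource patterns matches the requested ARN ('*' spans '/' as in IAM)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        for res in stmt["Resource"]:
            pattern = expand(res, context)
            if pattern is not None and fnmatch.fnmatchcase(resource_arn, pattern):
                return True
    return False
```

With the request context carrying `www.amazon.com:user_id = amzn-1234567890`, a GetObject on `my-bucket/first_user@email.com/...` is denied while the same call on `my-bucket/amzn-1234567890/...` is allowed, which is exactly the "Forbidden" the question observed.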
