I am using the AWS SDK for Android alongside Cognito to authenticate users (via Login With Amazon) to my AWS resources. What I am attempting to do is to setup an S3 bucket like so:
./my-bucket
├── first_user@email.com
└── second_user@email.com
So, the my-bucket
bucket will have folders based on the user's e-mail address.
My first stab to setup the policy was as such:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::my-bucket"]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::my-bucket/${www.amazon.com:user_id}",
"arn:aws:s3:::my-bucket/${www.amazon.com:user_id}/*"
]
}
]
}
As a test, I am trying to download a folder for a user like so:
final Map logins = new HashMap();
logins.put("www.amazon.com", token);
credentialsProvider.withLogins(logins);
final TransferManager transferManager = new TransferManager(credentialsProvider);
MultipleFileDownload download = transferManager.downloadDirectory("my-bucket", "first_user@email.com", new File("/sdcard/Download"));
However, when I run this I get a "Forbidden" exception. If I modify the policy to explicitly reference first_user@email.com
rather than ${www.amazon.com:user_id}
it works fine.
I've seen references like this but I'm not sure which ones actually apply. It would be fantastic if I were somehow able to see what values are coming across when I make a request.
Thanks in advance.
In answer to your questions:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.