Allow access to custom prefix on S3 with Cognito

Question

I need to allow users to access files on S3 with a specific prefix -- ie username1 -- that I can't change, so I can't just use the ${cognito-identity.amazonaws.com:sub} as the prefix. My S3 bucket is already populated with content under specific prefixes - so a user logs into my app, and is then allowed to access one of those specific prefixes

Currently set up on AWS to allows users to authenticate in a Cognito role using Firebase and developer authenticated identities. Each user account (email/password) has an associated S3 prefix that they must be able to access. Some users will share this prefix (two users accessing S3-bucket/username1 for example). A user should not be able to list or access any other prefix except their associated prefix.

I'm not quite sure what the best way to go about accomplishing this -- just with Cognito roles or using a database and lambda function + api endpoint, bucket/user policies or ACLs. Is there a simple way that I'm missing?

Pretty new to AWS, any help will be greatly appreciated!

tl;dr: How to only allow a user to access files on S3 with a specific prefix, that is NOT the ${cognito-identity.amazonaws.com:sub} variable?

Answer 1

As mentioned in comments, Amazon Cognito does not directly support your use case today. You can implement something like the following to achieve your goals:

1. Use Cognito to authenticate your users as normal. The Cognito identities would have permissions to invoke an API Gateway endpoint.
2. Your API (running in a Lambda) uses the Cognito identity id (provided in the context) to lookup the mapping of Cognito identity to your custom S3 prefix.
3. Your API uses STS to generate temporary credentials to access that prefix, returning them to the client.
4. The client uses those credentials to make a request directly to S3.