Allow Cognito user to Write to S3

I have an embedded device that requires the ability to write to S3. I want to avoid giving the embedded device an actual AWS IAM user. I am looking at using Cognito to gain write access to S3.

I have a user pool with a group and one user (for now). The group has an attached policy which permits access to write to a certain S3 bucket. The pool is set up so that only admins can create new users. I have managed to authenticate the Cognito user and have got access to refresh tokens and the idTokens. I am looking to use these tokens to write to my S3 bucket.

I am trying to follow the documentation but am getting confused. I think I need a federated identity pool but I have no requirement for a public provider. I just want my Cognito user group to write to S3.

Is there a simple solution to allow a Cognito user to write to S3 without federated identities, or if not, do I require a back end to serve a token for a federated identity?

I have been using warrant https://github.com/capless/warrant to authenticate as so:

from warrant.aws_srp import AWSSRP
import boto3

client = boto3.client('cognito-idp')  # region is taken from the environment / AWS config

aws = AWSSRP(username='<username>', password='<password>', pool_id='<pool>',
             client_id='<clientid>', client=client)

# SRP login against the user pool; the response carries IdToken, AccessToken
# and RefreshToken under 'AuthenticationResult'
tokens = aws.authenticate_user()

Any tips would be greatly appreciated!

You do need a federated identity pool. In the identity provider section you choose Cognito and enter your pool ID and pool client ID. Then, you need to provide the identity pool with authenticated and unauthenticated roles. You can use these roles to provide that S3 write access.

This is the default behavior for the identity provider setup. If you want the Role to come from the group that your user is in, you will need to set the Choose role from token option in the identity provider section under where you provided your pool and client ID.
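As an added example (not the original poster's or the answerer's code), here is the exchange the answer describes, in Python with boto3: the ID token returned by authenticate_user() is handed to the identity pool, which returns temporary credentials for the authenticated role (or the group's role when Choose role from token is set), and those credentials are used to write to the bucket. Region, pool IDs and bucket name are placeholders, and the AWS clients can be injected so the flow can be exercised without AWS access.

```python
# Added example, not code from the original question or answer.
# Trades a Cognito User Pool ID token for temporary credentials through a
# Cognito Identity Pool, then writes to S3 with them. All IDs are placeholders.
try:
    import boto3
except ImportError:  # the functions below still work with injected clients
    boto3 = None

REGION = "us-east-1"                                                  # placeholder
USER_POOL_ID = "us-east-1_EXAMPLE"                                    # placeholder
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
BUCKET = "example-device-bucket"                                      # placeholder


def login_provider_key(region, user_pool_id):
    """Key of the Logins map the identity pool expects for a user pool token."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def credentials_for_id_token(id_token, identity_client=None):
    """GetId + GetCredentialsForIdentity: exchange the ID token for STS credentials.

    The role assumed is the identity pool's authenticated role or, when
    'Choose role from token' is enabled, the role of the user's group
    (the cognito:preferred_role claim carried in the ID token).
    """
    identity_client = identity_client or boto3.client("cognito-identity", region_name=REGION)
    logins = {login_provider_key(REGION, USER_POOL_ID): id_token}
    identity_id = identity_client.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    resp = identity_client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return resp["Credentials"]  # AccessKeyId, SecretKey, SessionToken, Expiration


def s3_client_for(creds):
    """S3 client bound to the short-lived credentials; no long-term IAM user involved."""
    return boto3.client(
        "s3",
        region_name=REGION,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretKey"],
        aws_session_token=creds["SessionToken"],
    )


def upload_with_user_token(id_token, key, body, identity_client=None, s3_client=None):
    """End to end: ID token -> identity pool credentials -> S3 PutObject.

    id_token is tokens["AuthenticationResult"]["IdToken"] from authenticate_user().
    Returns the credential expiry so the device knows when to refresh.
    """
    creds = credentials_for_id_token(id_token, identity_client)
    s3 = s3_client or s3_client_for(creds)
    s3.put_object(Bucket=BUCKET, Key=key, Body=body)
    return creds["Expiration"]
```

The device never holds an access key of its own; it holds only the user pool refresh token and the credentials the identity pool hands out, which expire on their own.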
