
AWS S3: private access using id_token from Cognito like to the ApiGateway: is it possible?

I successfully set up access to the Lambda using the token_id from Cognito: the client adds the header Authorization: <token_id> and API Gateway validates this token. I hope that I can set up similar access to S3 from the client browser. For that I wrote a policy for the S3 bucket (every user has their own directory for files):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::buc/${cognito-identity.amazonaws.com:sub}/*"
        }
    ]
}

I tried this call:

curl -v --header 'Authorization: [id_token_from_cognito_after_signup]' https://s3.amazonaws.com/buc/<sub>/myfile.jpg

That returns 400 Authorization header is invalid -- one and only one ' ' (space) required. On the web I found that this error can be unrelated to the spaces, because this request has the correct number of spaces (I tried the request without spaces too).

It is interesting that Cognito is not mentioned in the S3 documentation.

I do not want to use the JS SDK on the client, for speed and simplicity.

You were able to access your API using the Cognito token because of the integration of Cognito in API Gateway, as fully described in the AWS blog:

The Cognito user pools integration with API Gateway provides a new way to secure your API workloads

However, as of today, there's no such possibility for S3. You would need to compute the signature yourself, as explained in the doc you reference (various examples are referenced here).
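The "compute the signature yourself" path, as an added illustration that is not part of this answer: a minimal Signature Version 4 signer for a GET of one object with the temporary credentials (access key, secret key, session token) that Cognito Identity issues for a signed-in user; the key prefix is the identity id, which is what ${cognito-identity.amazonaws.com:sub} in the bucket policy resolves to. Bucket, region, credential and timestamp values are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# SHA-256 of an empty body: a GET has no payload, and S3 requires this header.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_get_request(uri: str, headers: dict) -> str:
    """SigV4 canonical request for a GET without a query string."""
    names = sorted(headers)  # header names must be lowercase and sorted
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    return "\n".join(["GET", uri, "", canonical_headers, ";".join(names), EMPTY_SHA256])


def sigv4_s3_get(bucket, key, region, access_key, secret_key, session_token, now):
    """Return (url, headers) for a SigV4-signed GET of s3://bucket/key with temporary credentials."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    uri = "/" + quote(key, safe="/~")  # encode each path segment exactly once
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {
        "host": host,
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,  # temporary creds: the token is signed too
    }
    signed_headers = ";".join(sorted(headers))
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    creq_hash = hashlib.sha256(canonical_get_request(uri, headers).encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, creq_hash])
    # Signing key derivation: "AWS4"+secret -> date -> region -> service -> terminator.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return "https://" + host + uri, headers


def demo():
    # Constructed placeholders; real values come from GetCredentialsForIdentity and GetId.
    identity_id = "us-east-1:11111111-2222-3333-4444-555555555555"
    return sigv4_s3_get("buc", f"{identity_id}/myfile.jpg", "us-east-1", "ASIAEXAMPLE",
                        "secretEXAMPLE", "sessionTokenEXAMPLE", datetime.datetime(2024, 1, 2, 3, 4, 5))


if __name__ == "__main__":
    url, hdrs = demo()
    print("curl", " ".join(f"-H '{n}: {v}'" for n, v in hdrs.items() if n != "host"), url)
```

The same steps run in a browser against the values returned by GetCredentialsForIdentity; the per-identity prefix in the bucket policy is what keeps one user from reading another's files.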

Have you tried this policy mentioned here?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<BUCKET-NAME>"],
      "Condition": {"StringLike": {"s3:prefix": ["cognito/<APPLICATION-NAME>/"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET-NAME>/cognito/<APPLICATION-NAME>/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::<BUCKET-NAME>/cognito/<APPLICATION-NAME>/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
