How do i pass the user credential to access s3 bucket once user is authenticated by cognito?
Question
I am using javascript sdk in node env and want to be able to assign a "key"/folder per user. I am able to authenticate and get a token with cognito. However with the following rules set I get a access denied. How do I actually pass the credentials on to access the users object?
Policy is as follows in IAM:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*", "s3:Put*" ], "Resource": [ "arn:aws:s3:::myBucket", "arn:aws:s3:::myBucket/*" ], "Condition": { "StringLike": { "s3:prefix": [ "${aws:username}/*" ] } } } ] }
1 answers
solution1
1 ACCPTED 2019-03-20 17:36:42
Your policy is wrong.
Here is how to fix it: Once you have cognito setup in AWS console, you will get two roles, auth cognito role and unauth. Go to the auth role in IAM and resource to look something like this...
"Resource": [ "arn:aws:s3:::mybucket/Users/${cognito-identity.amazonaws.com:sub}",]
The cognito identity: sub part is what ties the folder to the authenticated user.
Then in node, when you do put or get just use the same key but where this is -- ${cognito-identity.amazonaws.com:sub pass the identityID of the user. I am not sure how to get the identityID from AWS console, but you can definitely get it using the cli. Just check out the cognito api section to see how to get the identityID.
Hope that helps.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.