I'm using cognito identity pools to give users permission to read an S3 bucket. The idea is that each user has a "folder" (prefix) that they can read and they shouldn't be able to read anyone elses folder.
The way I have this plumbed up is:
Now, the S3 bucket has a policy and the role also has a policy (which is below). The problem is that only the S3 policy is being evaluated.
The role is called "S3Stuff"
Role permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket>",
      "Condition": {
        "StringLike": {
          "s3:prefix": "${cognito-identity.amazonaws.com:sub}/*"
        }
      }
    }
  ]
}
Role trust relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:<GUID>"
        },
        "StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
S3 bucket policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::720911909616:role/S3Stuff"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket>"
    }
  ]
}
With the above S3 configuration, when I log into Cognito as a user, I can list the entire contents of the bucket. When I add a condition to the S3 bucket policy (like below) it works correctly (i.e. I can list the part of the bucket I should be able to and can't access what I shouldn't be able to). Also, before I put the S3 policy on, it was denying me access.
Condition
"Condition": {
  "StringLike": {
    "s3:prefix": "${cognito-identity.amazonaws.com:sub}/*"
  }
}
To be clear, I know I can just throw everything into the S3 policy, but I want to know what's going on and why.
Why is the policy in the role being bypassed?
This picture is key. I got it from "Deep Dive with Security: AWS Identity and Access Management" on the AWS Learning thing.
I was misled into thinking that the policy that applies to a request is the "least-privilege union" of all the policies. This is very close to being right, but it is untrue.
If you have a resource based policy that approves an action the role policies will only have an effect if there is an explicit deny.
Concerning the part where I said that before I put the S3 policy on I was being denied access, it's probably because of the Cognito aud. I was using the wrong aud for a while (the Cognito aud being referred to comes from Cognito identity pools, not Cognito user pools, just in case anyone was curious) and eventually figured it out and used the right one. I must have started testing the S3 policy before changing the aud to the right thing.
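To make the evaluation rule described in the answer concrete, here is an added Python model of how the role policy and the bucket policy combine for a same-account role session; it is not code from the question or answer and not AWS's real evaluation engine, and the bucket name, account id and identity ids are constructed placeholders.

```python
import fnmatch

BUCKET_ARN = "arn:aws:s3:::example-bucket"           # constructed placeholder
ROLE_ARN = "arn:aws:iam::111122223333:role/S3Stuff"  # constructed placeholder
SUB = "cognito-identity.amazonaws.com:sub"
PREFIX_COND = {"StringLike": {"s3:prefix": "${" + SUB + "}/*"}}

# Constructed sample policies modelled on the ones in the question: the role
# allows ListBucket only under the caller's own prefix, the "open" bucket policy
# allows it unconditionally, the "scoped" one carries the same prefix condition.
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                              "Resource": BUCKET_ARN, "Condition": PREFIX_COND}]}
BUCKET_POLICY_OPEN = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
                                     "Action": "s3:ListBucket", "Resource": BUCKET_ARN}]}
BUCKET_POLICY_SCOPED = {"Statement": [dict(BUCKET_POLICY_OPEN["Statement"][0],
                                           Condition=PREFIX_COND)]}

def _matches(stmt, action, resource, ctx):
    """Does this statement apply to the request? Only the IAM syntax used on this
    page is modelled: single Action/Resource strings, an optional AWS Principal and
    StringLike conditions with ${variable} substitution from the request context."""
    if stmt["Action"] != action or stmt["Resource"] != resource:
        return False
    if "Principal" in stmt and stmt["Principal"].get("AWS") != ctx["principal"]:
        return False
    for key, pattern in stmt.get("Condition", {}).get("StringLike", {}).items():
        for var, val in ctx.items():
            pattern = pattern.replace("${" + var + "}", val)
        # A condition key absent from the request (e.g. a list with no prefix)
        # makes the condition evaluate to false, so the statement does not apply.
        if key not in ctx or not fnmatch.fnmatchcase(ctx[key], pattern):
            return False
    return True

def evaluate(identity_policy, resource_policy, action, resource, ctx):
    """Simplified same-account evaluation as the answer states it: an explicit Deny
    anywhere wins; otherwise an Allow in EITHER the resource-based policy or the
    identity-based policy grants the request; with no Allow at all it is denied."""
    effects = [s["Effect"] for p in (identity_policy, resource_policy)
               for s in p["Statement"] if _matches(s, action, resource, ctx)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

def list_request(sub, prefix):
    """Request context for an authenticated Cognito identity listing one prefix."""
    return {"principal": ROLE_ARN, SUB: sub, "s3:prefix": prefix}

if __name__ == "__main__":
    other = list_request("us-east-1:user-a", "us-east-1:user-b/")  # someone else's folder
    print(evaluate(ROLE_POLICY, BUCKET_POLICY_OPEN, "s3:ListBucket", BUCKET_ARN, other))
    print(evaluate(ROLE_POLICY, BUCKET_POLICY_SCOPED, "s3:ListBucket", BUCKET_ARN, other))
```

With the open bucket policy the role's prefix condition is never what decides the request, so listing another identity's folder is allowed; once the same condition sits in the bucket policy the request is denied.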