AWS S3 Transfer Manager ${cognito-identity.amazonaws.com:sub} Policy Variable Access Denied
Problem solved. Turns out, ${cognito-identity.amazonaws.com:sub} doesn't really refer to the sub in the JWT token. It refers to the IdentityID from the credentialsProvider:
    // AWS iOS SDK v2: fetch the Cognito identity ID ("us-east-1:...") for this device
    (AWSServiceManager.default().defaultServiceConfiguration.credentialsProvider
        as! AWSCognitoCredentialsProvider).getIdentityId()
        .continue({ task -> Any? in
            // task.result is the identity ID that the policy variable expands to
            print("Credentials ID is \(task.result!)")
            return nil
        })
I manually made a folder in my bucket with the name equal to task.result! (which is in the format of us-east-1:XXXXXXXXXXXXXXXXXX, FYI), and it worked.
IAM Policy for S3 folder access based on Cognito ID
Unfortunately there is currently an issue with the roles generated via the Cognito console in combination with policy variables. Please update your roles' access policy to include the following to ensure policy variables are evaluated correctly:
"Version": "2012-10-17"
2014-09-16 Update: We have updated the Amazon Cognito console to correct this issue for new roles created via the Identity Pool creation wizard. Existing roles will still need to make the modification noted above.
Cognito / S3 User Specific Policies
In answer to your questions:
- No it is not possible to do this with Cognito or web identity federation with just Login with Amazon. The identifiers returned in this flow are pseudo-anonymous. Cognito IDs will be of the form us-east-1:abcd-123456-xxxxx-xxxxx-xxxx. If you use Login with Amazon directly, the IDs would be of the form amzn-1234567890.
- The IDs vended from Cognito are available on the credentials provider by simply calling the getIdentityId method. If you are using the raw web identity federation flow, the AssumeRoleWithWebIdentityResult class contains the values for the provider, application/audience and user id.
Securing bucket- and resource access in Amazon Web Services S3?
A Cognito Identity Pool is perfect for this scenario. For the authorized role, give it a policy that looks something like this:
{
"Sid": "Access User-Specific Folder",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/${cognito-identity.amazonaws.com:sub}/*"
}
This restricts a user to only objects in the folder that has the same name as their unique id in your Identity Pool. This method only uses one bucket.
Any time that you are thinking about programmatically making custom IAM roles for each user or a different bucket for each user, the answer is to use Cognito Identity.
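To tie the answers above together, here is an added worked example (not code from any of the posts or from AWS). It builds the authenticated-role policy with the "Version": "2012-10-17" line that the AWS reply says is required, then runs a small evaluator that models how the policy variable is filled in: the Cognito identity ID from getIdentityId() is substituted, so a folder named after the JWT sub claim is denied while the identity-ID folder is allowed, and with the Version line missing the ${...} text is matched literally. The bucket name, identity IDs and sub value are constructed sample values, the evaluator is a deliberately simplified model of IAM string matching rather than the real engine, and the Sid is written without spaces because identity-based policies only accept alphanumeric Sids.

```python
"""Worked model of how an S3 policy variable resolves for a Cognito identity.

The evaluator is a small approximation of IAM matching written for this
example; it is not the AWS policy engine.
"""
import copy
import re

# Constructed sample values, not taken from the original posts.
BUCKET = "my-app-uploads"
IDENTITY_ID = "us-east-1:12345678-1234-1234-1234-123456789012"  # what getIdentityId() returns
JWT_SUB = "a1b2c3d4-5678-90ab-cdef-1234567890ab"                # the sub claim in the ID token
OTHER_IDENTITY_ID = "us-east-1:99999999-9999-9999-9999-999999999999"

POLICY_VARIABLE = "${cognito-identity.amazonaws.com:sub}"


def user_folder_policy(bucket: str) -> dict:
    """Policy for the identity pool's authenticated role.

    "Version": "2012-10-17" switches on policy variables; without it the
    ${...} text in Resource is treated as literal characters.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AccessUserSpecificFolder",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{POLICY_VARIABLE}/*",
            }
        ],
    }


def _resolve_variables(resource: str, request_context: dict, version: str) -> str:
    """Substitute ${key} from the request context, only under policy language 2012-10-17."""
    if version != "2012-10-17":
        return resource
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: request_context.get(m.group(1), m.group(0)),
                  resource)


def _arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style match: '*' spans any characters (including '/'), '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def is_allowed(policy: dict, action: str, resource_arn: str, request_context: dict) -> bool:
    """Default deny; an explicit Deny wins; otherwise any matching Allow grants."""
    version = policy.get("Version", "2008-10-17")
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if action not in actions:
            continue
        for res in resources:
            if _arn_matches(_resolve_variables(res, request_context, version), resource_arn):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def object_arn(bucket: str, key: str) -> str:
    return f"arn:aws:s3:::{bucket}/{key}"


def demo() -> dict:
    """Evaluate PutObject against folders named after the identity ID, the JWT sub,
    another user's identity ID, and the literal variable text."""
    policy = user_folder_policy(BUCKET)
    # What STS fills in for this session: the Cognito identity ID, not the token's sub.
    ctx = {"cognito-identity.amazonaws.com:sub": IDENTITY_ID}
    no_version = copy.deepcopy(policy)   # same policy with the Version line dropped
    del no_version["Version"]
    put = "s3:PutObject"
    return {
        "identity_id_folder": is_allowed(policy, put, object_arn(BUCKET, f"{IDENTITY_ID}/photo.jpg"), ctx),
        "jwt_sub_folder": is_allowed(policy, put, object_arn(BUCKET, f"{JWT_SUB}/photo.jpg"), ctx),
        "other_users_folder": is_allowed(policy, put, object_arn(BUCKET, f"{OTHER_IDENTITY_ID}/photo.jpg"), ctx),
        "delete_own_folder": is_allowed(policy, "s3:DeleteObject", object_arn(BUCKET, f"{IDENTITY_ID}/photo.jpg"), ctx),
        "no_version_identity_folder": is_allowed(no_version, put, object_arn(BUCKET, f"{IDENTITY_ID}/photo.jpg"), ctx),
        "no_version_literal_folder": is_allowed(no_version, put, object_arn(BUCKET, f"{POLICY_VARIABLE}/photo.jpg"), ctx),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {'ALLOW' if ok else 'DENY'}")
```

Running it shows only the identity-ID folder allowed under the correct policy, and, once the Version line is removed, only a folder literally named `${cognito-identity.amazonaws.com:sub}` allowed, which is the symptom behind the Access Denied in the first question.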