What you're trying to do actually uses an Amazon Cognito identity pool, not a user pool. Therefore, there's no need to migrate any users to a Cognito user pool for this scenario, as you're able to use an identity pool on its own.
An identity pool allows you to get temporary AWS credentials and does not manage the underlying identities of your users. Look into the README for the utility example for steps on setting up the Cognito identity pool (e.g. steps 1 & 2).
However, and most importantly, this sample you're looking into uses an "unauthenticated" role from the identity pool, and it has the AmazonS3FullAccess policy attached to this unauthenticated role. I would highly, highly recommend instead using an authenticated role with IAM policies that follow a more restrictive and least-privileged access model, based on your use case and requirements. You have the ability to federate from the existing identity provider that your Android app uses to the Cognito identity pool. This way you can securely allow only authenticated users access to the S3 bucket, and you can enforce more fine-grained permissions. For example, you could use an attribute-based access control (ABAC) or a role-based access control (RBAC) model to determine permissions.
Here are some additional links to help out (in addition to the repo you referenced):
- Using identity pools
- Identity pools authentication flow
- Identity pools external identity providers
- If your application happens to already be using Facebook, Google, Sign in with Apple, Login with Amazon, or any OIDC or SAML identity provider, you could follow the guidance mentioned above.
- Developer-authenticated identities
- If you're using a custom identity provider for your Android app, you could look into using developer-authenticated identities.
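To make the "least privileged access" point above concrete, here is an example IAM permissions policy for the identity pool's authenticated role. It is an added illustration, not code from the answer above or from the sample repository. It replaces the broad AmazonS3FullAccess grant with access scoped to a per-identity prefix: the `${cognito-identity.amazonaws.com:sub}` policy variable resolves to the caller's Cognito identity ID, so each authenticated user can list, read, and write only objects under their own `users/<identity-id>/` prefix. The bucket name `example-app-bucket-placeholder` is a placeholder; JSON policies do not allow comments, so that assumption is stated here rather than inline.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-app-bucket-placeholder",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "users/${cognito-identity.amazonaws.com:sub}/",
            "users/${cognito-identity.amazonaws.com:sub}/*"
          ]
        }
      }
    },
    {
      "Sid": "ReadWriteOnlyOwnObjects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-app-bucket-placeholder/users/${cognito-identity.amazonaws.com:sub}/*"
    }
  ]
}
```

Attach a policy like this to the authenticated role only, and make sure the role's trust policy still carries the standard Cognito conditions (`cognito-identity.amazonaws.com:aud` equal to your identity pool ID and `cognito-identity.amazonaws.com:amr` containing `authenticated`), so the credentials can only be obtained through your identity pool by a federated, logged-in user. If you keep an unauthenticated role at all, give it no S3 permissions unless a specific feature requires them, and then scope those the same way.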