Ok, I found a good working solution. IAM and Cognito still do not allow you to use custom JWT claims in IAM permissions. This only works for a small subset of claims that Cognito sets by default, like the Cognito user sub:
${cognito-identity.amazonaws.com:sub}
The approach I took was to use S3 pre-signed URLs after verifying that the calling user is allowed access to the file in S3.
Basically, I was able to add an AppSync GraphQL query to my existing GraphQL API in my Amplify stack. This new GraphQL query is backed by a Lambda function which verifies that the calling user belongs to the same business as the file being requested before generating and returning the S3 pre-signed URL.
Hope this can help someone else out. I think this would be a very common use-case in multi-tenant apps.
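The pattern in the answer above, written out as an added example (this is not the poster's code and not part of the original thread): a Node.js Lambda resolver behind an AppSync query that first checks the caller's tenant against the file's owner and only then mints a pre-signed GET URL. The claim name `custom:businessId`, the file metadata table, and the injected `presign` function are assumptions made so the block runs offline; in a deployed function `presign` would be `getSignedUrl(s3Client, new GetObjectCommand({ Bucket, Key }), { expiresIn })` from `@aws-sdk/s3-request-presigner`.

```javascript
// Added example, not the original poster's code. Authorizes a file download
// against the caller's tenant before returning a pre-signed S3 URL.
// Assumptions: the tenant id is in the Cognito custom claim "custom:businessId"
// (AppSync exposes verified User Pool claims on event.identity.claims), file
// ownership is stored in a metadata table keyed by fileId, and signing is done
// by an injected `presign` function so this file runs without AWS.

// Constructed sample metadata standing in for a DynamoDB table.
const FILE_TABLE = {
  "file-001": { bucket: "tenant-files", key: "acme/reports/q1.pdf", businessId: "acme" },
  "file-002": { bucket: "tenant-files", key: "globex/invoices/inv-9.pdf", businessId: "globex" },
};

// Short lifetime: the URL is a bearer credential once issued.
const URL_TTL_SECONDS = 300;

function tenantOf(identity) {
  // Only trust the claim AppSync already verified, never a client-supplied argument.
  const claims = identity && identity.claims;
  const businessId = claims && claims["custom:businessId"];
  if (typeof businessId !== "string" || businessId.length === 0) {
    throw new Error("Unauthorized: caller has no tenant claim");
  }
  return businessId;
}

function authorizeAndPresign(event, deps) {
  const { lookupFile, presign } = deps;
  const fileId = event.arguments && event.arguments.fileId;
  if (typeof fileId !== "string" || fileId.length === 0) {
    throw new Error("Bad request: fileId required");
  }

  const callerBusiness = tenantOf(event.identity);
  const file = lookupFile(fileId);

  // Same error for "does not exist" and "belongs to another tenant", so the
  // query cannot be used to probe which file ids exist for other businesses.
  if (!file || file.businessId !== callerBusiness) {
    throw new Error("Not found");
  }
  return presign({ bucket: file.bucket, key: file.key, expiresIn: URL_TTL_SECONDS });
}

// Offline stand-ins for the real table read and the S3 request presigner.
// The signature value below is constructed, not a real AWS SigV4 signature.
const offlineDeps = {
  lookupFile: (id) => FILE_TABLE[id] || null,
  presign: ({ bucket, key, expiresIn }) =>
    `https://${bucket}.s3.amazonaws.com/${key}?X-Amz-Expires=${expiresIn}&X-Amz-Signature=CONSTRUCTED`,
};

// Builds an event shaped like AppSync's Lambda resolver payload (constructed).
function makeEvent(businessId, fileId) {
  return {
    arguments: { fileId },
    identity: {
      sub: "user-sub-constructed",
      claims: businessId ? { "custom:businessId": businessId } : {},
    },
  };
}

// Lambda entry point wired to the AppSync query (async, as Lambda expects).
const handler = async (event) => authorizeAndPresign(event, offlineDeps);

// Stand-alone run: a caller from "acme" gets a URL for its own file.
console.log(authorizeAndPresign(makeEvent("acme", "file-001"), offlineDeps));
```

The important design point is that the tenant comparison uses the claim AppSync has already verified from the Cognito token, not anything the client sends in the query arguments, and that cross-tenant requests and nonexistent ids are indistinguishable to the caller.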