I have hundreds of S3 buckets and dozens of users in Cognito User Pool. I want to be able to select which user can access which S3 bucket, for example:
user_a
can access bucket_1
, bucket_2
, bucket_3
user_b
can access bucket_2
user_c
can access bucket_1
, bucket_4
and so on.
I would love to be able to do it without creating a dedicated API creating a dynamic policies. I thought about utilising Cognito Identity Pools and Attribute-based access control.
There is a cool example where an user gets an attribute "department": "legal"
and is then assigned a role that is allowed to query only the buckets with -legal
suffix, thanks to ${aws:PrincipalTag/department}
magic.
If my users were to access only one bucket, that would be a solution. However, in my case a user could get assigned to dozens or hundreds of buckets (think "multiple departments" in the example from AWS docs).
I thought of using multiple custom attributes on each user:
bucket_1: true
bucket_2: false
bucket_3: false
- ..and so on
and creating a policy that allows you to access given bucket_n
if and only if you have an attribute bucket_n: true
.
This would work if I had at most 50 buckets (the hard limit of Custom Attributes in Cognito).
In my case, this value is slightly higher (a couple hundreds). I can have users having access to 200+ buckets as well as ones being allowed to only one bucket.
Is there any way to achieve my goal with Cognito Identity Pools and IAM Policies?