Cognito Federated Identities and user specific policies

0

Hi there,

My goal is to have authenticate users using my web app, then to allow them restricted access to S3 and Rekognition. They should only be able to access their own S3 bucket, and only run IndexFaces and SearchFaces on a rekognition collection they belong to

Right now I use Cognitio Federated Identities. I create the user using CognitoIdentity.getOpenIdTokenForDeveloperIdentity. Then I use STS.assumeRoleWithWebIdentity to give the user access to a role that has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::xxx/users/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::xxx/users/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}

This allows the user to only put and get objects that belong to their bucket, but noone elses.

However, I'm having a hard time figuring out how I can change this policy to also allow access to their own Rekognition Collection. Bearing in mind that sometimes more than one user belongs to the same rekognition collection.

Is there some way this can be done with cognito federated identities? Or do I need another approach?

Thanks for your time,
Josh

preguntada hace 5 años242 visualizaciones
1 Respuesta
0

Hey just putting this here in case someone else runs into this.

Turns out you can pass a 'session policy' to STS.assume_role_with_web_identity which you can configure however you like dynamically. This conveniently sidesteps AWS limits on IAM roles and policies.

respondido hace 5 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas