Hi,
I am trying to implement ABAC for accessing S3 objects. I would like to conditionally provision permission based on Cognito user attributes. The challenge I am facing is that a user can be in none, one or more groups. If a user is in a certain group, he should be able to access the S3 objects that belong to that group.
Basically, what I would like to achieve is that all the groups that the user is member of are mapped to one tag - Is it possible to map more than one value to one tag?
I found this document: Docs
You cannot specify multiple values in a single tag, but you can create a custom multivalue structure in the single value. For example, assume that the user Zhang works on the engineering team and the QA team. If you attach the team = Engineering tag and then attach the team = QA tag, you change the value of the tag from Engineering to QA. Instead, you can include multiple values in a single tag with a custom separator. In this example, you could attach the team = Engineering:QA tag to Zhang.
But I am not sure how to implement this with IAM policies and tags.
Example:
I have 2 objects.
Object A - tag: Group A
Object B - tag: Group B
User 1 - principal tag membership: Group A. (I know how to implement this)
User 2 - principal tag membership: ["Group A", "Group B"] (not sure how to implement this)
I have also found this tutorial: Tutorial.
What if one user would be a member of both "qas" and "eng" access-teams?
Thanks,
David