How to add & use array values in claims of Cognito's IdToken in AWS IAM policies?

0

Hello, I have a use-case where I need to add custom attributes to AWS Cognito user-pool with array values, e.g.: {"floors": ["1","3", "7"]}.

Then, I want to define a policy that allow access to a resource only if the PrincipalTag ("floors") has an element value ("3") that match the resource tag ("floor"="3").

Can this be implemented via AWS IAM Policy? How?

Thank you.

yossico
demandé il y a 2 ans474 vues
1 réponse
0

Cognito only supports string attributes, but you can mimic a multi-value attribute with your own delimiter between and around the values. Take this example using : to separate your floors values:

{"floors": ":1:3:7:"}

Then your aws:PrincipalTag/tag-key check can use StringLike in a Condition with leading *: and trailing :* wildcards to match the floor. This assumes your floor values don't contain : and they aren't user-defined input that would allow someone to inject their own : character.

"Condition": {
  "StringLike": { "aws:PrincipalTag/floor": "*:3:*" }
},
profile pictureAWS
répondu il y a un an

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions