Ok, I found a good working solution. IAM and Cognito still do not allow you to use custom JWT claims in IAM permissions. This only works for a small subset of claims that Cognito sets by default, like the Cognito user sub:
${cognito-identity.amazonaws.com:sub}
The approach I took was to use S3 pre-signed URLs after verifying that the calling user is allowed access to the file in S3.
Basically, I was able to add an AppSync GraphQL query to my existing GraphQL API in my Amplify stack. This new GraphQL query is backed by a Lambda function which verifies that the calling user belongs to the same business as the file being requested before generating and returning the S3 pre-signed URL.
Hope this can help someone else out. I think this would be a very common use-case in multi-tenant apps.
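The pattern described in the answer above, as an added example that is not the poster's code: an AppSync direct Lambda resolver that takes the caller's business from the verified Cognito claims AppSync places in `event["identity"]["claims"]`, checks that the requested object key sits under that business's prefix, and only then generates a short-lived pre-signed GET URL. The bucket name, the `custom:business_id` claim, the `business/<id>/` key layout and the `key` query argument are assumptions for the example; the same check generalizes to any tenant-per-prefix layout.

```python
"""Added example (not the original poster's code): tenant check before
returning an S3 pre-signed URL from an AppSync Lambda resolver."""
import posixpath
from typing import Any

# Assumptions for this example: objects live under business/<business_id>/...
# and the Cognito User Pool carries the user's business in a custom claim.
BUCKET = "example-tenant-files"          # placeholder bucket name
BUSINESS_CLAIM = "custom:business_id"    # assumed custom claim name
URL_TTL_SECONDS = 300                    # short lifetime limits the damage of a leaked URL


def tenant_prefix(business_id: str) -> str:
    """Key prefix that a business is allowed to read (assumed layout)."""
    return f"business/{business_id}/"


def authorize_download(claims: dict, requested_key: str) -> str:
    """Return the normalized key if the caller's business owns it, else raise.

    The tenant id comes from the JWT claims that AppSync already verified,
    never from the query arguments, so the caller cannot choose a business.
    The key is normalized first so that 'business/A/../B/x' cannot escape
    the caller's own prefix.
    """
    business_id = claims.get(BUSINESS_CLAIM)
    if not business_id:
        raise PermissionError("caller has no business claim")
    if requested_key.startswith("/") or "\\" in requested_key:
        raise PermissionError("malformed key")
    key = posixpath.normpath(requested_key)
    if key in (".", "..") or key.startswith("../"):
        raise PermissionError("malformed key")
    if not key.startswith(tenant_prefix(business_id)):
        raise PermissionError("object belongs to another business")
    return key


def is_allowed(claims: dict, requested_key: str) -> bool:
    """Boolean view of authorize_download, handy for tests and logging."""
    try:
        authorize_download(claims, requested_key)
        return True
    except PermissionError:
        return False


def presign(key: str) -> str:
    """Generate the pre-signed GET URL (boto3 signs locally, no network call)."""
    import boto3  # imported here so the authorization logic is testable without it
    s3 = boto3.client("s3")
    return s3.generate_presigned_url(
        "get_object",
        Params={"Bucket": BUCKET, "Key": key},
        ExpiresIn=URL_TTL_SECONDS,
    )


def handler(event: dict, context: Any = None) -> dict:
    """AppSync direct Lambda resolver entry point.

    event["identity"]["claims"] holds the verified Cognito claims and
    event["arguments"] holds the GraphQL arguments (field name 'key' assumed).
    """
    claims = (event.get("identity") or {}).get("claims") or {}
    key = authorize_download(claims, event["arguments"]["key"])
    return {"url": presign(key), "expiresIn": URL_TTL_SECONDS}


if __name__ == "__main__":
    # Constructed sample claims, as AppSync would pass them for a Cognito user.
    acme_user = {"sub": "1111-2222", BUSINESS_CLAIM: "acme"}
    for key in ("business/acme/reports/q1.pdf",
                "business/globex/reports/q1.pdf",
                "business/acme/../globex/secret.pdf"):
        print(f"{key!r}: {'allowed' if is_allowed(acme_user, key) else 'denied'}")
```

Two points worth keeping when adapting this: the tenant id must come from the claims object and not from any argument the client sends, and the pre-signed URL should expire quickly, since anyone holding the URL can fetch the object until it does.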