Using a Cognito custom attribute as a principal tag in an IAM policy condition is not working
1
Here's the setup:
- User Pool custom attribute:
custom:journalSubscription - User Pool app client: has read/write permission for the custom attribute
- Example user: has custom attribute
custom:journalSubscriptionset totrue - Identity Pool ABAC custom mapping: "Attribute name" of
custom:journalSubscription---maps to---> "Tag key for principal" ofjournalSubscription - IAM policy: uses a condition for "StringEquals" where "aws:PrincipalTag/journalSubscription" must equal "true"
Problem: the SDK call fails with this error:
User: <<AUTH_ROLE>> is not authorized to perform: dynamodb:GetItem on resource: <<ARN_FOR_MY_DynamoDB_TABLE>> because no identity-based policy allows the dynamodb:GetItem action
Note: the SDK call works fine with an IAM policy that uses a condition for a non-custom attribute such as "aws:PrincipalTag/email". It's just that for custom attributes, the call fails.
How can I make this work?
Argomenti
Tag
Lingua
English
posta 2 anni fa1089 visualizzazioni
2 Risposte
- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
2
In the app client settings, for the OpenID Connect scopes, add profile. This allows the app client to retrieve "profile" attributes which seems to include custom attributes.
con risposta 2 anni fa
Contenuto pertinente
AWS UFFICIALEAggiornata 8 mesi fa- AWS UFFICIALEAggiornata 2 anni fa
- Come faccio a configurare Auth0 come provider di identità SAML con un pool di utenti Amazon Cognito?AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata un anno fa
open ID good