Hi there,
My goal is to have authenticate users using my web app, then to allow them restricted access to S3 and Rekognition. They should only be able to access their own S3 bucket, and only run IndexFaces and SearchFaces on a rekognition collection they belong to
Right now I use Cognitio Federated Identities. I create the user using CognitoIdentity.getOpenIdTokenForDeveloperIdentity. Then I use STS.assumeRoleWithWebIdentity to give the user access to a role that has the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::xxx/users/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::xxx/users/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
This allows the user to only put and get objects that belong to their bucket, but noone elses.
However, I'm having a hard time figuring out how I can change this policy to also allow access to their own Rekognition Collection. Bearing in mind that sometimes more than one user belongs to the same rekognition collection.
Is there some way this can be done with cognito federated identities? Or do I need another approach?
Thanks for your time,
Josh
