Fine grained row level access to Dynamodb via Cognito Authorizer

0

I'm able to only allow logged-in users to access my API Gateway endpoint via Cognito Authorizer. The next step is to allow users to only access their data in DynamoDB. For that I'm taking the role ARN (which is defined in my user group) from the Lambda request event, and assuming that role before querying DynamoDB. Here's my DynamoDB policy. If I hardcode the Cognito user pool sub, which matches the partition key on the table, it works, which means my policy is correct. I just can't figure out how to dynamically get the user pool sub in the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dynamodb:DeleteItem",
                    "dynamodb:GetItem",
                    "dynamodb:PutItem",
                    "dynamodb:Query",
                    "dynamodb:Update*",
                    "dynamodb:Delete*"
                ],
                "Resource": [
                    "arn:aws:dynamodb:*:*:table/table-name-db",
                    "arn:aws:dynamodb:*:*:table/table-name-db/index/*"
                ],
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "dynamodb:LeadingKeys": [
                            <NOT SURE WHAT TO ADD HERE>
                        ]
                    }
                }
            }
        ]
    }
2 answers
0
AWS
Expert
answered 2 years ago
  • Thanks for your reply. "${cognito-identity.amazonaws.com:sub}" doesn't work unless you are using the identity pool ID as the partition key. In my case I'm using the user pool sub as the partition key.

0

OK. I am not aware of how to accomplish this without using Cognito Identity Pools. This blog explains how you can use Cognito Identity Pools with Cognito User Pools to achieve fine-grained authorization - https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/

AWS
Expert
answered 2 years ago
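To see what the question's `dynamodb:LeadingKeys` condition actually enforces once the placeholder is filled with the identity-pool variable from the answer, here is an offline model of that condition's evaluation. This is an added example, not code from this thread or from AWS; the request context and the partition-key values are constructed, and the hardened variant adds the `Null` check that AWS documents for `ForAllValues` operators, since `ForAllValues` also matches when the request carries no values for the key.

```python
import re

# Constructed copy of the question's condition block, with the placeholder
# replaced by the identity-pool policy variable suggested in the answer.
# Action/Resource are assumed to already match the request.
CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
    }
}

# Same condition plus the Null check AWS pairs with ForAllValues, so a
# request that supplies no dynamodb:LeadingKeys values is not allowed.
HARDENED_CONDITION = {**CONDITION, "Null": {"dynamodb:LeadingKeys": "false"}}

# Constructed request context: the identity ID the identity pool places in
# the assumed-role session (format "<region>:<uuid>").
CTX = {"cognito-identity.amazonaws.com:sub": "us-east-1:00000000-0000-4000-8000-000000000001"}

_VAR = re.compile(r"\$\{([^}]+)\}")

def substitute(value, request_context):
    """Expand IAM policy variables such as ${cognito-identity.amazonaws.com:sub}."""
    def repl(m):
        if m.group(1) not in request_context:
            raise KeyError("unresolved policy variable: " + m.group(1))
        return request_context[m.group(1)]
    return _VAR.sub(repl, value)

def condition_matches(condition, request_context, leading_keys):
    """Evaluate the two operators used here; all must pass for the statement to apply.
    leading_keys: set of partition-key values the request touches
    (what DynamoDB exposes to IAM as dynamodb:LeadingKeys)."""
    for key, values in condition.get("ForAllValues:StringEquals", {}).items():
        allowed = {substitute(v, request_context) for v in values}
        requested = leading_keys if key == "dynamodb:LeadingKeys" else set()
        # ForAllValues: every requested value must be allowed; an empty
        # request set vacuously passes, which is the documented quirk.
        if not all(v in allowed for v in requested):
            return False
    for key, want_null in condition.get("Null", {}).items():
        present = key == "dynamodb:LeadingKeys" and bool(leading_keys)
        if (want_null == "true") != (not present):
            return False
    return True

def decision(condition, request_context, leading_keys):
    """'Allow' when the statement's condition applies, else implicit 'Deny'."""
    return "Allow" if condition_matches(condition, request_context, leading_keys) else "Deny"
```

Note that, as the asker points out in the comment above, this only works when the table's partition key holds the identity-pool identity ID rather than the user-pool sub.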
