When I use the GetFederationToken API to generate temporary credentials, the ${aws:username} policy variable doesn't work.
Resolution
When the principal is a federated user created with GetFederationToken, the request context doesn't contain the aws:username key, so the ${aws:username} AWS Identity and Access Management (IAM) policy variable has no value and a statement that references it in its Resource or Condition element can't match any request. Instead, use the ${aws:userid} policy variable, which for a GetFederationToken principal is set to account-id:caller-specified-name. For more information, see Where you can use policy variables.
In the following JSON policy example, the ${aws:username} policy variable is replaced with the ${aws:userid} policy variable, so each federated user can list and work with only the folder (key prefix) named after their own user ID. The s3:prefix condition key holds the prefix parameter of the ListBucket request, which is relative to the bucket, so the bucket name isn't part of that pattern:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::TESTBUCKET"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${aws:userid}/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::TESTBUCKET/${aws:userid}/*"
      ]
    }
  ]
}
For a GetFederationToken principal, the value of the aws:userid variable is ACCOUNTNUMBER:caller-specified-name, where caller-specified-name is the Name parameter of the GetFederationToken call.
The Name parameter value must follow the GetFederationToken guidelines (2 to 32 characters, each a letter, digit or one of the characters +=,.@-). For example, if you specify the friendly name Bob in account 123456789102, AWS Security Token Service (AWS STS) sets aws:userid to 123456789102:Bob for that federated user. After substitution, the preceding policy allows that user to list and work with objects only under the 123456789102:Bob/ prefix of the Amazon Simple Storage Service (Amazon S3) bucket; a ListBucket request with no prefix, or with another user's prefix, is denied.
Note: The preceding example assumes that each caller-specified friendly name identifies exactly one end user. Because the Name parameter alone determines aws:userid, two GetFederationToken calls that pass the same Name produce the same user ID and therefore grant access to the same folder. The application that calls GetFederationToken must assign a distinct name to each user and never reuse a name for a different user.
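The following Python script is an added example, not code from this article or from AWS. It builds the policy shown above for a given bucket, derives the aws:userid that STS presents for a GetFederationToken principal, validates the Name parameter against the GetFederationToken constraints, and evaluates offline which S3 requests the policy allows after variable substitution (including the denied cases: another user's prefix, a ListBucket call with no prefix, and a prefix that wrongly includes the bucket name). The account ID 123456789102, the bucket TESTBUCKET, the user names and the FakeStsClient stand-in are constructed for the demonstration; with a real boto3 STS client, issue_federated_credentials makes the actual GetFederationToken call.

```python
"""Per-user S3 access for GetFederationToken callers via ${aws:userid}.

Added example, not code from the AWS article. Account ID, bucket, user
names and the FakeStsClient are made up for offline demonstration.
"""
import fnmatch
import json
import re
from typing import Optional

# Name constraints from the GetFederationToken API reference:
# 2 to 32 characters, each matching [\w+=,.@-].
_NAME_RE = re.compile(r"^[\w+=,.@-]{2,32}$")


def is_valid_federation_name(name: str) -> bool:
    """True if STS would accept the Name. The allowed set also keeps IAM
    wildcard characters (* and ?) out of the value substituted into the policy."""
    return bool(_NAME_RE.match(name))


def validate_federation_name(name: str) -> str:
    if not is_valid_federation_name(name):
        raise ValueError(f"invalid GetFederationToken Name: {name!r}")
    return name


def expected_userid(account_id: str, name: str) -> str:
    """aws:userid for a GetFederationToken principal: ACCOUNT:Name."""
    return f"{account_id}:{validate_federation_name(name)}"


def per_user_s3_policy(bucket: str) -> dict:
    """The article's policy. s3:prefix is relative to the bucket, so the
    bucket name must not appear in the prefix pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": ["${aws:userid}/*"]}},
            },
            {
                "Sid": "AllowAllS3ActionsInUserFolder",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject",
                           "s3:GetObjectVersion", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/${{aws:userid}}/*"],
            },
        ],
    }


def _match(value: str, pattern: str, userid: str) -> bool:
    """Substitute ${aws:userid}, then apply IAM-style * and ? wildcards."""
    return fnmatch.fnmatchcase(value, pattern.replace("${aws:userid}", userid))


def is_allowed(policy: dict, userid: str, action: str, resource: str,
               prefix: Optional[str] = None) -> bool:
    """Minimal evaluator for this policy shape: Allow statements with list
    Action/Resource and an optional StringLike s3:prefix condition. As in
    IAM, a condition on a key that is absent from the request does not match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(_match(resource, r, userid) for r in stmt["Resource"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            if prefix is None or not any(_match(prefix, p, userid) for p in wanted):
                continue
        return True
    return False


def issue_federated_credentials(sts_client, account_id: str, name: str,
                                bucket: str, duration: int = 3600) -> dict:
    """Call GetFederationToken with the per-user policy as the session policy
    and confirm the returned FederatedUserId is the value the policy is written
    for. sts_client is a boto3 STS client (or the offline stand-in below)."""
    resp = sts_client.get_federation_token(
        Name=validate_federation_name(name),
        Policy=json.dumps(per_user_s3_policy(bucket)),
        DurationSeconds=duration,
    )
    got = resp["FederatedUser"]["FederatedUserId"]
    want = expected_userid(account_id, name)
    if got != want:
        raise RuntimeError(f"STS returned user ID {got!r}, policy expects {want!r}")
    return resp["Credentials"]


class FakeStsClient:
    """Constructed stand-in that mimics the shape of boto3's GetFederationToken
    response, so the flow can be exercised without AWS credentials."""

    def __init__(self, account_id: str):
        self.account_id = account_id

    def get_federation_token(self, Name, Policy, DurationSeconds):
        json.loads(Policy)  # STS rejects a malformed policy document
        return {
            "Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                            "SecretAccessKey": "x", "SessionToken": "y"},
            "FederatedUser": {
                "FederatedUserId": f"{self.account_id}:{Name}",
                "Arn": f"arn:aws:sts::{self.account_id}:federated-user/{Name}"},
        }


if __name__ == "__main__":
    account, bucket = "123456789102", "TESTBUCKET"
    creds = issue_federated_credentials(FakeStsClient(account), account, "Bob", bucket)
    uid = expected_userid(account, "Bob")
    policy = per_user_s3_policy(bucket)
    print(uid, creds["AccessKeyId"])
    print(is_allowed(policy, uid, "s3:ListBucket", f"arn:aws:s3:::{bucket}", prefix=f"{uid}/"))
    print(is_allowed(policy, uid, "s3:GetObject", f"arn:aws:s3:::{bucket}/{account}:Alice/secret.txt"))
```

The session policy passed in the Policy parameter can only narrow what the calling IAM user's own permissions already allow; the federated user's effective permissions are the intersection of the two, so the caller still needs s3:ListBucket and the object actions on TESTBUCKET.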
Related information
Permissions for GetFederationToken
IAM policy elements: variables and tags
IAM identifiers