How to add & use array values in claims of Cognito's IdToken in AWS IAM policies?

Question

Hello,
I have a use-case where I need to add custom attributes to AWS Cognito user-pool with array values, e.g.:
{"floors": ["1","3", "7"]}.

Then, I want to define a policy that allow access to a resource only if the PrincipalTag ("floors") has an element value ("3") that match the resource tag ("floor"="3").

Can this be implemented via AWS IAM Policy? How?

Thank you.

Answer

Cognito only supports string attributes, but you can mimic a multi-value attribute with your own delimiter between and around the values.  Take this example using `:` to separate your floors values:

`{"floors": ":1:3:7:"}`

Then your [aws:PrincipalTag/tag-key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag) check can use `StringLike` in a `Condition` with leading `*:` and trailing `:*` wildcards to match the floor.  This assumes your floor values don't contain `:` and they aren't user-defined input that would allow someone to inject their own `:` character.

```
"Condition": {
  "StringLike": { "aws:PrincipalTag/floor": "*:3:*" }
},
```

How to add & use array values in claims of Cognito's IdToken in AWS IAM policies?

관련 콘텐츠