Hello,
I am using a pre-token generation trigger to add some custom claims into a user's JWT token. One of the custom claims I am adding is "business_id" which maps a user as belonging to a particular business in my multi-tenant SaaS app.
NOTE: this is not an editable cognito user pool custom attribute. This JWT claim is added programmatically as described above using a pre-token generation trigger.
In the Authenticated role I can restrict access to an S3 path based on each user's unique ID (Cognito sub) using this variable in my IAM policy:
${cognito-identity.amazonaws.com:sub}
Like so:
{
    "Effect": "Allow",
    "Action": [
        "s3:GetObject",
        "s3:HeadObject",
        "s3:PutObject"
    ],
    "Resource": [
        {
            "Fn::Join": [
                "",
                [
                    "arn:aws:s3:::",
                    { "Ref": "S3Bucket" },
                    "/user/${cognito-identity.amazonaws.com:sub}/*"
                ]
            ]
        }
    ]
}
Is there a way to do something similar with a custom claim? Like my example of having a "business_id" custom claim? I need all my users that belong to the same business (id) to have access to the same S3 path.
I tried replacing the IAM template variable using 'sub' with 'business_id', but it did not work; I still get access denied.
${cognito-identity.amazonaws.com:business_id}
I know there is a way to map an IAM role to an authenticated user, but this approach would mean I could end up needing 100s or 1000s of IAM roles whose only difference would be the "business_id" value hardcoded into the S3 path to allow access to.
Again, business_id is not an editable Cognito user pool custom attribute. So, I shouldn't need to worry about a user's business_id changing and giving them access to resources that they should not have access to.
All help and ideas are very appreciated!
Thanks!
Erik
Edited by: paulsson-cs on Feb 27, 2020 12:35 PM
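Added example (an editor's illustration, not code from the post or from AWS): a small Python simulator of how IAM resolves policy variables against the request context for this Cognito identity-pool pattern. It goes beyond the post in one respect: the second statement uses `${aws:PrincipalTag/business_id}`, the IAM variable that an identity pool can populate from an ID-token claim through its principal-tag mapping ("attributes for access control"). The bucket name, identity IDs and claim values are constructed placeholders, and `resolve_variables`, `principal_context` and `is_allowed` are the example's own helpers, not AWS APIs.

```python
"""Simulate IAM policy-variable resolution for the Cognito identity-pool / S3 pattern.

Illustration only: IAM performs the real evaluation. The point shown here is that a
policy variable resolves only against keys that exist in the request context, and an
unknown name such as ${cognito-identity.amazonaws.com:business_id} never resolves,
so a Resource ARN containing it never matches (the 'access denied' in the post).
"""
import fnmatch
import re
from typing import Dict, List, Tuple

BUCKET = "example-bucket"  # constructed placeholder for { "Ref": "S3Bucket" }

# Two statements in the shape of the post's policy. The first scopes by the
# identity-pool identity id; the second scopes by a session tag that the identity
# pool can set from the ID token's custom "business_id" claim.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:HeadObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/user/${{cognito-identity.amazonaws.com:sub}}/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:HeadObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/business/${{aws:PrincipalTag/business_id}}/*",
        },
    ],
}

VAR_RE = re.compile(r"\$\{([^}]+)\}")


def resolve_variables(template: str, context: Dict[str, str]) -> Tuple[str, bool]:
    """Substitute ${key} variables from the request context.

    Returns (resolved_text, complete). `complete` is False when any variable
    had no value in the context; the caller treats such a statement as no match.
    """
    missing = False

    def replace(match: "re.Match[str]") -> str:
        nonlocal missing
        key = match.group(1)
        if key not in context:
            missing = True
            return match.group(0)
        return context[key]

    return VAR_RE.sub(replace, template), not missing


def principal_context(identity_id: str, id_token_claims: Dict[str, str],
                      tag_mapping: Dict[str, str]) -> Dict[str, str]:
    """Build the context keys a policy can reference for one authenticated identity.

    `identity_id` is the identity-pool identity id (what the sub variable resolves to).
    `tag_mapping` mirrors an identity pool's principal-tag mapping: tag name -> claim name.
    """
    ctx = {"cognito-identity.amazonaws.com:sub": identity_id}
    for tag, claim in tag_mapping.items():
        if claim in id_token_claims:
            ctx[f"aws:PrincipalTag/{tag}"] = id_token_claims[claim]
    return ctx


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, context: Dict[str, str], action: str, resource_arn: str) -> bool:
    """Explicit Deny wins, then any matching Allow; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            resolved, complete = resolve_variables(res, context)
            if not complete or not fnmatch.fnmatchcase(resource_arn, resolved):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed principals: two users of business "acme", one user of "globex", and
# a user whose identity pool has no tag mapping configured.
TAG_MAP = {"business_id": "business_id"}
ALICE = principal_context("us-east-1:ID-ALICE", {"business_id": "acme"}, TAG_MAP)
BOB = principal_context("us-east-1:ID-BOB", {"business_id": "acme"}, TAG_MAP)
CAROL = principal_context("us-east-1:ID-CAROL", {"business_id": "globex"}, TAG_MAP)
DAVE_NO_TAGS = principal_context("us-east-1:ID-DAVE", {"business_id": "acme"}, {})

if __name__ == "__main__":
    key = f"arn:aws:s3:::{BUCKET}/business/acme/report.csv"
    for name, ctx in [("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("dave", DAVE_NO_TAGS)]:
        print(name, "s3:GetObject", key, "->", is_allowed(POLICY, ctx, "s3:GetObject", key))
```

For the tag to exist at evaluation time the identity pool must map the claim to the `business_id` principal tag (the Cognito Identity `SetPrincipalTagAttributeMap` API) and the authenticated role's trust policy must allow `sts:TagSession` alongside `sts:AssumeRoleWithWebIdentity`; without the mapping the variable is unresolved and the business statement grants nothing, as `DAVE_NO_TAGS` shows. Because the tag comes from the ID token, its value is only as trustworthy as the pre-token-generation trigger that sets the claim.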