First, for you to be able to limit access to a leading key in a DynamoDB table, you need AWS credentials for a specific end user. The easiest way to get credentials for your user pool's end users is to integrate your Cognito User Pool with Cognito Identity Pools: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html If you do this, you will be able to use ${cognito-identity.amazonaws.com:sub} in your role policy. Note that the sub will not be the sub of the user in Cognito User Pools, but the identity ID of the identity the end user is associated with in Cognito Identity Pools.
However, you are asking about the sub of the Cognito User Pool user. Let us send you a private message to see if we can find an alternative that works. We will post back if we have a general solution.
I got the answer now. You are only able to use the ${cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXXX:sub} variable if you configure the Cognito User Pool as an OpenID Connect provider directly against IAM.
But there is a big problem, because you need to update the SSL thumbprint of the service endpoint in the OpenID Connect provider configuration if the certificate changes. But you are not able to tell when the AWS certificate has changed.
It's been 3 years since this question was asked... do we have a good, clean solution for this yet?
If you want to use the user pool sub value as a partition key, you can map it to a principal tag in the identity pool. In the identity pool, go to User access -> Identity providers. In the Mappings section, choose Custom mapping. Enter a name for the tag key, e.g. userId, and enter sub for the claim. Then you can use it in the role's policy like this:

    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [
                "${aws:PrincipalTag/userId}"
            ]
        }
    }

Alternatively, you can use the policy in the question with "${cognito-identity.amazonaws.com:sub}". As written above, it's the user's ID in the identity pool. You can get this ID by calling the GetId endpoint in Identity Pools. The payload will contain the identity pool ID and, if the user is authenticated, the Logins property, which consists of the user pool ID and the ID token the user receives after signing in. You'll get an IdentityId in the response, and this value should be the partition key in the table.
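The condition above only does its job for actions that actually populate dynamodb:LeadingKeys in the request context, and the ForAllValues operator has a documented edge case (a missing or empty request key evaluates to true). The following is an added example, not code from this thread or from any AWS library: a small offline evaluator of IAM's policy-variable substitution and ForAllValues:StringEquals logic, run against the Condition block from the answer (and against the ${cognito-identity.amazonaws.com:sub} variant from the question). The table ARN, account ID, user IDs and the Action list, which deliberately includes dynamodb:Scan, are constructed for the example.

```python
"""Offline evaluator for the dynamodb:LeadingKeys condition from the answer.

Added example; it re-implements only the IAM rules needed here: ${var}
substitution from the request context and the ForAllValues:StringEquals
set operator. Resource, account, user IDs and Action list are constructed.
"""
import re
from typing import Dict, List, Optional

# Statement built around the Condition block in the answer. dynamodb:Scan is
# included on purpose to demonstrate the ForAllValues caveat (see main).
POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:BatchGetItem", "dynamodb:Scan"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/UserData",  # constructed
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${aws:PrincipalTag/userId}"]
        }
    },
}

# Same statement with the identity-pool variable from the original question.
POLICY_STATEMENT_IDENTITY_ID = {
    **POLICY_STATEMENT,
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
    },
}

_VAR = re.compile(r"\$\{([^}]+)\}")
RequestContext = Dict[str, List[str]]


def substitute(value: str, context: RequestContext) -> Optional[str]:
    """Resolve ${key} variables; None if a key is absent (IAM: condition fails)."""
    for key in _VAR.findall(value):
        if not context.get(key):
            return None
    return _VAR.sub(lambda m: context[m.group(1)][0], value)


def for_all_values_string_equals(policy_values: List[str], request_values: List[str]) -> bool:
    """Every request value must equal one of the policy values.

    Documented IAM rule: a missing or empty request key makes ForAllValues
    evaluate to True. That is what lets Scan through in the demo below.
    """
    if not request_values:
        return True
    return all(v in policy_values for v in request_values)


def is_allowed(statement: dict, action: str, context: RequestContext) -> bool:
    """Evaluate one Allow statement (Action + Condition) against a request."""
    if action not in statement["Action"]:
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "ForAllValues:StringEquals":
            raise NotImplementedError(operator)
        for ctx_key, policy_values in pairs.items():
            resolved = [substitute(v, context) for v in policy_values]
            if any(r is None for r in resolved):
                return False  # unresolvable policy variable: no match
            if not for_all_values_string_equals(resolved, context.get(ctx_key, [])):
                return False
    return statement["Effect"] == "Allow"


def request_context(principal: Dict[str, str], leading_keys: Optional[List[str]]) -> RequestContext:
    """Build the request context IAM would see.

    `principal` carries keys such as "aws:PrincipalTag/userId" (set by the
    identity pool claim mapping). `leading_keys` lists the partition key values
    in the DynamoDB call; None models calls like Scan that carry no
    dynamodb:LeadingKeys key at all.
    """
    ctx: RequestContext = {k: [v] for k, v in principal.items()}
    if leading_keys is not None:
        ctx["dynamodb:LeadingKeys"] = leading_keys
    return ctx


if __name__ == "__main__":
    me = {"aws:PrincipalTag/userId": "user-42"}  # constructed principal
    cases = [
        ("Query own items", "dynamodb:Query", request_context(me, ["user-42"])),
        ("Query another user's items", "dynamodb:Query", request_context(me, ["user-7"])),
        ("BatchGetItem mixed keys", "dynamodb:BatchGetItem", request_context(me, ["user-42", "user-7"])),
        ("Scan (no LeadingKeys in context)", "dynamodb:Scan", request_context(me, None)),
    ]
    for label, action, ctx in cases:
        verdict = "ALLOW" if is_allowed(POLICY_STATEMENT, action, ctx) else "DENY"
        print(f"{label:34} -> {verdict}")
```

The Scan case is the one to take away: because Scan never puts dynamodb:LeadingKeys into the request context, ForAllValues:StringEquals evaluates to true and the whole table is readable. Keep the statement's Action list to the item-level operations that populate the key (GetItem, Query, BatchGetItem, PutItem, UpdateItem, DeleteItem, BatchWriteItem) and do not grant Scan in the same statement.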
Hello, have you found a solution to access the sub attribute of the user in the user pool? I need this variable to update my IoT resource policy.