By using AWS re:Post, you agree to the Terms of Use

Using Custom Authorizers with AWS Service Integrations


I am trying to use a custom authorizer to return an id with restricted aws service access (as indicated by Approach 2 in the initial response in this forum post:

I want to restrict the user to a List operation on specific S3 bucket/folder using the Javascript api in the browser.

The docs suggest that
setting the method execution role to arn:aws:iam:::user/ will enable the api method to use the current callers identity (which I assume is returned by the custom authorizer)

However when I try and configure a method like this in the console I get the following error in a nice red box at the top of the console:
Caller provided credentials are only supported for Lambda, SNS, SQS, DynamoDB, and S3.

The AWS Service drop down is set to Simple Storage Service (S3).

Why won't this work?

1 Answer

Note that the Exution Role should have been arn:aws:iam::**:user/** not arn:aws:iam:::user/ as shown below due to code formatting.

Anyhoo, after returning to this and attempting to to define a new API action integrating with a AWS service from scratch I got the following message:

AWS_IAM Auth type is required for AWS integrations with identity forwarding specified

Naturally searching for this statement generated absolutely nothing so in a rare moment of inspiration occasioned by a cup of coffee I tried:

arn:aws:iam::<my aws account>:user/*

And lo and behold the waters parted and the save button worked!

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions