Congito Federation identity aws credential permission access to cdn origins3

0

Good morning, I would like to explain my problem and understand what the best solution is for my use case. My IDP is known where I manage users and groups. I have 2 groups: ADMIN,USER ADMIN can see all files in all buckets USER only its files that are in the ${username}/* bucket path. I saw that there are a series of solutions with AWS to solve this problem.

  1. solution I created an AWS federated identity using my congito pool as a provider and then I made a mapping between the cognito groups and the related IAM roles. By doing this I was able to obtain an iam role associated with the current logged in user. Example of iam role. iam role associated with USER *{ "Version": "2012-10-17", "Statement": [

      {
          "Sid": "ReadYourObjects",
          "Effect": "Allow",
          "Action": [
              "s3:GetObject",
           
          ],
          "Resource": [
              "arn:aws:s3:::dev-v4-*/${aws:PrincipalTag/username}*"
          ]
      }
    

    ] }* iam role associated with ADMIN *{ "Version": "2012-10-17", "Statement": [

      {
          "Sid": "ReadYourObjects",
          "Effect": "Allow",
          "Action": [
              "s3:GetObject",
         
          ],
          "Resource": [
              "arn:aws:s3:::dev-v4-*/*"
          ]
      }
    

    ] }* In this way, using the AWS federated credentials associated with the cognito token, I can directly invoke s3 bucket to view the files and have protection with different groups. By doing this I could also directly invoke other AWS services such as dynamodb directly and manage the permissions from the iam role associated with the group My problem, however, is that I would like to access the S3 files not directly but through a cloudfront that caches the information for me, and that protects them with the user's associated IAM policy. but I can't find any information about it. Is there a way to invoke the CDN URLs with federated AWS cognito credentials so as to get to the resource with the IAM role associated with the request and manage protection using AWS policies on the S3 resource inside the CDN?

1 Answer
0
Accepted Answer

Excuse me but my question is different, I don't want to use a lambda@edge function in viewer_request(authoriz) but I would like a flat url that has associated aws credentials to invoke the resource within cloudfront. to directly invoke s3 I use amplify which generates the url for s3. I would like equivalent for cloudfront if it exists?

example of creating the s3 url with aws credentials retrieved from congito.

  • Amplify.Storage.configure({ region:region , bucket: resource.s3Bucket , level: 'public', credentials: currentUserCredentials.value, customPrefix: { public: '', } }); resource.s3PublicUrl = await Storage.get( resource.s3Key );*

URL like this: https://@mybucket.s3.eu-west-1.amazonaws.com/resources/company-b/ce424f31-4901-451f-a105-8539f67204ec/04e5270d-bf16-46b0-9393-f9e25584f45a_image-25.jpg?x -amz-content-sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855&x-amz-user-agent=aws-amplify%2F5.3.13+storage%2F2+framework%2F4&X-Amz-Algorithm= AWS4-HMAC-SHA256&X-Amz-Credential=ASIA2CEJGFIT773UNRXO%2F20240208%2Feu -west-1%2Fs3%2Faws4_request&X-Amz-Date=20240208T114456Z&X-Amz-SignedHeaders=host&X-Amz-expires=900&X-Amz-Security-Token=IQoJb3JpZ2lu pIqTwYZdqi4X8%2BTNd5hPSK3tQa5CR3YX1dAIgO2dUkJdUGzdo4WlSgau0dXUiWOvjz2fNMQdtmFOESjkqyAUI7f%2F%2F%2F%2F%2F%2F%2F %2F%2F%2FARADGgw2OTE3Nzc0NDg0ODciDIKAhP9SwjLeXc%2B%2B8yqcBdLlnIOs5AQAbWtGpnIrS4iW9xpTScjlTkW38UrsrddmclOgDaWBu%2Fk9UuGB3tT1ejBkuF%2Bz%2FLqi6%2Fe QjEBQ4tKuDEepkXGV7qgd4mTjeLXzjgvnaD8UAkNTYDqG1p%2ByjugApyQFs8q%2FnEWZKca13niuO3%2BFKiLiSv3vgLCZAs7s0aRgMghOHeYLbCKZ2jFQc7jOj1laXg2V0uiNVLnfGNWC9IVkBr J6xPGP2P8i9YIq6XU8aCxQawGWFl4rod9oj6Tj5aH6hONiuTYIQfTvRj07UdiFAeRyxcsA%2BIhOr3isj%2FYgXhhDN4EnAtm7vHpr4Wqd7X7VomDsBWIjkvYQFie5eFiCc3NjM9tVZJ8LX t8JImXkgJFTg3T4bghT6nzoRXEgKVSfh6goaSih2xGk3mC2E%2FxQUpEBVRDna8KAH5CjwdQBrwUWbkzGYEtlM5HvWzbuzLyjnpEspsl7HSrij8R24Ft3vjeUJblU2JFtgR3G04g3c%2FD728Q q%2BIk79ATBgCd0V9zhZsXALm1Lb4D4z59mzNaRqwpC4J57Si4v8G2wjd5s%2F2yM7PUD05QyAhfpUNLtkKmnAegKvjYf2UBYXHQ2yszYg5r03qo2fySPWN07AgOTAbvHJ7K%2FrESua1Di 8CgfQdO%2FoZoNdFCt7XBgU9HWSde9Xy3BtyRzLGGzpogmYtFmbj2QICaNTXe0JfKrgH6W4UQ0Tbwu57DIsr8seuvpsVSm1eurUjXcOVKfQm7XUsXPAY69AWuD14g0E4l%2FCR43DAyzS32Cf2yIO 8FGjvZN7XR9q3MpD75q2ZVNY9XINOpIIglAlra9yVi%2FvTJOFGX4zPu186sdLcWLq4lxmGeDBV0umWwLDQbTzIAfNugu8%2B8Jrhmi0bm%2BnCBeMLj9kq4GOoUCpiytjf3GgFdBsvrKbpk5f6d 51m0af92tW%2BXWG21f0SeKnRccGq271WUHGuOM %2FGMdfDLMH62Ske3Mn2jym3LZ7XofYeOBL%2BxuAQdCPdJaFuyp6tOzKhbdN9M%2FhLCN5317MbP3h4Ky6uJB4jYAXxNtYFYT2q7iXEvPdzlJX9mFWfWZ0VCfXMugIDBEhgsdPIMdHPx 8tnrr78RzEIFoP9Fds1rLIrth%2B1f2z2vwvjp06g1EJ3JT5fvO%2Fry9FuRCSOFsSsLrImrCWYpv5ZGSV9Vz8pYxUkTS7XpNvjFKJEuy4PlCuYyGIhU%2Fju%2BZjVQ74J4aHxDUFjG ejHiykP0FFOmAzPp4vbEx&X-Amz-Signature=69988c04e9ae8bf987417920099b61e5a2c8b9af6167d399e0233ee6ca64ea92

tino
answered 13 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions