
'Access Denied' when accessing S3 from an Angular app with a Cognito user pool


I have an S3 bucket which I configured to manage access using a Cognito user pool, as described here

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::<bucket-name>",
                "Condition": {
                    "StringLike": {
                        "s3:prefix": "cognito/<app-name>/"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": [ ... ],
                "Resource": [ ... ]
            }
        ]
    }

I have an Angular web app which authenticates users with a Cognito user pool, and I'm using the S3 client to get an object. I see a call to the Cognito service ( is made successfully, and an identity is returned as a response, but the immediate call afterwards to S3 fails with status code 403:

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>AAC2B5FC5C74C971</RequestId><HostId>l8AOygYbUT+Y1QhTjHydRJ9Uxc97ElSZ+l6H2RQlNglpQuZrqQPW532U6Pixil7YPZ4ugpreoSs=</HostId></Error>

Here's my code setting AWS creds:

    import * as AWS from 'aws-sdk';
    import { CognitoIdentity } from 'aws-sdk';
    import * as awsservice from 'aws-sdk/lib/service';

    buildCognitoCreds(idTokenJwt: string) {
        // Logins-map key for a user pool: cognito-idp.<region>.amazonaws.com/<user-pool-id>
        let url = 'cognito-idp.' + CognitoUtil._REGION.toLowerCase() + '.amazonaws.com/' + CognitoUtil._USER_POOL_ID;
        if (environment.cognito_idp_endpoint) {
            url = environment.cognito_idp_endpoint + '/' + CognitoUtil._USER_POOL_ID;
        }
        // Map the user pool ID token to the identity pool login
        let logins: CognitoIdentity.LoginsMap = {};
        logins[url] = idTokenJwt;
        let params = {
            IdentityPoolId: CognitoUtil._IDENTITY_POOL_ID, /* required */
            Logins: logins
        };
        let serviceConfigs = <awsservice.ServiceConfigurationOptions>{};
        if (environment.cognito_identity_endpoint) {
            serviceConfigs.endpoint = environment.cognito_identity_endpoint;
        }
        // Exchanges the ID token for identity pool credentials (GetId / GetCredentialsForIdentity)
        let creds = new AWS.CognitoIdentityCredentials(params, serviceConfigs);
        return creds;
    }

What am I missing?
No matter what I try, I'm getting Access Denied.

asked 4 years ago · 228 views
1 Answer

My mistake was referring to ${} as cognito user pool sub instead of cognito identity pool id.

answered 4 years ago
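The answer's point, as an added offline check (not the asker's code and not an AWS SDK call): the `${cognito-identity.amazonaws.com:sub}` policy variable in the object-level statement is replaced by the identity pool identity ID that `GetId` returns (the `<region>:<uuid>` value), not by the user pool `sub` claim in the ID token, so object keys must be written under the identity ID. The example assumes the elided Resource follows the `cognito/<app-name>/${cognito-identity.amazonaws.com:sub}/*` pattern from the AWS example policy the question refers to; the bucket name, app name, identity ID and sub value are constructed.

```typescript
// Added example: simulate how IAM resolves the Cognito policy variable in the
// bucket policy from the question. All values below are constructed.

// What the policy variable resolves to: the identity pool identity ID
// (returned by GetId / GetCredentialsForIdentity), formatted <region>:<uuid>.
const IDENTITY_ID = "us-east-1:11111111-2222-3333-4444-555555555555"; // constructed

// What it does NOT resolve to: the user pool "sub" claim from the ID token.
const USER_POOL_SUB = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"; // constructed

const BUCKET = "my-bucket";   // constructed, stands in for <bucket-name>
const APP_NAME = "myapp";     // constructed, stands in for <app-name>

// Login-map key expected by AWS.CognitoIdentityCredentials for a user pool:
// cognito-idp.<region>.amazonaws.com/<user-pool-id>
function loginsKey(region: string, userPoolId: string): string {
  return `cognito-idp.${region.toLowerCase()}.amazonaws.com/${userPoolId}`;
}

// Substitute the policy variable the way IAM does for an authenticated identity.
function resolvePolicyVariables(resource: string, identityId: string): string {
  return resource.split("${cognito-identity.amazonaws.com:sub}").join(identityId);
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal matcher for the "*" wildcard used in S3 resource ARNs.
function wildcardMatch(pattern: string, value: string): boolean {
  const re = new RegExp("^" + pattern.split("*").map(escapeRegExp).join(".*") + "$");
  return re.test(value);
}

// Object-level Resource assumed for the second statement (elided in the post).
const OBJECT_RESOURCE =
  `arn:aws:s3:::${BUCKET}/cognito/${APP_NAME}/\${cognito-identity.amazonaws.com:sub}/*`;

// Would s3:GetObject on this key match the statement for this identity?
function getObjectAllowed(key: string, identityId: string): boolean {
  const resolved = resolvePolicyVariables(OBJECT_RESOURCE, identityId);
  return wildcardMatch(resolved, `arn:aws:s3:::${BUCKET}/${key}`);
}

// Key written under the identity ID matches; a key written under the user
// pool sub does not, which produces exactly the 403 AccessDenied in the question.
console.log(getObjectAllowed(`cognito/${APP_NAME}/${IDENTITY_ID}/photo.jpg`, IDENTITY_ID));   // true
console.log(getObjectAllowed(`cognito/${APP_NAME}/${USER_POOL_SUB}/photo.jpg`, IDENTITY_ID)); // false
```

In the Angular app the identity ID is available as `creds.identityId` after the credentials have been refreshed, so the object key prefix can be built from that value rather than from any claim in the ID token.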
