Ok, I found a good working solution. IAM and Cognito still do not allow you to use custom JWT claims in IAM permissions. This only works for a small subset of claims that Cognito sets by default, like the Cognito user sub:
${cognito-identity.amazonaws.com:sub}
The approach I took was to use S3 pre-signed URLs after verifying that the calling user is allowed access to the file in S3.
Basically, I was able to add an AppSync GraphQL query to my existing GraphQL API in my Amplify stack. This new GraphQL query is backed by a Lambda function which verifies that the calling user belongs to the same business as the file being requested before generating and returning the S3 pre-signed URL.
Hope this can help someone else out. I think this would be a very common use case in multi-tenant apps.
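As an added illustration of the pattern this answer describes (not code from the answer's author or from Amplify), here is a Python Lambda resolver for such an AppSync query. It reads the caller's business id from the Cognito claims that AppSync passes in `event["identity"]["claims"]`, checks it against the business that owns the requested object, and only then creates the pre-signed GET URL. The claim name `custom:businessId`, the `key` query argument, the `FILES_BUCKET` environment variable and the in-memory `FILE_OWNERS` table are assumptions for the example; in a real stack the owner lookup would come from your data store or a key-prefix convention. The actual signing call is injected so the authorization logic can be exercised without AWS credentials.

```python
"""AppSync Lambda resolver: tenant check before issuing an S3 pre-signed URL (added example)."""
import os
from typing import Callable, Mapping, Optional

# Assumed custom Cognito claim carrying the caller's tenant; adjust to your user pool.
BUSINESS_CLAIM = "custom:businessId"

# Constructed sample data: object key -> owning business id.
# Stands in for a DynamoDB lookup or a "businesses/<id>/..." key-prefix rule.
FILE_OWNERS: Mapping[str, str] = {
    "businesses/biz-123/invoices/2024-01.pdf": "biz-123",
    "businesses/biz-456/invoices/2024-01.pdf": "biz-456",
}

PresignFn = Callable[[str, str, int], str]


def caller_business(event: dict) -> Optional[str]:
    """Return the tenant id from the verified Cognito claims AppSync forwards, or None."""
    identity = event.get("identity") or {}
    claims = identity.get("claims") or {}
    value = claims.get(BUSINESS_CLAIM)
    return value if isinstance(value, str) and value else None


def authorize(event: dict, key: str, owners: Mapping[str, str] = FILE_OWNERS) -> bool:
    """True only when the caller's tenant matches the object's owner.

    Unknown keys and missing claims both fail closed, so a caller cannot
    distinguish "does not exist" from "belongs to another tenant".
    """
    business = caller_business(event)
    owner = owners.get(key)
    return business is not None and owner is not None and owner == business


def boto3_presign(bucket: str, key: str, expires: int) -> str:
    """Default signer using boto3 (imported lazily so the module loads without it)."""
    import boto3  # available in the Lambda runtime

    return boto3.client("s3").generate_presigned_url(
        "get_object", Params={"Bucket": bucket, "Key": key}, ExpiresIn=expires
    )


def get_download_url(
    event: dict,
    presign: PresignFn = boto3_presign,
    bucket: Optional[str] = None,
    owners: Mapping[str, str] = FILE_OWNERS,
    expires: int = 300,
) -> str:
    """Resolve the `key` argument to a short-lived URL, or raise if not authorized."""
    key = (event.get("arguments") or {}).get("key")
    if not isinstance(key, str) or not authorize(event, key, owners):
        # AppSync surfaces a raised exception as a GraphQL error; no URL is minted.
        raise PermissionError("not authorized")
    bucket = bucket or os.environ["FILES_BUCKET"]
    return presign(bucket, key, expires)


def handler(event, context):
    """Lambda entry point wired to the AppSync query."""
    return get_download_url(event)
```

Keep the expiry short (here five minutes); the URL carries the Lambda role's S3 permissions once issued, so the tenant check above is the only point at which the caller's identity is enforced.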