Cognito Identity Pools Attribute-based access control - dynamic attributes


I have hundreds of S3 buckets and dozens of users in Cognito User Pool. I want to be able to select which user can access which S3 bucket, for example:

  • user_a can access bucket_1, bucket_2, bucket_3
  • user_b can access bucket_2
  • user_c can access bucket_1, bucket_4

and so on.

I would love to be able to do it without creating a dedicated API that creates dynamic policies. I thought about utilising Cognito Identity Pools and Attribute-based access control.

There is a cool example where a user gets an attribute "department": "legal" and is then assigned a role that is allowed to query only the buckets with the -legal suffix, thanks to ${aws:PrincipalTag/department} magic.

If my users were to access only one bucket, that would be a solution. However, in my case a user could get assigned to dozens or hundreds of buckets (think "multiple departments" in the example from AWS docs).

I thought of using multiple custom attributes on each user:

  • bucket_1: true
  • bucket_2: false
  • bucket_3: false
  • ...and so on

and creating a policy that allows you to access given bucket_n if and only if you have an attribute bucket_n: true.

This would work if I had at most 50 buckets (the hard limit of Custom Attributes in Cognito).

In my case, this value is slightly higher (a couple of hundred). I can have users with access to 200+ buckets as well as ones allowed only one bucket.

Is there any way to achieve my goal with Cognito Identity Pools and IAM Policies?
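The department-suffix pattern the question refers to, written out as an added example (not the question's own policy and not quoted from the AWS docs). It assumes the identity pool's principal-tag mapping sets a tag named `department` from the user's attribute, and that every department bucket is named `<anything>-<department>`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheDepartmentBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::*-${aws:PrincipalTag/department}"
    },
    {
      "Sid": "ObjectAccessOnlyInTheDepartmentBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*-${aws:PrincipalTag/department}/*"
    }
  ]
}
```

Because the policy variable expands to the single string value of one tag, a principal whose tag is `legal` matches only `*-legal`; the same role cannot express "this user may reach bucket_1, bucket_2 and bucket_3", which is the limitation the question describes.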

No Answers
