Using a Cognito custom attribute as a principal tag in an IAM policy condition is not working


Here's the setup:

  • User Pool custom attribute: custom:journalSubscription
  • User Pool app client: has read/write permission for the custom attribute
  • Example user: has custom attribute custom:journalSubscription set to true
  • Identity Pool ABAC custom mapping: "Attribute name" of custom:journalSubscription ---maps to---> "Tag key for principal" of journalSubscription
  • IAM policy: uses a condition for "StringEquals" where "aws:PrincipalTag/journalSubscription" must equal "true"

Problem: the SDK call fails with this error:

User: <<AUTH_ROLE>> is not authorized to perform: dynamodb:GetItem on resource: <<ARN_FOR_MY_DynamoDB_TABLE>> because no identity-based policy allows the dynamodb:GetItem action

Note: the SDK call works fine with an IAM policy that uses a condition for a non-custom attribute such as "aws:PrincipalTag/email". It's just that for custom attributes, the call fails.

How can I make this work?

1 Answer
Accepted Answer

In the app client settings, for the OpenID Connect scopes, add profile. This allows the app client to retrieve "profile" attributes which seems to include custom attributes.

profile picture
answered 3 months ago
profile picture
reviewed 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions