Unauthenticated Cognito Profile restriction

Hello,

We are looking for a recommendation that can help with the following:

We have an integration of Salesforce with the SDK, where a Cognito profile is leveraged for S3 bucket access. Now we are looking for something that ensures users are authenticated and authorized to access only the intended functions and information in the bucket.

Also, we would like to understand how the policy and IAM roles (Auth_Role and UnAuth Role) can be used to restrict access. Or do they have some other purpose?

Thanks

1 Answer
Hello

If I understand your question, you are looking for some guidance on role-based access control. This document could help you with that.

As you will see on that link, you can map either authenticated or unauthenticated users and allow them to assume a specific role. You can specify default IAM roles for authenticated and unauthenticated users using Cognito. When Amazon Cognito creates a token, it sets the **amr** of the token as either "unauthenticated" or "authenticated", and in the authenticated case will include any providers used during authentication.

It is important to add the appropriate trust policy for each role so that it can only be assumed by Amazon Cognito for authenticated users in your identity pool. Here is an example from the article of such a trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

This policy allows federated users from cognito-identity.amazonaws.com to assume this role. Additionally, the policy restricts the **aud** of the token, in this case the identity pool ID, to match the identity pool (as I mentioned before, in the authenticated case it will include any providers used during authentication). Finally, the policy specifies that one of the array members of the multi-value **amr** claim of the token issued by the Amazon Cognito GetOpenIdToken API action has the value authenticated.

Take care and stay safe, Best regards,

Igvir

Igvir
answered 2 years ago
  • Thank you for the answer, Igvir. We appreciate it.

    AWS-User-0219409, Thank you for using re:Post. Let us know if this answers your question. If this solved your issue, please remember to click on the "Accept" button to let the community know that your question is resolved. This helps everyone. Thank you in advance.

  • Hi Igvir, Thanks for your reply.

    Actually, I'm looking for something that is related to leverage of authentication of Cognito profile for S3 bucket access which allows anonymous access to the S3 bucket.

    We have integration with Salesforce via SDK, where we are looking for authentication of Cognito profile before accessing the AWS S3(bucket) resource. Any help on this would be really appreciated.

    Thanks

  • Just to be clear, the AMR isn't a string, it's an ARRAY of strings. ONE of those strings might be "authenticated" or "unauthenticated." I can't find where AWS specifies what else might be in there. Regardless, the fact that it's an array is the reason you have to use ForAnyValue in the StringLike condition. If you get an error from the error pool saying your IAM role is invalid, double check you used ForAnyValue:StringLike and not just StringLike.
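To make the two points above concrete (the answer's aud and amr conditions, and the comment's warning that amr is an array and needs ForAnyValue), here is a small checker that lints a Cognito identity pool trust policy for exactly those properties. This is an added example, not code from the answer, the commenter or AWS: it reuses the trust policy and pool ID from the answer as its known-good input and constructs two weak variants to show what the checker flags. The function name check_cognito_trust_policy and the finding messages are my own.

```python
import copy
import json

# Identity pool ID taken from the example trust policy in the answer above.
POOL_ID = "us-east-1:12345678-corner-cafe-123456790ab"

AUD_KEY = "cognito-identity.amazonaws.com:aud"
AMR_KEY = "cognito-identity.amazonaws.com:amr"

# The trust policy from the answer, reproduced here so the checker has input to run on.
GOOD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {"Federated": "cognito-identity.amazonaws.com"},
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}
      }
    }
  ]
}
""")

# Constructed weak variants (not from the page): one matches the array-valued amr claim
# with the single-value StringLike operator, the other has no Condition block at all.
WEAK_STRINGLIKE_POLICY = copy.deepcopy(GOOD_TRUST_POLICY)
_weak_cond = WEAK_STRINGLIKE_POLICY["Statement"][0]["Condition"]
_weak_cond["StringLike"] = _weak_cond.pop("ForAnyValue:StringLike")

NO_CONDITION_POLICY = copy.deepcopy(GOOD_TRUST_POLICY)
del NO_CONDITION_POLICY["Statement"][0]["Condition"]


def _as_list(value):
    """IAM lets a single string stand in for a one-element list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def check_cognito_trust_policy(policy, pool_id, expect_authenticated=True):
    """Return findings for every Allow statement that lets Cognito Identity assume the role.

    An empty list means each such statement is pinned to this identity pool (aud) and to
    the intended amr value using a set operator, as the answer above recommends. Pass
    expect_authenticated=False when checking the unauthenticated role's trust policy.
    """
    expected_amr = "authenticated" if expect_authenticated else "unauthenticated"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*") for a in actions):
            continue
        cond = stmt.get("Condition", {})

        # aud must equal this identity pool's ID; otherwise identities from any pool qualify.
        aud = cond.get("StringEquals", {}).get(AUD_KEY)
        if aud is None:
            findings.append("no aud condition: identities from any Cognito identity pool could assume the role")
        elif pool_id not in _as_list(aud):
            findings.append(f"aud condition {aud!r} does not match identity pool {pool_id!r}")

        # amr is an array of strings, so it must be matched with a ForAnyValue:* operator.
        amr_ops = {op: vals[AMR_KEY] for op, vals in cond.items()
                   if isinstance(vals, dict) and AMR_KEY in vals}
        if not amr_ops:
            findings.append("no amr condition: authenticated and unauthenticated identities could both assume the role")
        for op, value in amr_ops.items():
            if not op.startswith("ForAnyValue:"):
                findings.append(f"amr matched with {op}: the claim is an array, use ForAnyValue:StringLike")
            if expected_amr not in _as_list(value):
                findings.append(f"amr condition {value!r} does not include {expected_amr!r}")
    return findings


if __name__ == "__main__":
    for name, pol in [("answer's policy", GOOD_TRUST_POLICY),
                      ("StringLike variant", WEAK_STRINGLIKE_POLICY),
                      ("no Condition", NO_CONDITION_POLICY)]:
        print(f"{name}: {check_cognito_trust_policy(pol, POOL_ID) or 'OK'}")
```

Run it as a script to see the answer's policy pass and the two constructed variants fail; point it at the JSON you get back from `aws iam get-role` for Auth_Role and UnAuth Role (with the matching pool ID and `expect_authenticated` value) to check your own trust policies the same way.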
