How to add & use array values in claims of Cognito's IdToken in AWS IAM policies?

0

Hello, I have a use-case where I need to add custom attributes to AWS Cognito user-pool with array values, e.g.: {"floors": ["1","3", "7"]}.

Then, I want to define a policy that allow access to a resource only if the PrincipalTag ("floors") has an element value ("3") that match the resource tag ("floor"="3").

Can this be implemented via AWS IAM Policy? How?

Thank you.

yossico
已提問 2 年前檢視次數 474 次
1 個回答
0

Cognito only supports string attributes, but you can mimic a multi-value attribute with your own delimiter between and around the values. Take this example using : to separate your floors values:

{"floors": ":1:3:7:"}

Then your aws:PrincipalTag/tag-key check can use StringLike in a Condition with leading *: and trailing :* wildcards to match the floor. This assumes your floor values don't contain : and they aren't user-defined input that would allow someone to inject their own : character.

"Condition": {
  "StringLike": { "aws:PrincipalTag/floor": "*:3:*" }
},
profile pictureAWS
已回答 1 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南