Custom Identity Provider - Restricted

0

If using a custom identity provider, can the lambda return a value in the user authentication response that indicates the user should be operating in 'restricted' mode? The built-in provider has a checkbox, but the custom identity provider documentation doesn't mention any return values that communicate that the user was stored as 'restricted' and therefore should only be allowed to access the home folder.

I have yet to be able to create a working scope-down policy that performs the 'restricted' mode. All the examples continue to fail with 'Access Denied'. Setting the policy to allow read/write to the S3 directly works, but obviously gives the user access to navigate throughout the S3 bucket.

Allowing the custom identity provider to specify 'Restricted' would eliminate the scope-down policy complexity.

jtd
Asked 3 years ago, viewed 281 times
2 answers
0

I think I just realized the Logical home directory type with mapping of a top-level path to the S3 path IS the restricted mode.

jtd
Answered 3 years ago
0

Hello jtd,

To use Restricted mode with Custom Identity Provider, you would have your IDP or your Lambda function return the HomeDirectoryDetails field along with the HomeDirectoryType field.

The HomeDirectoryDetails field specifies your user configuration or landing directories within S3/EFS. The HomeDirectoryType field specifies whether you want logical directories or path-based directories. Logical is the one that imitates the Restricted option in the AWS Console.

Example:

HomeDirectoryType: LOGICAL
HomeDirectoryDetails: [{"Entry": "/folder-a", "Target": "/my-bucket/folder-a"}]

You can also find more details on Logical Directories in the following blog post - https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/

Let me know if you have further questions.
Sagar

AWS
Expert
Answered 3 years ago
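The response shape Sagar describes, worked through as an added Lambda handler example (not code from the thread or from AWS): it authenticates a user against a constructed in-memory table, returns an empty response to deny the login, and on success returns HomeDirectoryType LOGICAL with a single "/" entry mapped to the user's own prefix, which is what keeps the session inside that folder. The role ARN, bucket name and user table are assumed placeholders; the example also assumes the Lambda contract carries HomeDirectoryDetails as a JSON-encoded string of the array shown above.

```python
import hmac
import json
import re

# Constructed sample user store for this example only; a real deployment would
# look users up in Secrets Manager, a database or an external IdP.
USERS = {
    "alice": {"password": "correct horse battery staple", "folder": "alice"},
}

# Assumed placeholder values, not taken from the original thread.
ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-user-role"
BUCKET = "my-bucket"

# Only plain folder names are allowed into the Target path, so a user record
# (or a username echoed into it) cannot contain "..", "/" or "*" and escape.
SAFE_FOLDER = re.compile(r"^[A-Za-z0-9_-]+$")


def build_restricted_response(role_arn: str, bucket: str, folder: str) -> dict:
    """Return the custom-IdP response that puts the user in restricted mode.

    HomeDirectoryType LOGICAL with one Entry "/" maps the session root onto the
    user's folder; there is no other entry, so nothing else in the bucket is
    visible to the client.
    """
    if not SAFE_FOLDER.match(folder):
        raise ValueError(f"unsafe folder name: {folder!r}")
    mapping = [{"Entry": "/", "Target": f"/{bucket}/{folder}"}]
    return {
        "Role": role_arn,
        "HomeDirectoryType": "LOGICAL",
        # Assumption: the Lambda response carries the array as a JSON string.
        "HomeDirectoryDetails": json.dumps(mapping),
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Transfer Family custom IdP entry point (password authentication only)."""
    username = event.get("username", "")
    password = event.get("password", "")
    user = USERS.get(username)
    # Compare against a dummy secret for unknown users so that timing does not
    # reveal which usernames exist; an empty dict denies the login.
    expected = user["password"] if user else "\x00" * 32
    ok = hmac.compare_digest(expected.encode(), password.encode())
    if user is None or not ok:
        return {}
    return build_restricted_response(ROLE_ARN, BUCKET, user["folder"])
```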
