Cognito / S3 User Specific Policies

Question

I am using the AWS SDK for Android alongside Cognito to authenticate users (via Login With Amazon) to my AWS resources. What I am attempting to do is to setup an S3 bucket like so:

./my-bucket
  ├── first_user@email.com
  └── second_user@email.com

So, the my-bucket bucket will have folders based on the user's e-mail address.

My first stab to setup the policy was as such:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/${www.amazon.com:user_id}",
        "arn:aws:s3:::my-bucket/${www.amazon.com:user_id}/*"
      ]
    }
  ]
}

As a test, I am trying to download a folder for a user like so:

final Map logins = new HashMap();
logins.put("www.amazon.com", token);
credentialsProvider.withLogins(logins);

final TransferManager transferManager = new TransferManager(credentialsProvider);
MultipleFileDownload download = transferManager.downloadDirectory("my-bucket", "first_user@email.com", new File("/sdcard/Download"));

However, when I run this I get a "Forbidden" exception. If I modify the policy to explicitly reference first_user@email.com rather than ${www.amazon.com:user_id} it works fine.

Question

1. Is this even possible to be able to use the LWA user's e-mail address to configure it like this?
2. Is there a way to log actually what parameters are happening when I make a request?

I've seen references like this but I'm not sure which ones actually apply. It would be fantastic if I were somehow able to see what values are coming across when I make a request.

Thanks in advance.

Answer 1

In answer to your questions:

1. No it is not possible to do this with Cognito or web identity federation with just Login with Amazon. The identifiers returned in this flow are pseudo-anonymous. Cognito IDs will be of the form us-east-1:abcd-123456-xxxxx-xxxxx-xxxx. If you use Login with Amazon directly, the IDs would be of the form amzn-1234567890.
2. The IDs vended from Cognito are available on the credentials provider by simply calling the getIdentityId method. If you are using the raw web identity federation flow, the AssumeRoleWithWebIdentityResult class contains the values for the provider, application/audience and user id.