Cognito / S3 User Specific Policies

Submitted by 三世轮回 on 2019-12-22 10:48:10

Question


I am using the AWS SDK for Android alongside Cognito to authenticate users (via Login With Amazon) to my AWS resources. What I am attempting to do is to set up an S3 bucket like so:

./my-bucket
  ├── first_user@email.com
  └── second_user@email.com

So, the my-bucket bucket will have folders based on the user's e-mail address.

My first stab at setting up the policy was as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/${www.amazon.com:user_id}",
        "arn:aws:s3:::my-bucket/${www.amazon.com:user_id}/*"
      ]
    }
  ]
}

As a test, I am trying to download a folder for a user like so:

// Map the Login with Amazon token to the "www.amazon.com" provider key
final Map<String, String> logins = new HashMap<String, String>();
logins.put("www.amazon.com", token);
credentialsProvider.withLogins(logins);

// Download the user's "folder" (key prefix) from the bucket to local storage
final TransferManager transferManager = new TransferManager(credentialsProvider);
MultipleFileDownload download = transferManager.downloadDirectory("my-bucket", "first_user@email.com", new File("/sdcard/Download"));

However, when I run this I get a "Forbidden" exception. If I modify the policy to explicitly reference first_user@email.com rather than ${www.amazon.com:user_id} it works fine.

Question

  1. Is it even possible to use the LWA user's e-mail address to configure it like this?
  2. Is there a way to log what parameters are actually being sent when I make a request?

I've seen references like this but I'm not sure which ones actually apply. It would be fantastic if I were somehow able to see what values are coming across when I make a request.

Thanks in advance.


Answer 1:


In answer to your questions:

  1. No, it is not possible to do this with Cognito or web identity federation with just Login with Amazon. The identifiers returned in this flow are pseudo-anonymous. Cognito IDs will be of the form us-east-1:abcd-123456-xxxxx-xxxxx-xxxx. If you use Login with Amazon directly, the IDs would be of the form amzn-1234567890.
  2. The IDs vended from Cognito are available on the credentials provider by simply calling the getIdentityId method. If you are using the raw web identity federation flow, the AssumeRoleWithWebIdentityResult class contains the values for the provider, application/audience and user id.
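Since the answer above says the only per-user identifier the policy can see is the Cognito identity ID, here is an added example (not from the original post) of the same policy keyed on that ID through the documented ${cognito-identity.amazonaws.com:sub} policy variable instead of the e-mail address. It also restricts s3:ListBucket with an s3:prefix condition so a caller can only enumerate their own prefix rather than every user's folder name; it assumes the role is the authenticated role of a Cognito identity pool and that objects are stored under the identity ID returned by getIdentityId.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket"],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${cognito-identity.amazonaws.com:sub}",
            "${cognito-identity.amazonaws.com:sub}/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::my-bucket/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
```

With this policy the client passes credentialsProvider.getIdentityId() as the key prefix to downloadDirectory instead of the e-mail address.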


Source: https://stackoverflow.com/questions/25679206/cognito-s3-user-specific-policies
