Allow Users Signed In Using Amazon Cognito to Access their Own Amazon S3 Folder

April 19, 2015

Amazon Cognito is an easy way to use web identity federation in your mobile app. Using Amazon Cognito, you can provide access to AWS resources for users who have signed in to your app through a third-party identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider, instead of giving each of them an IAM user. To use Amazon Cognito for web identity federation, you create an IAM role whose policy determines what permissions the federated user will have. You create one role for authenticated users. If your app also allows unauthenticated (guest) users, you create a second role that defines the permissions for those users; it should be more restrictive than the authenticated role.

For more information about Amazon Cognito, see the following:

  • Amazon Cognito Identity in the AWS SDK for Android Developer Guide
  • Amazon Cognito Identity in the AWS SDK for iOS Developer Guide

The following example shows a policy that might be attached to the authenticated role of a mobile app that uses Amazon Cognito. The first statement allows the user to list the bucket EXAMPLE-BUCKET-NAME only when the request's prefix is the application's folder, whose name is a provider name (here, cognito) followed by the friendly name of the application (here, mynumbersgame). The second statement uses the policy variable ${cognito-identity.amazonaws.com:sub}, which IAM replaces at evaluation time with the caller's Cognito identity ID, so that each user can get, put, and delete objects only under the folder named after their own ID; any key outside that folder, including another user's folder, does not match the Resource element and is denied by default.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"],
      "Condition": {"StringLike": {"s3:prefix": ["cognito/mynumbersgame/"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
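To see what this policy actually grants before deploying it, the following offline evaluator, added here as an example and not code from the original page or from any AWS SDK, replays a handful of requests against it. It models only the elements this policy uses (Allow/Deny effects, IAM's * and ? wildcard matching, the StringLike operator, and ${...} policy-variable substitution from the request context) and is not a substitute for the IAM policy simulator. The identity IDs ALICE and BOB are constructed in the Cognito Identity format, the helper names are mine, and TIGHTENED_POLICY is my own variant that scopes the ListBucket condition to the caller's folder rather than to the application folder.

```python
import copy
import re

# The policy from the page, with the placeholder bucket name kept as-is.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"],
            "Condition": {"StringLike": {"s3:prefix": ["cognito/mynumbersgame/"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [
                "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*",
            ],
        },
    ],
}

# Assumed variant (not from the page): listing is limited to the caller's own folder.
TIGHTENED_POLICY = copy.deepcopy(PAGE_POLICY)
TIGHTENED_POLICY["Statement"][0]["Condition"] = {
    "StringLike": {"s3:prefix": ["cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*"]}
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(template, context):
    """Expand ${key} policy variables from the request context.
    Returns None when a variable is absent, so the element fails to match."""
    missing = False

    def repl(m):
        nonlocal missing
        if m.group(1) not in context:
            missing = True
            return ""
        return context[m.group(1)]

    out = _VAR.sub(repl, template)
    return None if missing else out


def iam_match(pattern, value):
    """IAM string matching: '*' matches any run of characters, '?' exactly one,
    everything else literally and case-sensitively. No wildcard means exact match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_holds(condition, context):
    """Only StringLike is modelled, since that is all this policy uses.
    A condition key missing from the request makes the condition false."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None:
                return False
            expanded = [substitute(p, context) for p in _as_list(patterns)]
            if not any(p is not None and iam_match(p, value) for p in expanded):
                return False
    return True


def is_allowed(policy, action, resource_arn, context):
    """Default deny; an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        expanded = [substitute(r, context) for r in _as_list(stmt["Resource"])]
        if not any(r is not None and iam_match(r, resource_arn) for r in expanded):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


BUCKET_ARN = "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
SUB_KEY = "cognito-identity.amazonaws.com:sub"
# Constructed identity IDs in the <region>:<uuid> shape Cognito Identity issues.
ALICE = "us-east-1:11111111-1111-1111-1111-111111111111"
BOB = "us-east-1:22222222-2222-2222-2222-222222222222"


def object_allowed(policy, caller, action, key):
    return is_allowed(policy, action, f"{BUCKET_ARN}/{key}", {SUB_KEY: caller})


def list_allowed(policy, caller, prefix=None):
    ctx = {SUB_KEY: caller}
    if prefix is not None:
        ctx["s3:prefix"] = prefix  # S3 only sets this key when the request carries a prefix
    return is_allowed(policy, "s3:ListBucket", BUCKET_ARN, ctx)


if __name__ == "__main__":
    own, other = f"cognito/mynumbersgame/{ALICE}/save.json", f"cognito/mynumbersgame/{BOB}/save.json"
    print("alice GetObject own file   :", object_allowed(PAGE_POLICY, ALICE, "s3:GetObject", own))
    print("alice GetObject bob's file :", object_allowed(PAGE_POLICY, ALICE, "s3:GetObject", other))
    print("alice list app folder      :", list_allowed(PAGE_POLICY, ALICE, "cognito/mynumbersgame/"))
    print("alice list own folder      :", list_allowed(PAGE_POLICY, ALICE, f"cognito/mynumbersgame/{ALICE}/"))
    print("same, tightened variant    :", list_allowed(TIGHTENED_POLICY, ALICE, f"cognito/mynumbersgame/{ALICE}/"))
```

Two results are worth checking against your own expectations. Because StringLike without a wildcard is an exact, case-sensitive match, the page's ListBucket condition lets a user list cognito/mynumbersgame/ (which exposes the identity IDs of every user's folder, though not their contents) but not cognito/mynumbersgame/<own id>/, so the app cannot enumerate the caller's own files; the tightened variant reverses both outcomes. And a request whose context lacks cognito-identity.amazonaws.com:sub never matches the second statement, so the credentials must come from Cognito Identity for the variable to be populated. For a real account, confirm the same cases with the IAM policy simulator rather than relying on this model.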