I have a hard time assigning an IAM role to a user depending on the cognito-identity.amazonaws.com:sub Key using the Condition element.
When setting up the identity pool using AWS Cognito you can specify an «Authenticated role», where I selected the app-authenticated role.
I have two IAM Roles:
app-authenticated
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "eu-central-1:fa078075-9622-4f0d-8789-700105a9e612"
        },
        "StringNotEquals": {
          "cognito-identity.amazonaws.com:sub": "eu-central-1:555540a6-cd49-44b2-bbd8-02cfa73b3510"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```
and
app-authenticated_admin
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "eu-central-1:fa078075-9622-4f0d-8789-700105a9e612",
          "cognito-identity.amazonaws.com:sub": "eu-central-1:555540a6-cd49-44b2-bbd8-02cfa73b3510"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```
The problem is that whoever logs in always gets the app-authenticated role, including the one user with the sub «555540a6-cd49-44b2-bbd8-02cfa73b3510» (copied from userPool -> users -> user detail -> sub), which I would expect to get the app-authenticated_admin role. Has anyone experienced something similar, or am I missing some basic concepts for such a simple scenario?
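An added illustration, not code from the question or from AWS: a small evaluator for the Condition blocks of the two trust policies above, run against constructed identity contexts. It only answers whether each trust policy would permit sts:AssumeRoleWithWebIdentity for a given aud/sub/amr; which role the identity pool actually requests is decided by the pool's authenticated-role setting or its role-mapping rules, not by the trust policies. The context values other than those copied from the question are constructed.

```python
import fnmatch

# Condition blocks copied from the two trust policies in the question.
POOL_ID = "eu-central-1:fa078075-9622-4f0d-8789-700105a9e612"
ADMIN_SUB = "eu-central-1:555540a6-cd49-44b2-bbd8-02cfa73b3510"
AUD, SUB, AMR = ("cognito-identity.amazonaws.com:" + k for k in ("aud", "sub", "amr"))
POLICIES = {
    "app-authenticated": {
        "StringEquals": {AUD: POOL_ID},
        "StringNotEquals": {SUB: ADMIN_SUB},
        "ForAnyValue:StringLike": {AMR: "authenticated"},
    },
    "app-authenticated_admin": {
        "StringEquals": {AUD: POOL_ID, SUB: ADMIN_SUB},
        "ForAnyValue:StringLike": {AMR: "authenticated"},
    },
}

def _match(op, expected, actual):
    """One IAM string operator applied to one context value."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringNotEquals":
        return actual != expected
    if op == "StringLike":  # IAM wildcards * and ? behave like fnmatch's
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator {op}")

def condition_allows(condition, context):
    """True when every operator/key pair is satisfied. A key absent from the
    context fails its pair; ForAnyValue:* needs one matching value of a
    multi-valued key (amr is a list), plain operators need every value to match."""
    for op, pairs in condition.items():
        any_value = op.startswith("ForAnyValue:")
        base_op = op.split(":", 1)[1] if any_value else op
        for key, expected in pairs.items():
            values = context.get(key)
            if values is None:
                return False
            values = [values] if isinstance(values, str) else values
            if not (any if any_value else all)(_match(base_op, expected, v) for v in values):
                return False
    return True

def roles_permitting(context, policies=POLICIES):
    """Names of the roles whose trust policy would accept this identity context."""
    return [name for name, cond in policies.items() if condition_allows(cond, context)]

# Constructed contexts: the admin identity and some other authenticated identity.
ADMIN_CONTEXT = {AUD: POOL_ID, SUB: ADMIN_SUB, AMR: ["authenticated", "cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE"]}
OTHER_CONTEXT = {AUD: POOL_ID, SUB: "eu-central-1:00000000-0000-4000-8000-000000000000", AMR: ["authenticated"]}
```

Running `roles_permitting(ADMIN_CONTEXT)` and `roles_permitting(OTHER_CONTEXT)` shows that each trust policy admits exactly one of the two identities, so the trust policies themselves are not what hands every user the same role.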