My application uses Cognito user pools to restrict access so that each user may access their own personal folder read/write in a "private" bucket. In a "public" bucket it is the same, except that everyone has read access to everything and write access only to their own folder. This all works fine when accessed via the JavaScript S3 SDK.
I am now trying to implement access via the API Gateway talking to a Lambda function which accesses S3.
The problem is that it appears that the Cognito Userpool identity is not being used by the Lambda function. If I give the Lambda function role total S3 access then the function is able to access S3 fine and the function works. If however I have the role policies in place to restrict by Cognito Userpool ID as described above, the I get access denied.
It appears to me that the Userpool Cognito Identity is not what the Lambda function is using.
Can anyone suggest the correct configuration for this setup?
thanks