2
votes

I have an embedded device that requires the ability to write to S3. I want to avoid giving the embedded device an actual AWS IAM user. I am looking at using Cognito to gain write access to S3.

I have a user pool with a group and one user (for now). The group has an attached policy which permits access to write to a certain S3 bucket. The pool is set up so that only admins can create new users. I have managed to authenticate the Cognito user and have got access to refresh tokens and the ID tokens. I am looking to use these tokens to write to my S3 bucket.

I am trying to follow the documentation but am getting confused. I think I need a federated identity pool but I have no requirement for a public provider. I just want my Cognito user group to write to S3.

Is there a simple solution to allow a Cognito user to write to S3 without federated identities, or if not, do I require a back end to serve a token for a federated identity?

I have been using warrant https://github.com/capless/warrant to authenticate like so:

from warrant.aws_srp import AWSSRP
import boto3

# cognito-idp client; the region comes from the usual boto3 config/env
client = boto3.client('cognito-idp')

# SRP authentication against the user pool (app client without a client secret)
aws = AWSSRP(username='<username>', password='<password>', pool_id='<pool>',
             client_id='<clientid>', client=client)

# response dict whose AuthenticationResult carries IdToken, AccessToken and RefreshToken
tokens = aws.authenticate_user()

Any tips would be greatly appreciated!

1
You need to call STS AssumeRoleWithWebIdentity to use the Cognito token to retrieve temporary AWS credentials that you then use for S3. By the way, the original blog post that introduced User Pools (as a self-managed alternative to what are now called Federated Identity Pools) is helpful: aws.amazon.com/blogs/aws/new-user-pools-for-amazon-cognito. No need for Facebook etc. - jarmod

1 Answer

4
votes

You do need a federated identity pool. In the identity provider section, you choose Cognito and enter your pool ID and pool client ID. Then, you need to provide the identity pool with authenticated and unauthenticated roles. You can use these roles to provide that S3 write access.

This is the default behavior for the identity provider setup. If you want the role to come from the group that your user is in, you will need to set the "Choose role from token" option in the identity provider section, under where you provided your pool and client ID.
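The exchange the answer describes, as an added example that is not code from the question, the answer or the warrant project: the user pool ID token goes into the identity pool's Logins map under the key `cognito-idp.<region>.amazonaws.com/<user_pool_id>`, GetId plus GetCredentialsForIdentity return short-lived keys for the authenticated role (or, with "Choose role from token", the role named in the token's `cognito:preferred_role` claim), and those keys are handed to an S3 client. The region, user pool ID, identity pool ID, bucket name and role ARN are placeholders, and the fake identity client and unsigned sample token are constructed here so the mapping logic can be exercised offline.

```python
"""
Added example: Cognito User Pool ID token -> Cognito Identity Pool ->
temporary AWS credentials -> S3. All IDs below are assumed placeholders.
The service calls go through a client object supplied by the caller, so the
same functions run against a real boto3 cognito-identity client or the
constructed FakeIdentityClient at the bottom.
"""
import base64
import json


def login_provider_name(region, user_pool_id):
    """Key the identity pool expects in the Logins map for a user-pool token."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Read a JWT's claims WITHOUT verifying the signature. Cognito Identity
    verifies the token server-side; this is only for the device to log which
    group/role the token will be mapped to."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def role_claims(id_token):
    """Group/role claims Cognito adds when the user is in a group that has a
    role attached. "Choose role from token" makes the identity pool assume
    cognito:preferred_role instead of the pool's default authenticated role."""
    claims = decode_jwt_claims(id_token)
    return {
        "groups": claims.get("cognito:groups", []),
        "roles": claims.get("cognito:roles", []),
        "preferred_role": claims.get("cognito:preferred_role"),
    }


def credentials_for_id_token(identity_client, identity_pool_id, region,
                             user_pool_id, id_token):
    """Enhanced auth flow: GetId, then GetCredentialsForIdentity.
    Returns kwargs for boto3.client('s3', **creds)."""
    logins = {login_provider_name(region, user_pool_id): id_token}
    identity_id = identity_client.get_id(
        IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = identity_client.get_credentials_for_identity(
        IdentityId=identity_id, Logins=logins)["Credentials"]
    # This API names the field SecretKey, not SecretAccessKey.
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretKey"],
        "aws_session_token": creds["SessionToken"],
    }


def make_unsigned_token(claims):
    """Constructed, UNSIGNED JWT for offline inspection only. A real user-pool
    token is RS256-signed; Cognito Identity will reject this one."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


class FakeIdentityClient:
    """Constructed stand-in for boto3.client('cognito-identity') with the two
    methods credentials_for_id_token uses; returns fixed sample values."""

    def get_id(self, IdentityPoolId, Logins):
        return {"IdentityId": f"{IdentityPoolId}:fake-identity"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "secret",
                                "SessionToken": "session", "Expiration": 0}}


if __name__ == "__main__":
    # Live flow with assumed values; needs boto3, warrant and real pool IDs.
    import boto3
    from warrant.aws_srp import AWSSRP

    REGION, USER_POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "<clientid>"
    IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
    BUCKET = "<bucket>"

    idp = boto3.client("cognito-idp", region_name=REGION)
    tokens = AWSSRP(username="<username>", password="<password>", pool_id=USER_POOL_ID,
                    client_id=CLIENT_ID, client=idp).authenticate_user()
    id_token = tokens["AuthenticationResult"]["IdToken"]
    print("token maps to:", role_claims(id_token))

    identity = boto3.client("cognito-identity", region_name=REGION)
    creds = credentials_for_id_token(identity, IDENTITY_POOL_ID, REGION, USER_POOL_ID, id_token)
    boto3.client("s3", region_name=REGION, **creds).put_object(
        Bucket=BUCKET, Key="device/hello.txt", Body=b"hello from device")
```

The credentials returned this way expire (the `Expiration` field in the response), so a long-running device should refresh them rather than cache them, and the identity pool's authenticated role trust policy is what bounds this access: no IAM user or long-lived key ever leaves the account.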