3
votes

I am trying to add a bucket policy to my bucket because my bucket is in a root AWS account, and I want to restrict other users, roles, etc. under the root account from accessing my bucket except for a specific Cognito user in my User Pool.

I do not want to also use an identity pool -- I would just like to refer to the Cognito user as the principal in my bucket policy. Is there any way to do this without using an identity pool? I can't find any example policies that do this.

1
any luck? how did you solve this? – saurabh
After further research, I don't think it is possible to refer to a Cognito user as a principal in a policy. When a Cognito user authenticates with a User Pool, they are authenticated in the client's app, not in AWS, i.e. the Cognito user has no access to AWS resources. Since the Cognito user is not an identity known in the scope of AWS, you cannot refer to the user as a principal. You would need to use a federated identity to give the user an IAM role that you can refer to that is understood in the AWS scope, and thus can be referred to in a policy. – rooscous
This question is a little old, but I just spent a few days trying to figure out how to give Cognito Users access to AWS services and thought I would at least confirm since the AWS Documentation is severely lacking :( Identity Pool is required. The reason can be explained easily by the summary from this article, which reads: "The Cognito User Pool stores all your users which then plugs into your Cognito Identity Pool which can give your users access to your AWS services." – kiddailey

1 Answer

0
votes

You can set the Principal of your bucket policy as the auth role of your Cognito user. In my case, the Principal looks like

"Principal": {
    "AWS": "arn:aws:iam::123456789000:role/NAME_OF_MY-authRole"
},

Then, you can further control the access by changing the Resource. Here is the example from AWS docs.

"Resource": [
    "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}",
    "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
]
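Putting the two fragments above together, here is a complete bucket policy as an added example (not the answerer's own policy): it allows the Identity Pool's authenticated role to read, write and list only its own per-identity prefix, and explicitly denies every other principal in the account, which is what the question asked for. It reuses the account ID, role name, bucket and application names from the answer; the admin role in the Deny exception is a placeholder you must replace with the role that manages the bucket, otherwise the Deny locks out your own administrators too.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCognitoIdentityOwnPrefix",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789000:role/NAME_OF_MY-authRole" },
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": [
        "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
      ]
    },
    {
      "Sid": "AllowCognitoIdentityListOwnPrefix",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789000:role/NAME_OF_MY-authRole" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"]
        }
      }
    },
    {
      "Sid": "DenyEveryoneElseInAccount",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789000:role/NAME_OF_MY-authRole",
            "arn:aws:iam::123456789000:role/ADMIN_ROLE_PLACEHOLDER"
          ]
        }
      }
    }
  ]
}
```

Note that `${cognito-identity.amazonaws.com:sub}` resolves to the Identity Pool identity ID of the calling session, not to the User Pool `sub` claim, so each federated identity is confined to its own prefix and cannot enumerate or read other identities' objects even though they all assume the same role.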