4
votes

I'm using AWS amplify to create an app, where users can upload images using either private or public file access levels, as described in the documentation. Besides this, I've implemented a lambda function which upon request through API gateway modifies an image and returns a link to the modified image.

What I want is that a given user should be able to call the API and modify only his own images, but not that of other users; i.e. allow the AWS lambda function to use the execution role from the cognito user. If I allow the lambda function to access all data in the S3 bucket then it works fine - but I don't want users to be able to access other users images.

I've been at it for a while now, trying different things to no avail.

Now I've integrated the API with the user pool as described here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

And then I've tried to follow this guide: https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/

Which does not work since the "cognito:roles" is not present in the event variable of the lambda_handler (presumably because there are not user pool groups?).

What would the right way be to go about this in an AWS Amplify app? Primarily, I've followed this guide: https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/

1
Did you somehow figure it out? I'd really be interested :-) - ElFitz

1 Answers

0
votes

Use API Gateway request mapping and check permissions in Lambda itself:

  1. Use API Gateway request mapping to pass context.identity.cognitoIdentityId to Lambda. Just it should be a Lambda integration with mapping (not a Proxy integration). Another limitation is that API request should be POST, for GET it's also possible if you map cognitoIdentityId to query string.

  2. Lambda has access to all files in S3

  3. Implement access control check in Lambda itself. Lambda can read all permissions of the file in S3. And then see if owner is Cognito user.