Alexey Kislitsin
Reputation: 796
How can I allow cognito users to access their own S3 folders
What I want is to let groups (families) of aws cognito users to read/write to S3 buckets which should be only available for those families of users.
I created a user with boto3 python library. Now I need to grant this user access to their folder in the bucket.
I found a few posts which suggested to create bucket policy like this:
policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Grant user access to his folder",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::BUCKET/users/${cognito-identity.amazonaws.com:sub}",
"Condition": {
"StringLike": {
"cognito-identity.amazonaws.com:sub": [
"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
"us-east-1:yyyyyyyy-xxxx-xxxx-xxxx-xxxxxxxxxx"
]
}
}
}
]}
But it turns out we can not specify "cognito-identity.amazonaws.com:sub" in bucket's policy condition.
Any help is highly appreciated.
Upvotes: 5
Views: 1611
Answers (1)
user3341808
Reputation: 81
I think the policy you have above needs to be in the IAM role for an authenticated user, not part of a bucket policy.
Upvotes: 1
Related Questions
- Restrict S3 Object Access to Specific Cognito Users
- Provide individual access permissions through Amazon Cognito
- S3 Access for only Cognito Authenticated User
- AWS S3 bucket policy to allow access to Cognito users
- Give read/read access to aws S3 to cognito users
- Allow an external user (through Cognito) to access a S3 bucket and console
- Allow Cognito user to Write to S3
- Let Cognito users manage access to "own" S3 folders
- Amazon S3 bucket permission for unauthenticated cognito role user
- Allowing my Amazon Cognito users to upload to specific folder on S3