I'm trying to define authorized/unauthorized roles for Identity Pool connected to User Pool with Cloud Formation. I'm using these instructions: https://docs.amplify.aws/lib/storage/getting-started/q/platform/js#using-amazon-s3
But so far I have not succeeded with it. When UI calls Amplify.configure with the identity pool id, I get "Invalid identity pool configuration. Check assigned IAM roles for this pool."
This is what I have:
```yaml
MyCognitoUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    ...
MyCognitoUserPoolClient:
  Type: AWS::Cognito::UserPoolClient
  Properties:
    UserPoolId: !Ref MyCognitoUserPool
    GenerateSecret: false
MyIdentityPool:
  Type: AWS::Cognito::IdentityPool
  Properties:
    CognitoIdentityProviders:
      - ClientId: !Ref MyCognitoUserPoolClient
        ProviderName: !GetAtt MyCognitoUserPool.ProviderName
MyIdentityPoolAuthRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - cognito-identity.amazonaws.com
          Action:
            - sts:AssumeRole
          Condition:
            StringEquals:
              cognito-identity.amazonaws.com:aud:
                - !ImportValue mydevDocumentBucketArn
            ForAnyValue:StringLike:
              cognito-identity.amazonaws.com:amr:
                - authenticated
    Policies:
      - PolicyName: identity-pool-auth-cognito-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - cognito-identity:*
                - cognito-sync:*
              Resource: '*'
      - PolicyName: identity-pool-auth-public-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:DeleteObject
                - s3:GetObject
                - s3:PutObject
              Resource:
                - Fn::Sub:
                    - '${documentBucket}/public/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                - Fn::Sub:
                    - '${documentBucket}/protected/${identitySub}/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                      identitySub: ${cognito-identity.amazonaws.com:sub}
                - Fn::Sub:
                    - '${documentBucket}/private/${identitySub}/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                      identitySub: ${cognito-identity.amazonaws.com:sub}
      - PolicyName: identity-pool-auth-uploads-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:PutObject
              Resource:
                - Fn::Sub:
                    - '${documentBucket}/uploads/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
      - PolicyName: identity-pool-auth-protected-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource:
                - Fn::Sub:
                    - '${documentBucket}/protected/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
      - PolicyName: identity-pool-auth-list-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:ListBucket
              Resource: !ImportValue mydevDocumentBucketArn
              Condition:
                StringLike:
                  s3:prefix:
                    - 'public/'
                    - 'public/*'
                    - 'protected/'
                    - 'protected/*'
                    - 'private/${cognito-identity.amazonaws.com:sub}/'
                    - 'private/${cognito-identity.amazonaws.com:sub}/*'
MyIdentityPoolUnAuthRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - cognito-identity.amazonaws.com
          Action:
            - sts:AssumeRole
          Condition:
            StringEquals:
              cognito-identity.amazonaws.com:aud:
                - !ImportValue mydevDocumentBucketArn
            ForAnyValue:StringLike:
              cognito-identity.amazonaws.com:amr:
                - unauthenticated
    Policies:
      - PolicyName: identity-pool-unauth-sync-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - cognito-sync:*
              Resource: '*'
      - PolicyName: identity-pool-unauth-public-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:PutObject
                - s3:DeleteObject
              Resource:
                - Fn::Sub:
                    - '${documentBucket}/public/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
      - PolicyName: identity-pool-unauth-uploads-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:PutObject
              Resource:
                - Fn::Sub:
                    - '${documentBucket}/uploads/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
      - PolicyName: identity-pool-unauth-protected-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource:
                - Fn::Sub:
                    - '${documentBucket}/protected/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
      - PolicyName: identity-pool-unauth-list-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:ListBucket
              Resource:
                - Fn::Sub:
                    - '${documentBucket}/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
              Condition:
                StringLike:
                  s3:prefix:
                    - 'public/'
                    - 'public/*'
                    - 'protected/'
                    - 'protected/*'
MyIdentityPoolRoleAtt:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId: !Ref MyIdentityPool
    Roles:
      "authenticated": !GetAtt MyIdentityPoolAuthRole.Arn
      "unauthenticated": !GetAtt MyIdentityPoolUnAuthRole.Arn
```
Upvotes: 0
Views: 1345
To me there looks to be a couple of issues with the trust policies of your Auth and Unauth roles:
Firstly, the `Action` that the roles allow should be `sts:AssumeRoleWithWebIdentity` and not `sts:AssumeRole`.

`AssumeRole` gives additional temporary permissions to existing IAM users. AssumeRole requires existing valid IAM user credentials. `AssumeRoleWithWebIdentity` gives temporary credentials to app users that have been authenticated by some web identity provider (such as Cognito User Pools, or Facebook, etc).

Secondly, the condition part of your trust policy should read as follows:

```yaml
Condition:
  StringEquals:
    cognito-identity.amazonaws.com:aud:
      - !Ref MyIdentityPool
  ForAnyValue:StringLike:
    cognito-identity.amazonaws.com:amr:
      - authenticated # or unauthenticated
```

The `cognito-identity.amazonaws.com:aud` part limits the assignment of this role to users who are members of your specific identity pool, whereas you were referencing the arn of your S3 bucket.
Upvotes: 2
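A small lint for the two trust-policy points the answer raises, as an added example that is not part of the question or the answer: it takes the trust policy as the JSON dict CloudFormation renders from the YAML and reports when the action is not `sts:AssumeRoleWithWebIdentity` or when the `aud` condition holds something other than the identity pool id. The pool id, the bucket ARN and the `make_trust_policy` helper are constructed for the example.

```python
"""Lint a Cognito Identity Pool role's trust policy (added example, not from the post):
Action must be sts:AssumeRoleWithWebIdentity and the aud condition must be the pool id."""
import re

# Identity pool ids look like "<region>:<uuid>"; POOL_ID below is a constructed sample.
POOL_ID_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+:[0-9a-f-]{36}$")
POOL_ID = "eu-west-1:11111111-2222-3333-4444-555555555555"

def _as_list(value):
    """IAM accepts a string or a list for Action, Principal and condition values."""
    return value if isinstance(value, list) else [value]

def check_cognito_trust_policy(policy, identity_pool_id, expected_amr):
    """Return a list of findings; an empty list means the trust policy looks right."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if "cognito-identity.amazonaws.com" not in federated:
            findings.append("Principal.Federated must be cognito-identity.amazonaws.com")
        actions = _as_list(stmt.get("Action", []))
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            findings.append("Action must be sts:AssumeRoleWithWebIdentity, found %s" % actions)
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud", []))
        if not aud:
            findings.append("missing cognito-identity.amazonaws.com:aud condition")
        for value in aud:
            if not POOL_ID_RE.match(str(value)):
                findings.append("aud %r is not an identity pool id" % value)
            elif value != identity_pool_id:
                findings.append("aud %r belongs to a different pool" % value)
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr", []))
        if expected_amr not in amr:
            findings.append("amr condition must include %r" % expected_amr)
    return findings

def make_trust_policy(action, aud, amr):
    """Trust policy in the shape the question uses, as the JSON CloudFormation renders it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": action,
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": aud},
                      "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr}}}]}

# The question's trust policy (bucket ARN as aud, sts:AssumeRole) next to the answer's fix.
BROKEN = make_trust_policy("sts:AssumeRole", "arn:aws:s3:::mydev-document-bucket", "authenticated")
FIXED = make_trust_policy("sts:AssumeRoleWithWebIdentity", POOL_ID, "authenticated")
```

Running the check against the rendered template of each role (for example from `aws cloudformation get-template`) before deploying catches exactly the "Invalid identity pool configuration" mismatch the question hit.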