Varun Gawande

Reputation: 1120

How to specify User's IdentityID when configuring IdentityPool's Authenticated IAM Role

Consider the following:

  1. An AWS Cognito Identity Pool (Identity Pool ID: us-east-1:abc)
  2. A User that exists in the above pool (Identity ID: us-east-1:xyz)
  3. An AWS IoT Core Policy (or any AWS resource)

I want the Cognito Users to be able to run

aws iot attach-policy --policy-name <policy-name> --target us-east-1:xyz

But ONLY ON this particular Identity Pool (this is fine, we have the ARN),
AND on their OWN "Identity Id", i.e. us-east-1:xyz.

I want to set up the Authenticated Role for this Identity Pool such that when Users (after they get AWS Creds) attempt to do this action (iot:AttachPolicy), it's only permitted on their own Identity ID.

For example:

- Effect: Allow
  Action: 
    - iot:AttachPolicy
  Resource:
    - "${Some Placeholder that resolves to (Principal) User's Identity ID}"
    - !GetAtt IoTCorePolicy.Arn

NOTE:

  1. A Cognito User's Identity ID IS NOT THE SAME as its UserPool Sub value.
  2. Part of the issue is that Identity Id DOES NOT follow the ARN format.

I am new to Identity Pools and am not finding the documentation relevant to my use case.

If you have any idea please let me know.

Upvotes: 0

Views: 26

Answers (0)
