DynamoDB fine-grained access control: is it possible to use ${cognito-identity.amazonaws.com:email}?

谁说我不能喝 submitted on 2019-12-06 07:52:54

Question


My users have Cognito accounts.

According to this article we can restrict access to the DynamoDB API with a policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<TABLE>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

Looks pretty straightforward for my case, where the index key is email (and the primary sort key is utc), so I adjusted the example above to this one:

    {
        "Effect": "Allow",
        "Action": "dynamodb:UpdateItem",
        "Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito-identity.amazonaws.com:email}"
                ],
                "dynamodb:Attributes": [
                    "email",
                    "utc",
                    "updated",
                    "isNew"
                ]
            }
        }
    }

But I keep getting the error AccessDeniedException: User: arn:aws:sts::9876543210:assumed-role/policyname/CognitoIdentityCredentials is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:us-east-1:123456789123:table/history.

I tried my JS HTTP call with * permissions and it works, so the pitfall is only with this policy.


Answer 1:


${cognito-identity.amazonaws.com:email} is not a valid policy variable. It's not resolving to your user's email address.

It is a shame, as most developers, like yourself, would find the user's email address more intuitive than using cognito-identity.amazonaws.com:sub or cognito-identity.amazonaws.com:aud.




Answer 2:


In this thread I found that I can use
${cognito-idp.us-east-1.amazonaws.com:sub}
This is not the email, but in the future I can list users with this sub.
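The two answers above come down to one mechanism: a policy variable is only useful if the request context actually carries a value for it. The following is an added toy model of how the `dynamodb:LeadingKeys` condition behaves with resolved and unresolved variables; it is not the asker's code and not AWS's real policy evaluator. It assumes a constructed Cognito request context with only the `sub` and `aud` keys present (the real identifiers are placeholders), and it models an unresolvable variable as a condition that can never match, which is the `AccessDeniedException` outcome the question reports.

```python
"""Toy evaluator for an IAM statement's dynamodb:LeadingKeys condition
with Cognito policy variables (added illustration, not AWS code)."""
import re
from typing import Dict, List, Optional

# Matches ${some.variable:name} inside a policy string.
VAR_PATTERN = re.compile(r"\$\{([^}]+)\}")

# Constructed request context: the keys Cognito Identity actually supplies.
# Values are placeholders, not real identifiers.
COGNITO_CONTEXT: Dict[str, str] = {
    "cognito-identity.amazonaws.com:sub": "us-east-1:11111111-2222-3333-4444-555555555555",
    "cognito-identity.amazonaws.com:aud": "us-east-1:identity-pool-id-placeholder",
}

# The asker's statement: the leading key is tied to a variable that
# does not exist in the request context.
EMAIL_STATEMENT = {
    "Effect": "Allow",
    "Action": "dynamodb:UpdateItem",
    "Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:email}"]
        }
    },
}

# Same statement with the variable both answers point to.
SUB_STATEMENT = {
    "Effect": "Allow",
    "Action": "dynamodb:UpdateItem",
    "Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
    },
}


def resolve_variables(value: str, context: Dict[str, str]) -> Optional[str]:
    """Substitute every ${key} in value from the request context.

    Returns None if any referenced key is absent from the context, modelling
    a condition key that cannot be satisfied."""
    missing = False

    def repl(match: "re.Match[str]") -> str:
        nonlocal missing
        key = match.group(1)
        if key not in context:
            missing = True
            return match.group(0)
        return context[key]

    resolved = VAR_PATTERN.sub(repl, value)
    return None if missing else resolved


def leading_keys_allowed(statement: dict, context: Dict[str, str],
                         partition_keys: List[str]) -> bool:
    """Return True if every partition key touched by the request equals one
    of the resolved dynamodb:LeadingKeys values (ForAllValues semantics)."""
    cond = statement.get("Condition", {}).get("ForAllValues:StringEquals", {})
    allowed: List[str] = []
    for raw in cond.get("dynamodb:LeadingKeys", []):
        resolved = resolve_variables(raw, context)
        if resolved is None:
            # Unresolvable variable: the condition is never met, so the
            # Allow statement does not apply and the request is denied.
            return False
        allowed.append(resolved)
    return all(key in allowed for key in partition_keys)


if __name__ == "__main__":
    me = COGNITO_CONTEXT["cognito-identity.amazonaws.com:sub"]
    print("email variable, own row:", leading_keys_allowed(EMAIL_STATEMENT, COGNITO_CONTEXT, ["alice@example.com"]))
    print("sub variable, own row:  ", leading_keys_allowed(SUB_STATEMENT, COGNITO_CONTEXT, [me]))
    print("sub variable, other row:", leading_keys_allowed(SUB_STATEMENT, COGNITO_CONTEXT, ["us-east-1:someone-else"]))
```

The practical consequence for table design is the one Answer 2 lands on: if per-user isolation is enforced through `dynamodb:LeadingKeys`, the partition key has to be the Cognito `sub`, and any email-to-user mapping lives elsewhere (for example in a separate lookup the application maintains), rather than in the IAM condition.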



Source: https://stackoverflow.com/questions/48261646/dynamodb-fine-grained-access-control-is-it-possible-to-use-cognito-identity-a
