问题
I have one Cognito User Pool with a custom attribute organisation_id. One Organisation may have multiple users. There can be multiple organisations. Another Dynamodb table is used to maintain Categories which has _id and organisation_id as partition key. Categories can be owned by Organisation so that users belong to that particular Organisation perform some operation in those categories only.
Now, how can I create the IAM policy so that it takes the organisation_id instead of sub/user_id as it is explained here
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessToOnlyItemsMatchingUserID",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
"arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito:organisation_id(?)}"
],
"dynamodb:Attributes": [
"UserId",
"GameTitle",
"Wins",
"Losses",
"TopScore",
"TopScoreDateTime"
]
},
"StringEqualsIfExists": {
"dynamodb:Select": "SPECIFIC_ATTRIBUTES"
}
}
}
]}
So my main requirement is to get custom user pool attribute in IAM policy through cognito. How is that possible?
回答1:
This is not possible. It would require IAM roles to be able to identify custom attributes from any cognito user pool. It's an interesting feature though, will discuss it with the team.
However, as an alternative you can look at Cognito identities and role base access control
http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html
来源:https://stackoverflow.com/questions/43515393/cognito-user-pool-custom-attribute-in-iam-policy-conditions-with-dynamodb-fine-g