I am using Cognito with Facebook login in Unity. I want to use DynamoDB with Cognito credentials. The unauthenticated credential works, but the authenticated credential shows an error:

DynamoDB GetItem Error : User: arn:aws:sts::XXXXXXXXXXX:assumed-role/"my identity pool"/CognitoIdentityCredentials is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-northeast-1:XXXXXXXXXX:table/"table name"

I placed the action "dynamodb:GetItem" in the IAM role; the problem is the Condition of the IAM role. If I delete the Condition in the IAM role, it works. But I want to add a condition for security. Here is the Condition of my IAM role:

    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [
                "${cognito-identity.amazonaws.com:sub}"
            ]
        }
    }

Please tell me what to do. Thanks.

Jade Lee
  • Is the partition key in question your identity id? That condition is saying that they can only access rows where the partition key is equal to that identity id (see http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html) – Jeff Bailey Dec 01 '16 at 20:24
  • Thanks, I deleted Condition for authentication credential to access dynamodb... – Jade Lee Dec 02 '16 at 06:01
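
What the first comment describes, as an added example that is not part of the original question or comments: a simplified Python model of how the `ForAllValues:StringEquals` condition on `dynamodb:LeadingKeys` is matched against the partition keys in a request. The identity ID, the `player_42` key and the function names are constructed for illustration, and this is not AWS's own evaluator.

```python
import re

# Simplified model of the condition in the question; not AWS's own evaluator.
# Only ForAllValues:StringEquals and ${...} policy variables are modelled.
CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
    }
}

# Constructed sample identity ID (Cognito identity IDs look like region:uuid).
IDENTITY_ID = "ap-northeast-1:11111111-2222-3333-4444-555555555555"
CONTEXT = {"cognito-identity.amazonaws.com:sub": IDENTITY_ID}


def resolve(value, context):
    """Replace each ${name} policy variable with its value for this caller."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], value)


def condition_allows(condition, context, request_values):
    """True when every requested value for each key is in the allowed set."""
    for operator, tests in condition.items():
        if operator != "ForAllValues:StringEquals":
            raise ValueError("operator not modelled: " + operator)
        for key, allowed in tests.items():
            allowed_set = {resolve(v, context) for v in allowed}
            requested = request_values.get(key, [])
            if not all(v in allowed_set for v in requested):
                return False
    return True


def get_item_allowed(partition_keys):
    """Partition key values of the requested items, as dynamodb:LeadingKeys."""
    return condition_allows(
        CONDITION, CONTEXT, {"dynamodb:LeadingKeys": partition_keys})


if __name__ == "__main__":
    # Item keyed by the caller's own identity ID: condition matches.
    print(get_item_allowed([IDENTITY_ID]))
    # Item keyed by anything else (constructed value): condition fails.
    print(get_item_allowed(["player_42"]))
    # One matching and one non-matching key in the same request: fails.
    print(get_item_allowed([IDENTITY_ID, "player_42"]))
```

With this condition in place, a GetItem call is authorized only when the partition key value of the requested item is the caller's Cognito identity ID.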
