
I am working with Amazon Cognito and S3. I want each user to have their "own" directory in S3 (tutorial example). So I have set up the following policy (following this example https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::sg-cognito-s3-bucket-test"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "users"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::sg-cognito-s3-bucket-test/users/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::sg-cognito-s3-bucket-test/users/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}

The problem is that I get ACCESS DENIED for listing and uploading.

But when I update the second rule like this:

"Resource": [
    "arn:aws:s3:::sg-cognito-s3-bucket-test/users",
    "arn:aws:s3:::sg-cognito-s3-bucket-test/users/*"
]

I can upload a file.

This is how I am doing the listing and uploading:

// List the bucket (note: no Prefix parameter is passed)
s3.listObjects({
    Bucket: AppComponent.S3_BUCKET
}, function (err, data) {
});

// Upload a test file under the user's prefix
s3.putObject({
    Bucket: AppComponent.S3_BUCKET,
    Key: 'users/' + sub + '/' + 'test.txt',
    Body: 'hello, i am: ' + sub
}, function (error, resp) {
});

Thank you very much!

  • Couple of questions. How are you creating your credentials provider for s3? How are you setting sub, is it the cognito identity id? – perpil Oct 06 '17 at 00:15
  • I have used this https://github.com/aws/amazon-cognito-identity-js - the user is redirected to the Amazon-hosted login page and then back (I have also tried a "silent" login without redirect). I am not setting sub in any way - ehm, should I? Thanks – Mato.Duris Oct 06 '17 at 20:18
  • You must get the sub in order to create the object key (the sub variable in your code). How are you getting this value? Can you paste the line of code? – Daniel Ribeiro Dec 22 '17 at 21:24
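As an added illustration (not part of the question, and not the AWS SDK or AWS's real policy evaluator), the toy evaluator below models how IAM applies the two statements from the question to the calls in the question: the `${cognito-identity.amazonaws.com:sub}` variable is replaced by the caller's Cognito identity id (the constructed value `ME` here), Resource ARNs are wildcard-matched, and the `s3:prefix` StringLike condition is only satisfiable when the request actually carries a prefix.

```javascript
// Toy model (hypothetical, not the AWS SDK or AWS's evaluator) of how the
// two statements from the question are evaluated: variable substitution,
// wildcard Resource matching, and the s3:prefix StringLike condition.
const BUCKET = 'arn:aws:s3:::sg-cognito-s3-bucket-test';
const SUB_VAR = '${cognito-identity.amazonaws.com:sub}';

// The policy from the question, reduced to plain data.
const policy = [
  { actions: ['s3:ListBucket'], resources: [BUCKET], prefixLike: ['users'] },
  { actions: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject'],
    resources: [BUCKET + '/users/' + SUB_VAR, BUCKET + '/users/' + SUB_VAR + '/*'] },
];

// IAM-style matching: '*' matches any run of characters, '?' one character,
// everything else is literal and case-sensitive.
function wildcardMatch(pattern, value) {
  const body = pattern.split('').map(c =>
    c === '*' ? '.*' : c === '?' ? '.' : c.replace(/[.+^${}()|[\]\\]/g, '\\$&')
  ).join('');
  return new RegExp('^' + body + '$').test(value);
}

// `identityId` is the value AWS substitutes for SUB_VAR: the caller's Cognito
// identity id (the identity-pool id, not the user-pool 'sub' claim). Returns
// true only if some statement allows the request; this policy has no denies.
function isAllowed(policy, req, identityId) {
  return policy.some(stmt => {
    if (!stmt.actions.includes(req.action)) return false;
    const resources = stmt.resources.map(r => r.split(SUB_VAR).join(identityId));
    if (!resources.some(r => wildcardMatch(r, req.resource))) return false;
    if (!stmt.prefixLike) return true;
    // StringLike on a key the request does not carry evaluates to false, so a
    // listObjects call with no Prefix parameter never satisfies this statement.
    if (req.prefix === undefined) return false;
    return stmt.prefixLike.some(p => wildcardMatch(p, req.prefix));
  });
}

// Constructed sample identity id in the shape Cognito Identity issues.
const ME = 'eu-west-1:11111111-2222-3333-4444-555555555555';

// Constructed requests mirroring the calls in the question. The last one is
// what 'users/' + sub + '/test.txt' becomes when `sub` was never assigned.
const listNoPrefix = { action: 's3:ListBucket', resource: BUCKET };
const listMyPrefix = { action: 's3:ListBucket', resource: BUCKET, prefix: 'users/' + ME + '/' };
const putMyKey = { action: 's3:PutObject', resource: BUCKET + '/users/' + ME + '/test.txt' };
const putUndefined = { action: 's3:PutObject', resource: BUCKET + '/users/undefined/test.txt' };
```

Running the four requests through `isAllowed` shows that only `putMyKey` is allowed: the listing fails with or without a prefix because `StringLike: "users"` matches the literal string `users` only, and the upload fails whenever the key is not built from the identity id that AWS substitutes for the variable.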
