
Goals:

  • Limit uploads to a specific set of subdirectories, which helps the backend identify the reason for the upload: /avatar/..., /cover/...
  • Have a way to identify the upload's Cognito user
  • Prevent other users from overriding content in this user's subfolder

With that in mind, I can't figure out how to limit the user's ability to upload only to a subfolder with a name derived from the user's Cognito sub identifier, or any other string from which I can identify and fetch the user from the Cognito pool.

Example: avatar/${aws:cognito-sub}/filename

I found aws:userid in the docs, but it refers to:

role id:caller-specified-role-name

where role id is the unique ID of the role and caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRoleWithWebIdentity request.

More context: the upload is handled in a Lambda. The Lambda transforms the image, but then needs to save the transformations in a different S3 bucket and reference them to the user inside DynamoDB.

Daniel Birowsky Popeski
  • If you use Cognito then you can do this (I think). You can mention resources in Cognito roles with the Cognito sub as a parameter. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html – agent420 Nov 22 '17 at 13:50
  • @agent420 the Cognito sub parameter in the policy sadly refers to the group-of-users federated identity instead of the user sub – Kliment Nov 22 '17 at 14:02
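The per-user prefix scheme discussed in the question and the comments, as an added example that is not part of the original post or of the AWS documentation. It models the bucket-policy shape linked above, in which the resource ARN carries the policy variable ${cognito-identity.amazonaws.com:sub}; that variable expands to the caller's federated identity ID ("<region>:<uuid>"), which is what the second comment refers to, not the user pool sub. The bucket name, the sample identity IDs and the identity-ID regex are assumptions made for the example; the matcher reproduces only IAM's "*" and "?" wildcard rules, not the full policy language.

```python
import re

# Added example, not code from the question or from the AWS docs.
BUCKET = "example-upload-bucket"          # assumption: illustrative bucket name
UPLOAD_KINDS = ("avatar", "cover")        # the allowed top-level prefixes from the question
IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"

# Constructed policy in the shape of the documented Cognito/S3 example: one
# resource per upload kind, each scoped to the caller's own identity-ID folder.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/{kind}/{IDENTITY_VAR}/*" for kind in UPLOAD_KINDS],
    }],
}

# Constructed identity IDs for two different callers (assumed "<region>:<uuid>" layout).
IDENTITY_A = "us-east-1:11111111-2222-3333-4444-555555555555"
IDENTITY_B = "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
IDENTITY_ID_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def _arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' matches any run of characters (including '/'), '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def is_put_allowed(policy, identity_id, bucket, key):
    """Evaluate s3:PutObject on `key` with the policy variable expanded for the caller
    `identity_id`: an explicit Deny wins, otherwise any matching Allow grants."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        if "s3:PutObject" not in stmt["Action"]:
            continue
        for resource in stmt["Resource"]:
            if _arn_matches(resource.replace(IDENTITY_VAR, identity_id), arn):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def parse_upload_key(key):
    """Lambda-side check on an uploaded key of the form <kind>/<identity-id>/<filename>.
    Returns (kind, identity_id, filename) or raises ValueError. The identity-ID segment
    is the only trustworthy link to the caller, because the policy, not the client,
    fixed it; everything after it is client-chosen and must be treated as untrusted."""
    parts = key.split("/", 2)
    if len(parts) != 3:
        raise ValueError(f"unexpected key layout: {key!r}")
    kind, identity_id, filename = parts
    if kind not in UPLOAD_KINDS:
        raise ValueError(f"unknown upload kind: {kind!r}")
    if not IDENTITY_ID_RE.match(identity_id):
        raise ValueError(f"malformed identity id: {identity_id!r}")
    # Reject nested names: "avatar/<id>/../<other-id>/x" is a legal S3 key that an
    # os.path-style normaliser downstream would turn into another user's folder.
    if not filename or "/" in filename or filename in (".", ".."):
        raise ValueError(f"bad filename component: {filename!r}")
    return kind, identity_id, filename


def key_is_well_formed(key):
    """Boolean wrapper around parse_upload_key for callers that only need accept/reject."""
    try:
        parse_upload_key(key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key in (f"avatar/{IDENTITY_A}/me.png", f"avatar/{IDENTITY_B}/me.png",
                f"docs/{IDENTITY_A}/me.png", f"avatar/{IDENTITY_A}/../{IDENTITY_B}/x"):
        print(key, "put:", is_put_allowed(POLICY, IDENTITY_A, BUCKET, key),
              "well-formed:", key_is_well_formed(key))
```

Because the identity ID rather than the user pool sub lands in the key, the Lambda still needs a mapping from identity ID to the application's user record (for example a DynamoDB item written when the identity is first seen); the parser above only guarantees that the folder it extracts is the one IAM pinned to the uploader.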

0 Answers