
With the recent release of API Gateway Cognito Custom Authorizers, I'm attempting to use Cognito, API Gateway and S3 together for authenticated access control without Lambdas.

Authorizing with API Gateway works as it should (with Trust Relationships for the API Gateway execution role set correctly), but I can't seem to get the resource policy to capture the Cognito User ID Sub variable for fine-grained access control to S3 resources based on User ID.

Here's the current flow I'm trying to accomplish:

  1. Authenticate with Cognito and get valid token
  2. Send token to API Gateway to gain access to S3 bucket (through AWS Service integration type)
  3. Fine-grained access to only the User ID's directory
  4. Return S3 object (based on API endpoint)

Here's my current resource policy for the API Gateway execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-idp:*",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}

Everything works as it should but this IAM variable (in the policy attached to the API Gateway execution role) doesn't seem to be right.

I came across this StackOverflow article and tried using both formats, us-east-1:xxxx-xxxx-xxxx-xxxx and xxxx-xxxx-xxxx-xxxx, but neither seemed to work. I'm using the sub attribute found in the Cognito User Pool user info. If I hard-code the folder in S3 to the Cognito User ID Sub, it works just fine.

How do I get the Cognito variable to work in the API Gateway's execution role policy?

Here are a couple other articles I found related to the question on the AWS forums:

Cognito IAM variables not working for assumed-role policies

What cognito information can we use as IAM Variables?

1 Answer


That's not the sub that the variable expects. There is no way to use Cognito User Pool attributes in a policy. The sub that you want is the Cognito Identity ID, which is the ID of the user in the Cognito Identity (federated identity) pool. You can get this ID by using the GetId method. I would suggest you store this ID as a custom attribute in your Cognito User Pool so you don't have to keep making the call. You can read more about this identity ID here.

Ninad Gaikwad
  • Thanks for the quick reply @Ninad! That's unfortunate that you can't access user pool attributes in policy. That could save a ton of extra infrastructure. So am I understanding correctly that you cannot access Cognito sub ID without using federated identities? Looks like I'd have to use the `getId` method after authenticating and validating the token I'm assuming. – Chris Diana Feb 24 '19 at 15:13
  • Yes, you'll get the sub ID after authentication. But it doesn't change, so you can save that ID to your Cognito user table as a custom field so next time you can fetch it without GetId. – Ninad Gaikwad Feb 24 '19 at 15:29
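Worked example of what the answer and comments describe, added here; it is not code from the question, the answer, or AWS. It trades the User Pool ID token for the Cognito Identity ID via GetId, checks that the value has the `<region>:<uuid>` shape (a bare User Pool sub does not), caches it in a custom User Pool attribute so GetId runs once per user, and renders the question's Resource ARN with that value substituted for `${cognito-identity.amazonaws.com:sub}`. The region, pool IDs, the attribute name `custom:identity_id` and the `FakeCognito` stand-in are assumptions for an offline run; with real boto3 clients the call shapes are the same.

```python
"""Added example, not code from the question or answer.

Assumed (not in the original post): region us-east-1, user pool
us-east-1_EXAMPLE, identity pool us-east-1:1111...-5555, and a custom
attribute custom:identity_id already declared in the pool schema. Clients are
injected: pass boto3.client("cognito-idp") and boto3.client("cognito-identity")
in production; FakeCognito below is a constructed offline stand-in.
"""
import re
import uuid

# Cognito Identity IDs look like "<region>:<uuid>"; a User Pool "sub" is a bare uuid.
IDENTITY_ID_RE = re.compile(
    r"^[a-z]{2}(?:-[a-z]+)+-\d:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
POLICY_VAR = "${cognito-identity.amazonaws.com:sub}"
CACHE_ATTR = "custom:identity_id"   # assumed custom attribute name


def logins_key(region, user_pool_id):
    """Logins map key for a User Pool provider; the value must be the ID token."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def is_identity_id(value):
    """True for a federated Identity ID, False for a User Pool sub (no region prefix)."""
    return bool(IDENTITY_ID_RE.match(value or ""))


def fetch_identity_id(identity_client, cfg, id_token):
    """GetId: resolve (or create) the Identity ID linked to this User Pool login."""
    resp = identity_client.get_id(
        IdentityPoolId=cfg["identity_pool_id"],
        Logins={logins_key(cfg["region"], cfg["user_pool_id"]): id_token})
    identity_id = resp["IdentityId"]
    if not is_identity_id(identity_id):
        raise ValueError(f"unexpected IdentityId format: {identity_id!r}")
    return identity_id


def cached_identity_id(idp_client, cfg, username):
    """Read the cached value back from the User Pool, or None if not stored yet."""
    user = idp_client.admin_get_user(UserPoolId=cfg["user_pool_id"], Username=username)
    for attr in user["UserAttributes"]:
        if attr["Name"] == CACHE_ATTR:
            return attr["Value"]
    return None


def cache_identity_id(idp_client, cfg, username, identity_id):
    """Store the Identity ID on the user so later requests skip GetId."""
    idp_client.admin_update_user_attributes(
        UserPoolId=cfg["user_pool_id"], Username=username,
        UserAttributes=[{"Name": CACHE_ATTR, "Value": identity_id}])


def resolve_identity_id(idp_client, identity_client, cfg, username, id_token):
    """Cached value if present and well-formed, otherwise GetId followed by caching."""
    cached = cached_identity_id(idp_client, cfg, username)
    if is_identity_id(cached):
        return cached
    identity_id = fetch_identity_id(identity_client, cfg, id_token)
    cache_identity_id(idp_client, cfg, username, identity_id)
    return identity_id


def render_resource(bucket, identity_id):
    """What the question's Resource ARN evaluates to once the variable is filled in."""
    return f"arn:aws:s3:::{bucket}/{POLICY_VAR}/*".replace(POLICY_VAR, identity_id)


class FakeCognito:
    """Constructed offline stand-in for both boto3 clients (same call shapes)."""

    def __init__(self):
        self.attrs = {}        # username -> {attribute name: value}
        self.get_id_calls = 0

    def get_id(self, IdentityPoolId, Logins):
        self.get_id_calls += 1
        key = next(iter(Logins))
        if not key.startswith("cognito-idp."):
            raise ValueError("Logins key must name the User Pool provider")
        region = IdentityPoolId.split(":")[0]
        # The real service assigns a random id; derive a stable one from the token here.
        return {"IdentityId": f"{region}:{uuid.uuid5(uuid.NAMESPACE_URL, Logins[key])}"}

    def admin_get_user(self, UserPoolId, Username):
        attrs = self.attrs.get(Username, {})
        return {"Username": Username,
                "UserAttributes": [{"Name": n, "Value": v} for n, v in attrs.items()]}

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        self.attrs.setdefault(Username, {}).update(
            {a["Name"]: a["Value"] for a in UserAttributes})
        return {}


def demo():
    """Two logins for the same user: GetId runs once, the cache serves the second."""
    cfg = {"region": "us-east-1", "user_pool_id": "us-east-1_EXAMPLE",
           "identity_pool_id": "us-east-1:11111111-2222-3333-4444-555555555555"}
    fake = FakeCognito()
    first = resolve_identity_id(fake, fake, cfg, "chris", "<constructed id token>")
    second = resolve_identity_id(fake, fake, cfg, "chris", "<constructed id token>")
    return first, second, fake.get_id_calls
```

Two details matter in practice: the `Logins` value for a User Pool provider is the ID token, not the access token, and the custom attribute has to exist in the pool schema before `AdminUpdateUserAttributes` will accept it. The string returned by `resolve_identity_id` is the value to put in the S3 key prefix, since that is what `${cognito-identity.amazonaws.com:sub}` compares against, not the User Pool sub.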