Not able to give a Cognito User access on a certain S3 bucket

Time:01-25

I have a user pool and an Identity pool, where the role I am giving the authenticating users in the identity pool has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:CreateBucket"
            ],
            "Resource": [
                "arn:aws:s3:::testbucket123",
                "arn:aws:s3:::testbucket456",
                "arn:aws:s3:::testbucket987"
            ]
        }
    ]
}

I have created a new role called Role_testbucket456_User_X using Web Identity and added a condition where cognito-identity.amazonaws.com:sub is StringEquals to 8e23d688-1f28-445c-8966-fdcb967c8e3c, and attached to it the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::testbucket456"
        }
    ]
}

Then I have added the Cognito user Y that has the sub 8e23d688-1f28-445c-8966-fdcb967c8e3c to a Cognito User Pool Group called testbucket456_Users.

And then I attached the role Role_testbucket456_User_X to this group testbucket456_Users.

What I am expecting is that none of the Cognito users will have Read/Write access on any S3 bucket, except the user Y that has sub 8e23d688-1f28-445c-8966-fdcb967c8e3c, who should have Read/Write access on the testbucket456 bucket. But that didn't work, unfortunately.

So I have added the following Bucket Policy to the testbucket456 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCognitoUserAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::testbucket456/*"
        },
        {
            "Sid": "AllowCognitoUserAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::testbucket456"
        }
    ]
}

But that still didn't work; I am still getting an Access Denied issue whenever I try to call this method:

const listObjectParams = {
  Bucket: 'testbucket456',
};
s3.listObjects(listObjectParams, (err: any, data: any) => {
  if (err) {
    console.log(err);
    return;
  }
  console.log(data);
  console.log(`Successfully listed objects in `);
});

Note

When I set the testbucket456 bucket's policy to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCognitoUserAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::testbucket456/*"
        },
        {
            "Sid": "AllowCognitoUserAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::testbucket456"
        }
    ]
}

I am then able to access (list objects) the bucket using the Cognito users. I think the issue is with the bucket's policy itself, and in the Principal field specifically.


Possible issues

  • Maybe the authenticated role must have permissions to assume the custom role:
{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}

to be like the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket"
            ],
            "Resource": [
                "arn:aws:s3:::testbucket456"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
        }
    ]
}

Can anybody confirm please?

CodePudding user response:

This answer was the solution: I had to change the default role given to the Cognito users.
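
To see which role a set of Cognito credentials really carries, compare the caller ARN that STS GetCallerIdentity reports with the Principal in the bucket policy. The following is an added example, not code from the question or the answer; it is a simplified matcher (Allow statements only, no conditions), and the default role name and session names in it are constructed assumptions.

```typescript
// Added example, not code from the post. Simplified matcher: Allow statements only,
// no Deny, no Condition keys, and "*" supported only at the end of a Resource.
type Statement = {
  Effect: string;
  Principal: "*" | { AWS: string | string[] };
  Action: string | string[];
  Resource: string | string[];
};
const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// STS reports a role session as arn:aws:sts::<acct>:assumed-role/<role>/<session>,
// while a bucket policy names the role as arn:aws:iam::<acct>:role/<role>.
function roleArnOf(callerArn: string): string | null {
  const m = /^arn:aws:sts::(\d+):assumed-role\/([^/]+)\/.+$/.exec(callerArn);
  return m ? `arn:aws:iam::${m[1]}:role/${m[2]}` : null;
}

function resourceMatches(pattern: string, arn: string): boolean {
  const star = pattern.charAt(pattern.length - 1) === "*";
  return star ? arn.indexOf(pattern.slice(0, -1)) === 0 : pattern === arn;
}

function bucketPolicyAllows(stmts: Statement[], callerArn: string,
                            action: string, resource: string): boolean {
  const role = roleArnOf(callerArn);
  return stmts.some((s) =>
    s.Effect === "Allow" &&
    (s.Principal === "*" || (role !== null && asList(s.Principal.AWS).indexOf(role) !== -1)) &&
    asList(s.Action).indexOf(action) !== -1 &&
    asList(s.Resource).some((r) => resourceMatches(r, resource)));
}

// Bucket policy from the question (role ARN copied from the post).
const GROUP_ROLE = "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X";
const BUCKET = "arn:aws:s3:::testbucket456";
const bucketPolicy: Statement[] = [
  { Effect: "Allow", Principal: { AWS: GROUP_ROLE },
    Action: ["s3:PutObject", "s3:GetObject"], Resource: BUCKET + "/*" },
  { Effect: "Allow", Principal: { AWS: GROUP_ROLE },
    Action: "s3:ListBucket", Resource: BUCKET },
];

// Constructed caller ARNs, as sts:GetCallerIdentity would report them. The default
// role name "Cognito_DefaultAuth_Role" and the session names are hypothetical.
const defaultSession =
  "arn:aws:sts::5555555555555:assumed-role/Cognito_DefaultAuth_Role/CognitoIdentityCredentials";
const groupSession =
  "arn:aws:sts::5555555555555:assumed-role/Role_testbucket456_User_X/CognitoIdentityCredentials";
```

A session of the default authenticated role matches neither statement, so `s3:ListBucket` is denied unless the policy uses `"Principal": "*"`; a session of Role_testbucket456_User_X matches both.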
