是否可以基于Cognito ID指定AWS DynamoDB策略？ [英] Can I specify an AWS DynamoDB policy based on Cognito ID?

问题描述

我可以将策略应用于AWS DynamoDB表，但根据访问它的用户的Cognito ID对其进行限制吗？

Can I apply a policy to an AWS DynamoDB table but restrict it based on the Cognito ID of the user accessing it?

例如。客户表的主哈希键等于Cognito ID。当除拥有相同ID的用户以外的任何人尝试获取该物品时，他们将收到未经授权的例外。

E.g. A Customer table has a primary hash key equal to the Cognito ID. When anyone but the user sharing the same ID tries to get the item they will receive an unauthorised exception.

（非DynanoDB策略也可能有效。）

(Non DynanoDB policies are probably also valid.)

推荐答案

您应该能够使用与使用ID提供程序。您应使用Cognito标识符作为政策：

You should be able to do something like this using the same techniques as those for using an ID Provider. You should use the Cognito identifier as the key in the policy:

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query"
      ],
      "Resource": ["arn:aws:dynamodb:REGION:123456789012:table/UserData"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}
    }
  }]
}

这篇关于是否可以基于Cognito ID指定AWS DynamoDB策略？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！