我可以在 S3 存储桶策略中使用 Cognito 用户池组吗? [英] Can I use the Cognito User Pool Group in S3 Bucket policies?
问题描述
所以我只阅读了一半的互联网,我认为我对所有可能的东西都有很好的把握.不过对于我的用例,我仍然有一个问题.
So I just read half the internet and I think I have a pretty good grab on everything that is possible. I still have one issue though for my use-case.
我的要求:我有在 Cognito 中管理的用户,这些用户所在的组目前仅在我的应用程序中管理.我只想向群组成员提供对 S3 存储桶的访问权限.
My requirements: I have users that are managed in Cognito, those users are in groups that are currently only managed in my application. I want to provide access to a S3 bucket only to members of the group.
据我所知,我可以做的是在 Cognito 中管理这些组,向该组添加一个 IAM 角色,然后设置一个设置权限的存储桶策略.
From what I understand what I could do is to manage these Groups also in Cognito, add a IAM Role to that Group and then have a bucket policy that set's the permission.
根据本文档,我可以使用${cognito-identity.amazonaws.com:sub} 以确保给定用户只能访问 S3 中的这个子文件夹".文档很少,但除了 sub 外,显然只有 aud 和 amr 对我来说都没有帮助.
According to this documentation I can use ${cognito-identity.amazonaws.com:sub} to make sure that a given user only has access to this "subfolder" in S3. The docs are sparse, but besides sub there is apparantly only aud and amr which are both not helpful in my case.
网络上有很多关于细粒度权限的内容,但没有关于组级别权限的内容.显然群组是较新的 Cognito 功能,但只能用于分配 IAM 角色,而不能用于分配生态系统中的其他功能?
There is a lot of stuff about fine grained permissions on the Web, but nothing on group level permissions. Apparently groups are a newer Cognito feature but that can only used to assign IAM Roles and nothing else in the eco-system?
推荐答案
显然没有真正的解决方案.我们现在使用混合方法,使用 Cognito 方式允许每个用户写入权限和每个(自定义)组预签名 S3 链接以允许读取访问.这样我们就必须在应用程序中管理读取访问权限,但这至少比手动完成所有操作要容易.
Apparently there is no real solution. We now work with a hybrid approach, using the Cognito way to allow per user write permissions and per (custom) group presigned S3 links to allow read access. This way we have to manage the read access in the application, but that's at least easier than doing it all manually.
这篇关于我可以在 S3 存储桶策略中使用 Cognito 用户池组吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
