具有Dynamodb细粒度访问的IAM策略条件中的cognito用户池自定义属性 [英] cognito user pool custom attribute in IAM Policy Conditions with Dynamodb Fine grained access

问题描述

我有一个具有自定义属性Organisation_id的Cognito用户池.一个组织可以有多个用户.可以有多个组织.另一个Dynamodb表用于维护类别，该类别具有_id和Organisation_id作为分区键.类别可以归组织所有，以便属于该特定组织的用户只能在这些类别中执行某些操作.

I have one Cognito User Pool with a custom attribute organisation_id. One Organisation may have multiple users. There can be multiple organisations. Another Dynamodb table is used to maintain Categories which has _id and organisation_id as partition key. Categories can be owned by Organisation so that users belong to that particular Organisation perform some operation in those categories only.

现在，我该如何创建IAM策略，以使其采用organization_id，而不是此处说明的sub/user_id
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

Now, how can I create the IAM policy so that it takes the organisation_id instead of sub/user_id as it is explained here
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowAccessToOnlyItemsMatchingUserID",
        "Effect": "Allow",
        "Action": [
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
            "dynamodb:BatchWriteItem"
        ],
        "Resource": [
            "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
        ],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito:organisation_id(?)}"

                ],
                "dynamodb:Attributes": [
                    "UserId",
                    "GameTitle",
                    "Wins",
                    "Losses",
                    "TopScore",
                    "TopScoreDateTime"
                ]
            },
            "StringEqualsIfExists": {
                "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
            }
        }
    }
]}

因此，我的主要要求是通过cognito在IAM策略中获取自定义用户池属性.那怎么可能?

So my main requirement is to get custom user pool attribute in IAM policy through cognito. How is that possible?

推荐答案

这是不可能的.它将需要IAM角色才能从任何Cognito用户池中识别自定义属性.不过，这是一个有趣的功能，将与团队讨论.

This is not possible. It would require IAM roles to be able to identify custom attributes from any cognito user pool. It's an interesting feature though, will discuss it with the team.

但是，作为替代方案，您可以查看Cognito身份和角色库访问控制

However, as an alternative you can look at Cognito identities and role base access control

http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

这篇关于具有Dynamodb细粒度访问的IAM策略条件中的cognito用户池自定义属性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！