IAM 策略条件中的 cognito 用户池自定义属性与 Dynamodb 细粒度访问 [英] cognito user pool custom attribute in IAM Policy Conditions with Dynamodb Fine grained access

问题描述

我有一个带有自定义属性 organization_id 的 Cognito 用户池.一个组织可能有多个用户.可以有多个组织.另一个 Dynamodb 表用于维护具有 _id 和 organization_id 作为分区键的类别.类别可以归组织所有，因此属于该特定组织的用户只能在这些类别中执行某些操作.

I have one Cognito User Pool with a custom attribute organisation_id. One Organisation may have multiple users. There can be multiple organisations. Another Dynamodb table is used to maintain Categories which has _id and organisation_id as partition key. Categories can be owned by Organisation so that users belong to that particular Organisation perform some operation in those categories only.

现在，我如何创建 IAM 策略，以便它采用 organization_id 而不是 sub/user_id，如此处所述
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

Now, how can I create the IAM policy so that it takes the organisation_id instead of sub/user_id as it is explained here
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowAccessToOnlyItemsMatchingUserID",
        "Effect": "Allow",
        "Action": [
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
            "dynamodb:BatchWriteItem"
        ],
        "Resource": [
            "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
        ],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito:organisation_id(?)}"

                ],
                "dynamodb:Attributes": [
                    "UserId",
                    "GameTitle",
                    "Wins",
                    "Losses",
                    "TopScore",
                    "TopScoreDateTime"
                ]
            },
            "StringEqualsIfExists": {
                "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
            }
        }
    }
]}

所以我的主要要求是通过 cognito 获取 IAM 策略中的自定义用户池属性.这怎么可能?

So my main requirement is to get custom user pool attribute in IAM policy through cognito. How is that possible?

推荐答案

这是不可能的.它需要 IAM 角色能够从任何认知用户池中识别自定义属性.不过，这是一个有趣的功能，将与团队讨论.

This is not possible. It would require IAM roles to be able to identify custom attributes from any cognito user pool. It's an interesting feature though, will discuss it with the team.

但是，作为替代方案，您可以查看 Cognito 身份和角色库访问控制

However, as an alternative you can look at Cognito identities and role base access control

http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

这篇关于IAM 策略条件中的 cognito 用户池自定义属性与 Dynamodb 细粒度访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！