We are writing an image sharing app using Cognito for identity management and S3 for object storage. When a user uploads an image, they can set the image permission to private, public or friend, where friend is a set of the app's users.
Setting the access control on an S3 object seems clear when it’s simply private or public (e.g. using Canned ACLs). However, it is unclear how we can make an object be accessible to only a group of Cognito identities.
We have looked at tags, metadata and bucket policies. Tags and bucket policies are only bucket level and we want them object-level. Metadata can be set for individual objects; however, I don't think we can set metadata as a condition inside a Cognito role. Is there a way we can do this?
It seems the crux of the problem is that there is no way we can create sub-groups of Cognito identities and assign these groups access to a resource.
Any help would be greatly appreciated.
tl;dr How can we make an S3 object be accessible to only a group of Cognito identities?
Unfortunately, Cognito does not have a way to allow access to an arbitrary, fluid group of IDs. The only way that a group of IDs can be given access, as of now, is what was described in this blog, which requires the IDs to be hardcoded into the role:

    "Condition": {
        "StringEquals": {
            "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-dead-beef-cafe-123456790ab",
            "cognito-identity.amazonaws.com:sub": [
                "us-east-1:12345678-1234-1234-1234-123456790ab",
                "us-east-1:98765432-1234-1234-1243-123456790ab"
            ]
        }
    }
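To make the hardcoded-ID approach from the answer concrete, here is an added Python example (it is not code from the question, the answer, or the blog the answer refers to). It generates one per-object `s3:GetObject` statement in the shape shown above for a set of friend identity IDs, checks it against a simplified model of how IAM evaluates `StringEquals` (a list of values means any-of, every condition key must match), and measures the result against IAM's 10,240-character quota for an inline role policy. The bucket name, object keys and identity IDs are constructed placeholders, and `is_allowed` only models this one policy shape, not full IAM evaluation (no explicit denies, no wildcards).

```python
import json

# Constructed placeholders; none of these refer to real AWS resources.
IDENTITY_POOL_ID = "us-east-1:12345678-dead-beef-cafe-123456790ab"
BUCKET = "example-image-bucket"

# IAM quota for an inline policy attached to a role (whitespace is not counted).
INLINE_ROLE_POLICY_MAX_CHARS = 10240


def friends_only_statement(object_key, friend_identity_ids,
                           identity_pool_id=IDENTITY_POOL_ID, bucket=BUCKET):
    """One Allow statement: s3:GetObject on a single object, restricted to a
    fixed set of Cognito identity IDs from one identity pool."""
    return {
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}/{object_key}"],
        "Condition": {
            "StringEquals": {
                # Binds the statement to one identity pool.
                "cognito-identity.amazonaws.com:aud": identity_pool_id,
                # A list of values under StringEquals is matched as any-of.
                "cognito-identity.amazonaws.com:sub": sorted(friend_identity_ids),
            }
        },
    }


def build_policy(shares, identity_pool_id=IDENTITY_POOL_ID, bucket=BUCKET):
    """shares: mapping of object key -> iterable of friend identity IDs.
    Every share change means regenerating and re-attaching this document."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            friends_only_statement(key, ids, identity_pool_id, bucket)
            for key, ids in shares.items()
        ],
    }


def is_allowed(policy, identity_pool_id, identity_id, bucket, object_key):
    """Simplified evaluator for the policy shape produced above: an Allow
    statement matches when the action and resource match and every
    StringEquals key matches one of its listed values."""
    resource = f"arn:aws:s3:::{bucket}/{object_key}"
    request_context = {
        "cognito-identity.amazonaws.com:aud": identity_pool_id,
        "cognito-identity.amazonaws.com:sub": identity_id,
    }
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if "s3:GetObject" not in statement["Action"]:
            continue
        if resource not in statement["Resource"]:
            continue
        conditions = statement["Condition"]["StringEquals"]
        if all(
            request_context.get(key) in ([values] if isinstance(values, str) else values)
            for key, values in conditions.items()
        ):
            return True
    return False


def policy_chars(policy):
    """Approximate IAM's size accounting by serialising without whitespace."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_inline_role_quota(policy):
    return policy_chars(policy) <= INLINE_ROLE_POLICY_MAX_CHARS


if __name__ == "__main__":
    demo = build_policy({
        "uploads/alice/cat.jpg": {
            "us-east-1:aaaaaaaa-1111-1111-1111-111111111111",
            "us-east-1:bbbbbbbb-2222-2222-2222-222222222222",
        },
    })
    print(json.dumps(demo, indent=2))
    print("chars:", policy_chars(demo), "fits:", fits_inline_role_quota(demo))
```

The policy grows by one statement per shared object, and each statement carries the full friend list, so `fits_inline_role_quota` is the check to run before attaching it: with identity IDs of around 45 characters each, a few hundred object/friend pairs exhaust the quota, which is the practical reason the answer calls this approach workable only for a fixed, small set of IDs.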