DynamoDB fine-grained access control: is it possib

2020-07-22 19:18发布

问题:

My users have Cognito accounts.

According to this article we can restrict access to the DynamoDB API with policy like that:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb: <REGION>:<AWS_ACCOUNT_ID>:table/<TABLE>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

Looks pretty straightforward for my case when index key is email (and primary sort key is utc), so I adjusted example above to this one:

    {
        "Effect": "Allow",
        "Action": "dynamodb:UpdateItem",
        "Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito-identity.amazonaws.com:email}"
                ],
                "dynamodb:Attributes": [
                    "email",
                    "utc",
                    "updated",
                    "isNew"
                ]
            }
        }

But I keep getting the error AccessDeniedException: User: arn:aws:sts::9876543210:assumed-role/policyname/CognitoIdentityCredentials is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:us-east-1:123456789123:table/history.

I tried my js http call with * permissions and it works, so pitfall only with this policy.

回答1:

${cognito-identity.amazonaws.com:email} is not a valid policy variable. Its not resolving to your users email address.

It is a shame as most developers, like yourself, would find the users email address more intuitive than using cognito-identity.amazonaws.com:sub or cognito-identity.amazonaws.com:aud.

回答2:

In this thread I found that I can use
${cognito-idp.us-east-1.amazonaws.com:sub}
This is not email but in future I can list users with this sub.