amplify-backend
Allow userPool auth flow in S3 storage
Is this related to a new or existing framework?
React
Is this related to a new or existing API?
Authentication, Storage
Is this related to another service?
No response
Describe the feature you'd like to request
So in the Amplify docs, when setting up authentication we can do something like

```ts
export const auth = defineAuth({
  loginWith: {
    email: true,
  },
  groups: ["admin"],
});
```
and to describe our table and allow groups and only own users to access data we can do
```ts
export const data = defineData({
  schema, // Ignore this schema for now;
  // some tables just have owner and group ownership, etc.
  authorizationModes: {
    defaultAuthorizationMode: 'userPool',
  },
});
```
So then, since we are currently using the userPool flow, when setting up S3 we can do something like

```ts
export const storage = defineStorage({
  name: 'camiot1data',
  access: (allow) => ({
    'pics/{entity_id}/*': [
      allow.entity("identity").to(['read', 'write', 'delete']),
      allow.groups(["admin"]).to(['read', 'write', 'delete'])
    ],
  })
});
```
However, this current approach does not align with the application's login flow etc., and since this approach forces identity pool we can't have owned resources together with groups etc. Also, currently when using Authenticator or other Amazon resources to get the logged-in user, we are getting the user pool's user id and not the identity id, so we can't use identity id here.
Describe the solution you'd like
The ideal solution would be to allow the S3 configuration to also use the user pool id as is, and therefore be able to do something like this

```ts
export const storage = defineStorage({
  name: 'camiot1data',
  access: (allow) => ({
    'pics/{user_id}/*': [ // {user_id} just to specify it's our own user's id
      allow.own().to(['read', 'write', 'delete']),
      allow.groups(["admin"]).to(['read', 'write', 'delete'])
    ],
  })
});
```
and when accessing data using the API etc., we can use the logged-in user's permissions etc. to access resources, and non-logged-in users or other users can't access another user's resources. However, users with group permissions can access the data as described.
Describe alternatives you've considered
None. Currently removing security is the fix for me, but I don't like that.
Additional context
No response
Is this something that you'd be interested in working on?
- [ ] 👋 I may be able to implement this feature request
- [ ] ⚠️ This feature might incur a breaking change
Hello, @anthonyhoegberg and thanks for opening this feature request. I'll review this with our team internally, and follow up with any further questions we have or needs for additional context. Thanks!
@anthonyhoegberg Sorry for not getting back on this earlier. This would be a feature request for Amplify backend. However if you are using Amplify JS in your front end, you can construct your path using userSub and pass them along to the storage APIs.
I will re-route this issue to the backend team.
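
The access rule requested in this issue (owner plus `admin` group on `pics/{user_id}/*`), modelled as a default-deny check over user pool token claims. This is an added example, not code from the issue or from Amplify: `RULES`, `splitKey` and `authorize` are hypothetical names, and the claims object is assumed to come from an already signature-verified Cognito user pool token (`sub`, `cognito:groups`). A path that the client builds from `userSub` enforces nothing by itself, so a check of this kind has to run wherever the access decision is made.

```javascript
// Added example: hypothetical names throughout; this is not an Amplify API.
// Access rule from the request: the owner of pics/{user_id}/* and the
// "admin" group may read, write and delete.
const ALL = ['read', 'write', 'delete'];
const RULES = [
  { path: 'pics/{user_id}/*', own: ALL, groups: new Map([['admin', ALL]]) },
];

// Split an object key into segments; reject empty, "." and ".." segments so
// "pics/<me>/../<other>/x" can never be treated as the caller's own prefix.
function splitKey(key) {
  if (typeof key !== 'string' || key.length === 0) return null;
  const segments = key.split('/');
  return segments.some((s) => s === '' || s === '.' || s === '..') ? null : segments;
}

// claims: payload of an already signature-verified Cognito user pool token.
// Returns true only when a rule grants `action` on `key`; default is deny.
function authorize(claims, action, key, rules = RULES) {
  const segments = splitKey(key);
  if (!segments || !claims || typeof claims.sub !== 'string' || !claims.sub) return false;
  const groups = Array.isArray(claims['cognito:groups']) ? claims['cognito:groups'] : [];
  for (const rule of rules) {
    const pattern = rule.path.split('/');
    if (segments.length < pattern.length) continue; // "*" needs at least one segment
    let pathMatch = true;
    let isOwner = false;
    pattern.forEach((part, i) => {
      if (part === '*') return;
      // Whole-segment comparison: sub "u1" must not match the prefix of "u11".
      if (part === '{user_id}') isOwner = segments[i] === claims.sub;
      else if (part !== segments[i]) pathMatch = false;
    });
    if (!pathMatch) continue;
    if (isOwner && rule.own.includes(action)) return true;
    // Map lookup avoids treating a group named "constructor" as a rule entry.
    if (groups.some((g) => (rule.groups.get(g) || []).includes(action))) return true;
  }
  return false;
}
```
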