amplify-js
Item-level access for DynamoDB based on PK and cognito user pool username
Is this related to another service?
DynamoDB, Amplify, API Gateway, Cognito
Describe the feature you'd like to request
Objective: Create a policy that provides item-level access to DynamoDB using a PrincipalTag and the user pool username. Users can access data only if the DynamoDB PK contains the user's username.
Services
- Amplify
- Cognito user-identity pool
- API Gateway
- DynamoDB
- Lambda
Describe the solution you'd like
- Add default mapping in the Identity pool. This will map the user pool attribute to the PrincipalTag which we can use in the Policy condition.
- Create a trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": [
        "sts:TagSession",
        "sts:AssumeRoleWithWebIdentity"
      ]
    }
  ]
}
```
- Create an item-based policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:Get*",
        "dynamodb:BatchGetItem",
        "dynamodb:List*",
        "dynamodb:Describe*",
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-x:xxxxxxxxxx:table/customers-dev",
        "arn:aws:dynamodb:us-east-x:xxxxxxxxxx:table/customers-dev/index/*"
      ],
      "Effect": "Allow",
      "Condition": {
        "ForAllValues:StringLike": {
          "dynamodb:LeadingKeys": "*${PrincipalTag/username}*"
        }
      }
    }
  ]
}
```
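As an added illustration (not code from this request or from Amplify), a small offline evaluator of the Condition block above using IAM's ForAllValues and StringLike semantics; the usernames and partition keys are assumed sample values. It shows that `*${PrincipalTag/username}*` also admits partition keys that merely contain the username, and that ForAllValues evaluates to true when the request carries no `dynamodb:LeadingKeys` at all (Scan does not populate that key), so an exact-match form is evaluated beside it.

```python
import fnmatch
import re

# Matches ${PrincipalTag/<key>} policy variables.
POLICY_VAR = re.compile(r"\$\{PrincipalTag/([^}]+)\}")


def resolve_vars(pattern: str, principal_tags: dict) -> str:
    """Substitute ${PrincipalTag/<key>} with the session tag value."""
    return POLICY_VAR.sub(lambda m: principal_tags[m.group(1)], pattern)


def match(operator: str, value: str, pattern: str) -> bool:
    """StringLike honours * and ?; StringEquals is exact. Both are case-sensitive."""
    if operator == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)
    if operator == "StringEquals":
        return value == pattern
    raise ValueError(f"unsupported operator {operator}")


def for_all_values(operator: str, patterns: list, request_values: list) -> bool:
    """ForAllValues: every request value must match some pattern.
    An absent or empty key (e.g. a Scan, which carries no
    dynamodb:LeadingKeys) makes the condition TRUE, not false."""
    if not request_values:
        return True
    return all(any(match(operator, v, p) for p in patterns) for v in request_values)


def allows(condition: dict, principal_tags: dict, leading_keys) -> bool:
    """Evaluate a Condition block keyed on dynamodb:LeadingKeys for one request.
    leading_keys is the list of partition keys in the request, or None if absent."""
    for qualified_op, keys in condition.items():
        quantifier, operator = qualified_op.split(":")
        if quantifier != "ForAllValues":
            raise ValueError(f"unsupported quantifier {quantifier}")
        raw = keys["dynamodb:LeadingKeys"]
        patterns = [resolve_vars(p, principal_tags)
                    for p in (raw if isinstance(raw, list) else [raw])]
        if not for_all_values(operator, patterns, leading_keys or []):
            return False
    return True


# The condition exactly as written above, and an exact-match alternative.
AS_WRITTEN = {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": "*${PrincipalTag/username}*"}}
EXACT = {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["${PrincipalTag/username}"]}}

if __name__ == "__main__":
    tags = {"username": "bob"}  # constructed sample session tag
    print(allows(AS_WRITTEN, tags, ["bob"]), allows(AS_WRITTEN, tags, ["bobby"]),
          allows(AS_WRITTEN, tags, None), allows(EXACT, tags, ["bobby"]))
```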
Describe alternatives you've considered
Need to be able to add a policy that allows access to items in DynamoDB based on the Cognito user pool username.
Additional context
```
Error: ClientError: An error occurred (AccessDeniedException) when calling the Query operation ... is not authorized to perform: dynamodb:Query on resource .... because no identity-based policy allows the dynamodb:Query action
```