# help
c
Hi all, a query related to S3 access authorization. We can use the UUID in the Identity pool for restricting access to one's own folder. What if, in an application, we need users to share S3 objects with each other? Like, the object is in my folder, but I have shared this object with another user. So when the other user logs in, he should be able to access the object. How do we write the IAM role in this case?
s
Two ways to go about this, depending on the type of policy you use. Assuming your user is going to share access to a single item, you could add a resource policy to the item in the S3 bucket. The resource policy would allow someone with the specific Cognito ID to read that item. This is not as invasive as modifying the assumed policy of a federated identity. The alternative approach is to change the role of the user you give access to (share with). This is modifying the assumed role of that federated identity. You would have a condition that they can access theirs, and another user's specific s3:prefix. I think this way becomes very complex, very quickly. So with the first option you could have a share API call that says: if the user who invoked this API endpoint is the owner of this item, then allow them to set that item's resource policy to also allow reads from a Cognito identity with a specific UUID. You can make use of conditions for the resource policy, I believe: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String
A third, perhaps simplest, option looks like using tags on the S3 object itself. Then allow all users to read/write to their subfolder, and have another policy for read-only access to all S3 objects that are tagged with their Cognito ID. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
c
Thank you Simon. Tags look the simplest one. I would implement it. Though it is limited to only 10 tags, so if the user shares with more than 10 users, that won't work. Regarding the first option of a resource policy, you mean modifying the ACL for the object?
s
Re the first option, yes, that's what I mean. It looks like a resource policy can only apply at the bucket level.