Using nodejs i need to have a function which when called creates a new IAM user and and gives them access to the specific s3 object that has been created for them, no one else other than them should have access to the object. I have cognito users and need to give them their own IAM user which can then only access their s3 object.
At the moment I keep receiving the error of invalidclienttokenid, but im unsure as to what this token is and how i can set it programatically. Is this the cognito tokenid returned from logging in? if so how does this relate to trying to create new s3 object and IAM user. Any help at all would be greatly appreciated!!
Related
"userIdentity":{
"principalId":"Amazon-customer-ID-of-the-user-who-caused-the-event"
},
How I can convert the principal id, which is available with S3 Event Notification, into the user Name which is responsible for the action?
I couldn't find how to do this either. I ended up sending the sub from user attributes as part of the object key. Then you have access to the sub in the event notification.
It's mind-boggling why the IAM console UI does not show this nor allow for searching.
Have to use the AWS CLI to pull out these info.
aws iam list-users
I am using amplify auth and have a table in documentdb managing user profile information. I want to be able to create a document in dynamodb on signup with the cognitoIdentityId as a field so I can query for it later.
I was hoping I could handle this in a trigger on the cognito pool but I cannot get access to the identity inside my lambda function as it doesn't appear to be on the event.
Is it possible to get access to the id so I can create my document on the trigger or is there a better way to achieve this?
I have an S3 bucket which is by default private.
Now I want to implement access control on the objects of this bucket.
For example, if bucket has three objects A, B, C then object A, B could be public and object C could be private.
It should be possible to make the public object private and vice-versa from the application. The private objects will be accessible by selected application users only and public objects will be accessible by everyone.
Is there any way to implement it?
So far I have looked into object tagging. But I am not entirely sure if it applies in my situation.
You are correct that objects in Amazon S3 are private by default.
You can then grant access via several methods:
Set the Access Control List (ACL) on an individual object to make it Public (or set it back to being Private)
Create a Bucket Policy to grant access to a whole bucket, or a path within a bucket
Add a policy to an IAM User to allow that user access to all/part of an Amazon S3 bucket
Create Pre-signed URLs to grant time-limited access to a private object
So, you can certainly make specific objects Public and then change them to Private by using ACLs.
To make particular objects accessible to particular users, you should use Pre-Signed URLs. They work as follows:
Users authenticate to your application
When a user wishes to access a private object, the application is responsible for determining whether they are permitted to access it
If so, then the application generates a pre-signed URL. It only takes a few lines of code and does not require an API call to S3.
The application then provides the pre-signed URL just like any other link, such as putting it in an <a> tag, or in an <img> tag. The object will be accessible for a limited time duration just like any other resource on the Internet.
Once the duration has expired, the URL will no longer work (Access Denied)
This way, your application is totally in control of who can access which objects and authorized users can access the objects directly from Amazon S3. Also, the application users do not require AWS-specific logins; they would authenticate to your application.
See: Share an Object with Others - Amazon Simple Storage Service
Can you some one guide me how to setup an event notification for object level permission change.Currently notification available for read,write,delete etc..
But I am looking to setup a email trigger if some one changed access permission in an s3 object inside a bucket.
There are two ways to deal with this kind of concern:
Proactive: write IAM policies that prevent users from putting object
with public access
Reactive: use CloudWatch Events to detect issues and respond to them (see blog post)
I am testing S3 calls using DHC REST client in Chrome. In these tests, the Authorization is all based on my root user credentials.
I can do a GET with //mybucket.s3.amazonws.com, and a list of the items in mybucket is returned.
If I add an item to retrieve (//mybucket.s3.amazonws.com/myitem), I always get 403 Forbidden.
I thought that the root user had automatic access to the objects, but am I wrong about that?
I took screen prints of both tests, which I'll supply if needed.
After some further monkeying around, I found my answer. Yes, the AWS root user can access individual items. But the Authorization header string changes. When you retrieve an object, that object's key participates in the calculation of the auth string. Thus, the same string used to retrieve the bucket list does not work when retrieving an object.