1
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 1 year has passed since last update.

S3に、Cognitoの認証ユーザ別のフォルダを用意し、アクセス制限をかける方法

Last updated at Posted at 2023-03-17

設定

IDプールがクライアントに渡すロールのポリシー設定を下記のようにすると、"IDプールが発行するID名のフォルダ" 配下にしかアクセスできなくなる。

※フォルダという表現は正確ではないけど、良い言い方がないので・・

CognitoのIDプールが渡すロールのポリシー設定

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::backetname/${cognito-identity.amazonaws.com:sub}/*"
        }
    ]
}

クライアント側でのID取得方法(Amplify想定)


const currentCredentials = await Auth.currentCredentials();
const identityId = currentCredentials.identityId;

// 取得されるIDは下記の形式(リージョン以降は、ユーザプールの sub 属性の値)
// ap-northeast-1:12345678-abcd-1234-abcd-12345678abcd

結果

↓のパスにしかアクセスできない。
bucketname/ap-northeast-1:12345678-abcd-1234-abcd-12345678abcd/

アクセスできる例:
bucketname/ap-northeast-1:12345678-abcd-1234-abcd-12345678abcd/aaaa.txt
bucketname/ap-northeast-1:12345678-abcd-1234-abcd-12345678abcd/bbbb.txt

アクセスできない例:
bucketname/ap-northeast-1:98765432-zzzz-zzzz-zzzz-12345678abcd/aaaa.txt

参考

1
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
1
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?