aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Item-level access for DynamoDB based on PK and cognito user pool username #10800

Open ermrg opened 1 year ago

ermrg commented 1 year ago

Is this related to another service?

DynamoDB, Amplify, API Gateway, Cognito

Describe the feature you'd like to request

Objective: Create a Policy to provide item-level access to the dynamodb using PrincipalTag and User Pool username. Users can access data only if the PK of dynamodb contains the User’s username.

Services: Amplify, Cognito user-identity pool, API Gateway, DynamoDB, Lambda

Describe the solution you'd like

1. Add default mapping in the Identity pool. This will map the user pool attribute to the PrincipalTag which we can use in the Policy condition.

   [Screenshot from 2022-12-21 10-54-28 of the identity pool mapping described in step 1]

2. Create a trust policy

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ]
        }
    ]
}
```

3. Create an item-based policy

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Get*",
                "dynamodb:BatchGetItem",
                "dynamodb:List*",
                "dynamodb:Describe*",
                "dynamodb:Scan",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-x:xxxxxxxxxx:table/customers-dev",
                "arn:aws:dynamodb:us-east-x:xxxxxxxxxx:table/customers-dev/index/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "ForAllValues:StringLike": {
                    "dynamodb:LeadingKeys": "*${PrincipalTag/username}*"
                }
            }
        }
    ]
}
```

Describe alternatives you've considered

Need to be able to add a policy that will allow items in dynamodb based on Cognito user pool username

Additional context

Error: ClientError: An error occurred (AccessDeniedException) when calling the Query operation ... is not authorized to perform: dynamodb:Query on resource .... because no identity-based policy allows the dynamodb:Query action
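An added example (not amplify-js code and not from the issue author): a small simulator of how IAM evaluates a `ForAllValues:StringLike` condition on `dynamodb:LeadingKeys`, to check what partition keys a given Cognito session tag actually unlocks. It assumes the policy variable is written in the `${aws:PrincipalTag/username}` form that IAM policy variables use, and uses a constructed session tag `username=ann`; it contrasts the wrapped wildcard pattern from the policy above with an exact-match pattern.

```javascript
// Expand IAM policy variables of the form ${aws:PrincipalTag/<key>} from the
// session tags that the identity pool attached via sts:TagSession.
function expandPolicyVariables(pattern, principalTags) {
  return pattern.replace(/\$\{aws:PrincipalTag\/([^}]+)\}/g, (_, key) => {
    if (!(key in principalTags)) throw new Error(`session tag "${key}" not present`);
    return principalTags[key];
  });
}

// StringLike semantics: '*' matches any run of characters, '?' matches one,
// everything else (including characters taken from the tag value) is literal.
function stringLike(pattern, value) {
  const body = pattern
    .split('')
    .map((ch) =>
      ch === '*' ? '.*' : ch === '?' ? '.' : ch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('');
  return new RegExp(`^${body}$`).test(value);
}

// ForAllValues: every key in the request must match at least one pattern.
// Caveat: an empty key set evaluates to true, so a condition that must bind
// access to the caller's own keys should not rely on it for keyless requests.
function forAllValuesStringLike(patterns, requestKeys, principalTags) {
  const expanded = patterns.map((p) => expandPolicyVariables(p, principalTags));
  return requestKeys.every((k) => expanded.some((p) => stringLike(p, k)));
}

// Decide whether a Query whose KeyConditionExpression pins `leadingKeys`
// passes the policy's dynamodb:LeadingKeys condition for this principal.
function isQueryAllowed(conditionPatterns, leadingKeys, principalTags) {
  return forAllValuesStringLike(conditionPatterns, leadingKeys, principalTags);
}

// The pattern from the policy above (with the aws: prefix) and an exact-match alternative.
const SUBSTRING_CONDITION = ['*${aws:PrincipalTag/username}*'];
const EXACT_CONDITION = ['${aws:PrincipalTag/username}'];

// Constructed session tag, as the identity pool mapping would attach it.
const SESSION_TAGS = { username: 'ann' };

// The substring form also admits any other user's partition key that contains "ann".
console.log(isQueryAllowed(SUBSTRING_CONDITION, ['joanna'], SESSION_TAGS)); // true
console.log(isQueryAllowed(EXACT_CONDITION, ['joanna'], SESSION_TAGS)); // false
```

Run with `node`; the two printed lines show that only the exact-match pattern confines a user to partition keys equal to their own username.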

anacierdem commented 1 year ago

I was unable to achieve the same thing. Tried both AWS_IAM and AMAZON_COGNITO_USER_POOLS authentication but for some reason the PrincipalTag is not effective.

brabim-niural commented 1 year ago

I am facing the same. Any update on this issue?

haverchuck commented 1 week ago

Marked as a feature request.