2 Answers
1
@jai, if you have an attribute custom:abc and it's a part of the identity token, you can reference its value via principal.custom.abc in policies. Please let me know if you have any additional questions!
answered 6 months ago
0
Take a look at the Cognito JWT Deep Dive workshop for an example (you can run this in your own AWS account to see it live). 2a: Token Generation shows custom attributes, and 5a: Amazon Verified Permissions dives deeper into Amazon Verified Permissions integration.

The custom:user_id and custom:tenant_id attributes are used in the policy below:
    permit (
      principal,
      action == JWTWorkshop::Action::"readObjects",
      resource in JWTWorkshop::S3Bucket::"${BUCKET_NAME}"
    )
    when { principal.token_use == "id" }
    when { resource.tags.tenant == principal.custom.tenant_id }
    when {
      if resource.tags has owner
      then resource.tags.owner == principal.custom.user_id
      else true
    };
Since strict validation with a schema was enabled, the CognitoUser used for the principal in the entityTypes includes custom as a Record with tenant_id and user_id attributes:

    "CognitoUser": {
      "memberOfTypes": ["CognitoUserPool"],
      "shape": {
        "type": "Record",
        "attributes": {
          "token_use": { "type": "String" },
          "jti": { "type": "String" },
          "custom": {
            "type": "Record",
            "attributes": {
              "tenant_id": { "type": "String" },
              "user_id": { "type": "String" },
              "tenant_admin": { "type": "String" }
            }
          }
        }
      }
    }
answered 6 months ago
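The validation error in the comments below comes from a policy dereferencing principal.custom.* while the schema's CognitoUser shape has no Record named custom. The following added example (constructed here, not the workshop's or AWS's code) reproduces that check locally: it extracts every principal.<attr> path the answer's policy uses and walks the entity shape to see which ones are undeclared. The BROKEN_SHAPE, which flattens the Cognito attribute names into the top level, is an assumed illustration of the asker's situation.

```python
# Added pre-flight check, not the workshop's or AWS's code: confirm that the
# CognitoUser entity shape declares every principal.<attr> path the Cedar policy
# dereferences, which is what "Attribute not found in record or entity custom" reports.
import re

# Policy from the answer above; ${BUCKET_NAME} is the workshop's own placeholder.
POLICY = """
permit (
  principal,
  action == JWTWorkshop::Action::"readObjects",
  resource in JWTWorkshop::S3Bucket::"${BUCKET_NAME}"
)
when { principal.token_use == "id" }
when { resource.tags.tenant == principal.custom.tenant_id }
when { if resource.tags has owner then resource.tags.owner == principal.custom.user_id else true };
"""

# Constructed shapes. BROKEN flattens the Cognito attribute names into the top
# level, so principal.custom.* resolves nothing; FIXED nests them in a Record
# named "custom", as the answer's schema does.
BROKEN_SHAPE = {"type": "Record", "attributes": {
    "token_use": {"type": "String"},
    "custom:tenant_id": {"type": "String"},
    "custom:user_id": {"type": "String"}}}
FIXED_SHAPE = {"type": "Record", "attributes": {
    "token_use": {"type": "String"}, "jti": {"type": "String"},
    "custom": {"type": "Record", "attributes": {
        "tenant_id": {"type": "String"}, "user_id": {"type": "String"},
        "tenant_admin": {"type": "String"}}}}}

# "principal" followed by one or more .identifier segments; bare "principal" in
# the scope is not an attribute access and is skipped.
ATTR_REF = re.compile(r"\bprincipal((?:\.[A-Za-z_]\w*)+)")

def principal_paths(policy):
    """Every principal.<a>.<b>... attribute path the policy dereferences."""
    return {tuple(m.group(1)[1:].split(".")) for m in ATTR_REF.finditer(policy)}

def missing_attributes(policy, shape):
    """Dotted principal paths that the entity shape does not declare."""
    missing = []
    for path in sorted(principal_paths(policy)):
        node = shape
        for part in path:
            # Only a Record can be dereferenced further; a String has no attributes.
            attrs = node.get("attributes", {}) if node.get("type") == "Record" else {}
            if part not in attrs:
                missing.append("principal." + ".".join(path))
                break
            node = attrs[part]
    return missing
```

Calling missing_attributes(POLICY, BROKEN_SHAPE) lists both principal.custom paths, while the nested FIXED_SHAPE yields an empty list; the check mirrors what the Verified Permissions validator rejects, so it can run before a policy is created.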
I am getting this error while creating the policy: An error occurred Error: Validation error on policy PkFszRqv4vLWWXUqVPe9VG at offset 98-132: Attribute not found in record or entity custom
Updated the answer to reference the schema, which is likely the source of the validation error.
Yeah, it's fine. The problem was the structure of the custom attributes in the schema. Can we implement Cognito groups for authorization purposes in Verified Permissions?