My app authenticates users through Cognito User Pools, and authorizes S3 requests through a Cognito Identity Pool and attributes for access control to ensure users can only access their own files. The policy attached to authenticated users looks like this:
data "aws_iam_policy_document" "authenticated" {
  statement {
    effect = "Allow"
    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }
    actions = [
      "sts:AssumeRoleWithWebIdentity",
      "sts:TagSession"
    ]
    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = [aws_cognito_identity_pool.users_dev.id]
    }
    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = ["authenticated"]
    }
  }
}

resource "aws_iam_role" "authenticated" {
  name               = "cognito_authenticated"
  assume_role_policy = data.aws_iam_policy_document.authenticated.json
}

data "aws_iam_policy_document" "authenticated_role_policy" {
  statement {
    effect = "Allow"
    actions = [
      "s3:*",
    ]
    resources = [
      "${data.aws_s3_bucket.s3_data_lake_output_bucket.arn}/events/silver_pageviews/team_id=$${aws:PrincipalTag/tenant_id}/*",
    ]
  }
}
This works, and now I'd like to put CloudFront in front of my bucket, but I'm unsure what my best option is. I Googled a bit, and it seems I can either use signed cookies/URLs or use a CloudFront authorization@edge lambda.
Is there an option where I'm able to keep using my principal tags (tenant_id) that are applied to my users' temporary session? Either in an inline policy of a signed cookie/URL or by attaching it to an Origin Access Control?
Useful links:
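The signed-cookie route mentioned in the question can carry the same per-tenant scoping as the S3 policy above: instead of a principal tag, the tenant id is baked into the `Resource` pattern of a CloudFront custom policy, and that policy is signed server-side after the user's Cognito session has been verified. The following Python is an added example, not code from the question or from AWS; the distribution hostname, key-pair id and private key are placeholders, and the tenant id is assumed to come from the already-authenticated session (the same value the S3 policy reads as `${aws:PrincipalTag/tenant_id}`). The RSA signer needs the `cryptography` package; everything else is standard library.

```python
"""Tenant-scoped CloudFront signed cookies (added example, not the poster's code)."""
import base64
import json
import time
from typing import Callable, Dict, Optional

# Constructed placeholders; replace with your distribution and key group values.
DISTRIBUTION_HOST = "dxxxxxxxxxxxxx.cloudfront.net"
KEY_PAIR_ID = "KXXXXXXXXXXXXX"  # id of the public key in the CloudFront key group
SILVER_PREFIX = "events/silver_pageviews"  # same prefix the S3 policy scopes to


def tenant_resource_url(tenant_id: str, host: str = DISTRIBUTION_HOST) -> str:
    """Express the IAM policy's per-tenant S3 prefix as a CloudFront URL pattern.

    The tenant id must be a single path segment; anything containing '/', '*'
    or '?' would widen the wildcard beyond the tenant's own prefix.
    """
    if not tenant_id or any(ch in tenant_id for ch in "/*?"):
        raise ValueError("tenant_id must be a single, non-empty path segment")
    return f"https://{host}/{SILVER_PREFIX}/team_id={tenant_id}/*"


def build_custom_policy(resource_url: str, expires_at: int) -> str:
    """Return the compact JSON custom policy (CloudFront wants no whitespace)."""
    policy = {
        "Statement": [
            {
                "Resource": resource_url,
                "Condition": {"DateLessThan": {"AWS:EpochTime": int(expires_at)}},
            }
        ]
    }
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's cookie/URL-safe base64 variant: '+'->'-', '='->'_', '/'->'~'."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded.replace("+", "-").replace("=", "_").replace("/", "~")


def decode_policy(cookie_value: str) -> dict:
    """Reverse cloudfront_b64 on a CloudFront-Policy cookie (useful for checks/tests)."""
    std = cookie_value.replace("-", "+").replace("_", "=").replace("~", "/")
    return json.loads(base64.b64decode(std))


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Build a signer matching CloudFront's requirement: RSA, PKCS#1 v1.5, SHA-1.

    Imported lazily so the rest of the module works without `cryptography`.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


def signed_cookies(
    tenant_id: str,
    sign: Callable[[bytes], bytes],
    ttl_seconds: int = 3600,
    now: Optional[int] = None,
    key_pair_id: str = KEY_PAIR_ID,
) -> Dict[str, str]:
    """Produce the three cookies CloudFront checks for a custom-policy signature."""
    now = int(time.time()) if now is None else now
    policy = build_custom_policy(tenant_resource_url(tenant_id), now + ttl_seconds)
    policy_bytes = policy.encode("utf-8")
    return {
        "CloudFront-Policy": cloudfront_b64(policy_bytes),
        "CloudFront-Signature": cloudfront_b64(sign(policy_bytes)),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }


if __name__ == "__main__":
    # Demo with a stand-in signer; in production pass rsa_sha1_signer(pem_bytes).
    demo = signed_cookies("acme", sign=lambda m: b"demo-signature", ttl_seconds=900)
    print(decode_policy(demo["CloudFront-Policy"])["Statement"][0]["Resource"])
```

Set the three cookies with `Secure` and `HttpOnly` on a domain that covers the distribution, keep the TTL short, and mint them only after the Cognito identity has been verified; the tenant scoping then lives in the signed `Resource` wildcard rather than in a session tag, since CloudFront itself does not evaluate IAM principal tags.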