I am developing a serverless app on AWS with the javascript API in angular 4, I have a bucket mi-bucket in S3 with one folder per client ( mi-bucket/cliente1 , mi-bucket/cliente2 ).
I have created a userPool cargaArchivosPool in amazon Cognito with email and password as necessary attributes and a custom attribute nombre_carpeta . The users created them through the Cognito console in AWS and the attribute nombre_carpeta was added by the AWS-cli.
I also created an IdentityPool with the roles AuthRole and NoAuthRole . The role AuthRole I assigned a policy in the following way:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mi-bucket"
]
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mi-bucket/*"
]
}
]
}
and there to each user I associate a group with a policy with permission to read and edit on a single folder inside the bucket in the following way:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mi-bucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"cliente1/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mi-bucket/cliente1/*"
]
}
]
}
And so also for each client. When I connect with a client I can do read and write operations on the whole bucket, but the permissions specific to each client do not apply, that is, if from the browser I change the name of the custom attribute nombre_carpeta for the cliente1 write to folders to which you do not have permissions according to the group policy in the userPool. How can I control that each user only has permissions on a particular folder?
I appreciate your help