@john-g-g
Last active August 29, 2015 14:06
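/*
S3 Bucket Naming Scheme:
myBucket/Google/app1/user1

The policy below scopes each user to herodotus/google/<Google sub>/.
S3 keys are case-sensitive, so the prefix is the lowercase "google".
*/
var AWS = require('aws-sdk'); // AWS SDK for JavaScript (callback-style API)
var sts = new AWS.STS();

// AWS S3 Policy With Variables
// Built as an object and serialized, because a quoted JavaScript string cannot span lines.
// ${accounts.google.com:sub} is an IAM policy variable. Keep it in ordinary quotes,
// not a template literal, so JavaScript does not try to interpolate it.
var $policy = JSON.stringify({
  "Version": "2012-10-17",
  "Statement": [
    {
      // Listing is allowed only under the caller's own prefix.
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::herodotus"],
      "Condition": {"StringLike": {"s3:prefix": ["google/${accounts.google.com:sub}/*"]}}
    },
    {
      // Object reads and writes are allowed only under the caller's own prefix.
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::herodotus/google/${accounts.google.com:sub}",
        "arn:aws:s3:::herodotus/google/${accounts.google.com:sub}/*"
      ]
    }
  ]
});

// for login with google
var params = {
  RoleArn: 'STRING_VALUE', /* required */
  RoleSessionName: 'STRING_VALUE', /* required */
  WebIdentityToken: 'STRING_VALUE', /* required: the Google ID token */
  DurationSeconds: 3600,
  // Session policy: the credentials get the intersection of this policy and the
  // role's own permissions, so it can only narrow what the role already allows.
  Policy: $policy
  // ProviderId is omitted: it applies only to OAuth 2.0 access tokens
  // (www.amazon.com, graph.facebook.com), not to OpenID Connect ID tokens such as Google's.
};

sts.assumeRoleWithWebIdentity(params, function (err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data); // successful response (data.Credentials holds the temporary keys)
});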
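Added example, not part of the original gist: a simplified local model of how the policy variable and wildcards in the policy above scope one user's access, useful for checking the resource patterns before deploying them. It is not the AWS policy engine, and the subject ids in the usage comments are constructed.

```javascript
'use strict';

var BUCKET = 'arn:aws:s3:::herodotus';
var OBJECT_RESOURCES = [
  BUCKET + '/google/${accounts.google.com:sub}',
  BUCKET + '/google/${accounts.google.com:sub}/*'
];
var LIST_PREFIX = 'google/${accounts.google.com:sub}/*';

// Substitute the policy variable with the caller's Google subject id.
function resolve(pattern, sub) {
  return pattern.split('${accounts.google.com:sub}').join(sub);
}

// Wildcard match as used by StringLike and resource ARNs:
// "*" is any run of characters (including "/"), "?" is exactly one character.
function like(pattern, value) {
  var re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except * and ?
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(value);
}

// Would GetObject/PutObject on this key fall under the second statement?
function canAccessObject(sub, key) {
  return OBJECT_RESOURCES.some(function (resource) {
    return like(resolve(resource, sub), BUCKET + '/' + key);
  });
}

// Would ListBucket with this prefix parameter satisfy the s3:prefix condition?
function canList(sub, prefix) {
  return like(resolve(LIST_PREFIX, sub), prefix || '');
}

// Constructed subject ids: "10012" starts with "1001", which is the collision
// the "/" after the variable protects against.
console.log(canAccessObject('1001', 'google/1001/notes.txt'));  // own object
console.log(canAccessObject('1001', 'google/10012/notes.txt')); // other user's object
console.log(canList('1001', 'google/1001/'));                   // own prefix
console.log(canList('1001', 'google/'));                        // every user's prefix
```

The "/" between the variable and "*" is what keeps subject 1001 out of the prefix belonging to subject 10012; a pattern ending in `${accounts.google.com:sub}*` would match both.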