We need to set up an S3 bucket so we can use the AWS JS SDK to upload files from a web application, only for logged-in users.
We already have a Cognito user pool, e.g., self-managed and/or tied to a corporate SSO or social networks. Users may have different permissions depending on the custom groups they belong to. There is an app client, which is used to authenticate users in our web app.
Create an identity pool in Cognito. Its "authentication provider" should be "Cognito", with the user pool (Pool ID) we already have and the same "App client id" as the one we use to authenticate our users in the web application.
"Authentication role selection": "Choose role from token", and "Role resolution": "DENY".
We need to create roles with the necessary S3 (and possibly other) permissions and assign them to groups. Those roles should have the trust relationships described in role-trust.json. The important part is that they should accept the created identity pool (ARN) as "aud".
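An added example of such a trust relationship (it is not the role-trust.json this note refers to): the `aud` condition compares against the identity pool id (the `region:guid` string shown in the Cognito console), given here as a placeholder to replace with yours, and the `amr` condition, added here on top of what the note lists, limits the role to authenticated identities:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "cognito-identity.amazonaws.com" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<region>:<identity-pool-id>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

Without the `aud` condition any Cognito identity pool, in any account, could obtain credentials for this role; without `amr`, an identity pool with unauthenticated access enabled could hand it to anonymous visitors.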
In "Permissions":
- "Block public access" ⇒ all off.
- "CORS configuration" ⇒ like in S3-cors.xml, just update the origins and maybe the list of methods. The list of headers is up to you.
- "Bucket Policy" (sic!) ⇒ like in S3-bucket-policy.json. It may have different permissions for different roles and unauthenticated users. The important part is to use the roles (ARNs) we created above as principals.