Using attributes for access control with Amazon Cognito identity pools
Before you can use attributes for access control, ensure that you meet the following prerequisites:

- To use attributes for access control, the claim that you select as the source of data supplies the value of the tag key that you choose. Amazon Cognito applies the tag key and value to your user's session. Your IAM policies can evaluate your user's access from the ${aws:PrincipalTag/tagkey} condition. IAM evaluates the value of your user's tag against the policy.

- You must prepare IAM roles whose credentials you want to pass to your users. The trust policy of these roles must permit Amazon Cognito to assume the role for your user. For attributes for access control, you must also allow Amazon Cognito to apply principal tags to your user's temporary session. Grant permission to assume the role with the action AssumeRoleWithWebIdentity. Grant permission to tag users' sessions with the permission-only action sts:TagSession. For more information, see Passing session tags in AWS Security Token Service in the AWS Identity and Access Management User Guide. For an example trust policy that grants sts:AssumeRoleWithWebIdentity and sts:TagSession permissions to the Amazon Cognito service principal cognito-identity.amazonaws.com, see Using attributes for access control policy example.
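The two policies the prerequisites above describe, as an added example that is not part of this guide: a role trust policy that grants the Cognito service principal both sts:AssumeRoleWithWebIdentity and sts:TagSession, a permissions policy scoped by ${aws:PrincipalTag/department}, and a small resolver that shows how that variable is filled from the user's session tags. The identity pool ID, the tag key "department" and the bucket name are placeholders chosen for this example.

```python
import json
import re

IDENTITY_POOL_ID = "us-east-1:EXAMPLE-IDENTITY-POOL-ID"  # placeholder, not a real pool
TAG_KEY = "department"                                   # assumed tag key from the console mapping
BUCKET = "amzn-s3-demo-bucket"                           # placeholder bucket name


def trust_policy(identity_pool_id):
    """Trust policy for the role that Amazon Cognito assumes for the user.
    AssumeRoleWithWebIdentity lets Cognito assume the role; sts:TagSession
    lets it attach the mapped principal tags to the temporary session."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        }}]}


def permissions_policy(bucket, tag_key):
    """Permissions policy whose Resource is scoped by the user's principal tag."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{bucket}/${{aws:PrincipalTag/{tag_key}}}/*"}]}


TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def resolve_resource(resource, session_tags):
    """Substitute ${aws:PrincipalTag/key} with the session tag value, as IAM
    does at evaluation time. Returns None when a referenced tag is absent:
    an unresolved variable never matches, so the statement grants nothing."""
    missing = []

    def sub(m):
        value = session_tags.get(m.group(1))
        if value is None:
            missing.append(m.group(1))
            return m.group(0)
        return value

    resolved = TAG_VAR.sub(sub, resource)
    return None if missing else resolved


if __name__ == "__main__":
    print(json.dumps(trust_policy(IDENTITY_POOL_ID), indent=2))
    resource = permissions_policy(BUCKET, TAG_KEY)["Statement"][0]["Resource"]
    print(resolve_resource(resource, {"department": "finance"}))  # .../finance/*
    print(resolve_resource(resource, {}))  # None: no mapped claim, no access
```

A user whose mapped claim is missing from the token gets no tag, the Resource never resolves, and S3 access is denied rather than widened.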
To configure attributes for access control in the console

1. Sign in to the Amazon Cognito console and select Identity pools. Select an identity pool.

2. Choose the User access tab.

3. Locate Identity providers. Choose the identity provider that you want to edit. If you want to add a new IdP, select Add identity provider.

4. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, choose Edit in Attributes for access control.

   - To apply no principal tags, choose Inactive.

   - To apply principal tags based on sub and aud claims, choose Use default mappings.

   - To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.

5. Select Save changes.