I'm trying a setup where Cognito users are granted access only to a personal folder inside a common bucket. Everything works as long as I use "aws:userid" as the folder name, i.e.
s3://mybucket/${IDENTITY_ID}
The problem is that the userid is a very long string of characters, and it makes it difficult to quickly find a user as an admin in the UI. I'd like to grant the same access but using the username as the parameter; however, my attempts fail with an Access Denied error.
This is the working bucket policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::mybucket/${aws:userid}/*",
      "Condition": {
        "StringEquals": {
          "aws:userid": "${aws:userid}"
        }
      }
    }
  ]
}
```
and the working Cognito role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:sub}/*"
    }
  ]
}
```
I tried replacing "aws:userid" with "aws:username" so the code becomes:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::mybucket/${aws:username}/*",
      "Condition": {
        "StringEquals": {
          "aws:username": "${aws:username}"
        }
      }
    }
  ]
}
```
and
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:username}/*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::mybucket/${aws:username}/*"
    }
  ]
}
```
However, if I try to upload/download to s3://mybucket/testuser/ it results in:
```
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
```
Is username something that can actually be used in policies?
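An added pre-deployment check, not code from the question's author: it parses a policy document and flags every `${...}` variable in a Resource or Condition element that a Cognito Identity Pool federated session cannot resolve. The allowed set is an assumption limited to the variables relevant to this setup; `aws:username` is populated only for requests made by an IAM user, so in a federated session the variable never resolves and the statement simply never matches, which is exactly what surfaces as Access Denied.

```python
import json
import re

# Policy variables that the request context of a Cognito Identity Pool
# federated session carries (assumed set, limited to this setup).
# "aws:username" is deliberately absent: it is only set for requests made
# by an IAM user, so in a federated session it never resolves.
COGNITO_FEDERATED_VARS = {
    "aws:userid",
    "cognito-identity.amazonaws.com:sub",
    "cognito-identity.amazonaws.com:aud",
    "cognito-identity.amazonaws.com:amr",
}
VAR_RE = re.compile(r"\$\{([^}]+)\}")


def _strings(node):
    """Yield every string value inside a nested policy element."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (list, dict)):
        for item in (node if isinstance(node, list) else node.values()):
            yield from _strings(item)


def unresolvable_variables(policy_json):
    """Return the ${...} variables used in Resource or Condition elements
    that a Cognito federated identity cannot resolve (empty set = all fine)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    found = set()
    for stmt in statements:
        for element in ("Resource", "Condition"):
            for text in _strings(stmt.get(element, [])):
                found.update(v for v in VAR_RE.findall(text)
                             if v not in COGNITO_FEDERATED_VARS)
    return found


# Constructed sample: the poster's role policy with the prefix switched to
# ${aws:username}; the check flags it before the role is deployed.
SAMPLE_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": "arn:aws:s3:::mybucket",
    "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}},
}]})

print(unresolvable_variables(SAMPLE_ROLE_POLICY))  # {'aws:username'}
```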