AWS S3 Transfer Manager ${cognito-identity.amazonaws.com:sub} Policy Variable Access Denied.

Question

I was trying to download a file from S3 to my mobile app, using Transfer Manager. I'm getting this:

<?xml version="1.0" encoding="UTF-8"?>

<Error><Code>AccessDenied</Code>

   <Message>Access Denied</Message>    

   <RequestId>E1F205B58EF4A670</RequestId>

   <HostId>dUWI8PfVZL3mJmykjhXRqvFd1yt/CqDFNlwgwD3kmLk2vrMBP6JvVgezMYSROt3KyE3dx0+3eDE=</HostId>

</Error>

And this is my IAM policy:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "GetBucketListIfRequestIsForUser",

            "Action": [

                "s3:ListBucket"

            ],

            "Effect": "Allow",

            "Resource": [

                "arn:aws:s3:::sidestreamx"

            ],

            "Condition": {

                "StringLike": {

                    "s3:prefix": [

                        "${cognito-identity.amazonaws.com:sub}/*"

                    ]

                }

            }

        },

        {

            "Sid": "S3GetObjects",

            "Action": [

                "s3:GetObject",

                "s3:PutObject"

            ],

            "Effect": "Allow",

            "Resource": [

                "arn:aws:s3:::sidestreamx/${cognito-identity.amazonaws.com:sub}/*"

            ]

        }

    ]

} 

Any solution for this? 

Answer 1

Here sub refers to the IdentityID from credentialsProvider, so ${cognito-identity.amazonaws.com:sub} doesn't refer to the sub in the JWT token.

Here I created a folder in the S3 bucket with the name same as task.result! and used that in my code below,

(AWSServiceManager.default().defaultServiceConfiguration.credentialsProvider

        as! AWSCognitoCredentialsProvider).getIdentityId()

        .continue({task -> Any? in

        print("Credentials ID is \(task.result!)")

        return nil

    })

Are you interested to learn AWS, then checkout: AWS Certification