InvalidIdentityPoolConfigurationException when setting up custom tags in identity pool


I have an app built via AWS Amplify that uses Cognito to control my user base. I have created a custom attribute "myAttr" that I am using as a PoC.

I am now trying to add permissions to a DynamoDB table using the value of my custom attribute. Basically if the leading key of the table matches the user's value in "myAttr" they should have access.

From what I understand, especially after reading this post the way to do this is by using the principal tag. By going into my identity pool, navigating to the Attributes for Access Control tab, and adding a mapping after selecting Use custom mappings for "myAttr" - "custom:myAttr", I should then be able to restrict access to my table using the below permission policy snippet

    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [ "${aws:PrincipalTag/user_id}" ]
        }
    }

I am applying the above condition to a role that is assigned to a lambda that I am calling from within my app.

My problem is that when I set up the mapping in the "Attributes for Access Control", I get the error InvalidIdentityPoolConfigurationException: Invalid identity pool configuration. Check assigned IAM roles for this pool. This also happens if I just select the "Use Default Mappings" option instead of "Use custom mappings"! If I remove this feature and change it to inactive, my app is back to working again and no error is thrown.

Does anyone know what could be causing this issue?

EDIT: I have managed to clear the error by adding the "sts:TagSession" element in the Action tag of the Trusted relationships statement. However now I am not able to authenticate with conditions using my principal tag. As soon as I add a condition I get "no identity-based policy allows the dynamodb:PutItem action"

Below is the condition I have added. I am trying to just get anything going through, so I have updated the mapping in the Attributes for access control table to be the default (capturing sub and aud into username and client respectively). I am then trying the below condition, which I would expect to pass regardless of what value is in the tag but is instead still failing

    "Condition": {
        "ForAnyValue:StringLike": {
            "aws:PrincipalTag/username": "*"
        }
    }

Can anyone help?
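As an added example (not code from the question or the answer), the script below holds two constructed policy documents side by side, the trust policy an identity pool's authenticated role gets by default and the same policy with sts:TagSession added, and lints them offline: one check lists the STS actions the trust policy fails to grant the identity pool, the other lists the principal tag keys a permission policy refers to that the configured attribute mapping never sets. The identity pool id and table name are placeholders; the default-mapping tag key names username and client are taken from the question's description of "Use default mappings".

```python
"""Added example: offline checks for an identity pool role that uses principal tags.

Not code from the question or the answer. All policy documents are constructed
samples; the identity pool id and table name are placeholders.
"""
import re

IDENTITY_POOL_ID = "eu-west-1:00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed: trust policy in the shape an identity pool's authenticated role
# gets by default. It allows AssumeRoleWithWebIdentity only.
TRUST_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }
    ],
}

# Constructed: the same trust policy with sts:TagSession added, which the
# question's edit reports cleared InvalidIdentityPoolConfigurationException.
TRUST_POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {
            **TRUST_POLICY_BEFORE["Statement"][0],
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
        }
    ],
}

# Constructed: the question's permission policy condition, with quoting repaired.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:*:*:table/PLACEHOLDER_TABLE",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": ["${aws:PrincipalTag/user_id}"]
                }
            },
        }
    ],
}

# Tag keys that "Use default mappings" produces (sub -> username, aud -> client).
DEFAULT_MAPPING_TAG_KEYS = {"username", "client"}

REQUIRED_TRUST_ACTIONS = {"sts:AssumeRoleWithWebIdentity", "sts:TagSession"}
# Matches the key in both a condition key ("aws:PrincipalTag/username") and a
# policy variable ("${aws:PrincipalTag/user_id}"); the closing brace ends the match.
PRINCIPAL_TAG_RE = re.compile(r"aws:PrincipalTag/([A-Za-z0-9_.:/=+\-@]+)")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_trust_actions(trust_policy, pool_id):
    """STS actions the identity pool needs on this role that the trust policy does not grant.

    Only Allow statements for the cognito-identity federated principal count; a statement
    scoped by cognito-identity.amazonaws.com:aud to a different pool is ignored.
    """
    granted = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud is not None and pool_id not in _as_list(aud):
            continue
        granted.update(_as_list(stmt.get("Action", [])))
    return sorted(REQUIRED_TRUST_ACTIONS - granted)


def referenced_principal_tags(policy):
    """Every aws:PrincipalTag/<key> the policy mentions, as a condition key or a variable."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, str):
            found.update(PRINCIPAL_TAG_RE.findall(node))

    walk(policy)
    return found


def unmapped_principal_tags(policy, mapped_tag_keys):
    """Tag keys the policy relies on that the identity pool mapping never sets.

    A condition on a tag key absent from the request context evaluates false, so the
    statement grants nothing and the caller sees an implicit deny.
    """
    return sorted(referenced_principal_tags(policy) - set(mapped_tag_keys))


if __name__ == "__main__":
    print("trust policy before:", missing_trust_actions(TRUST_POLICY_BEFORE, IDENTITY_POOL_ID))
    print("trust policy after: ", missing_trust_actions(TRUST_POLICY_AFTER, IDENTITY_POOL_ID))
    print("tags not mapped:    ", unmapped_principal_tags(PERMISSION_POLICY, DEFAULT_MAPPING_TAG_KEYS))
```

Run against the question's condition, the second check reports user_id as unmapped while the pool is on default mappings, which set only username and client; the tag key in the condition has to be the tag key name chosen in the Attributes for access control mapping. One more thing worth confirming before reworking policy text: principal tags from Cognito exist only on the credentials the identity pool vends to the signed-in user, so a Lambda function that calls DynamoDB with its own execution role's credentials carries none of them and a condition on aws:PrincipalTag cannot pass there.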

1 Answer

The InvalidIdentityPoolConfigurationException error typically arises when there is an issue with the configuration of your identity pool in AWS Cognito.

In your case, it seems to be related to setting up custom attribute mappings for access control, specifically when using custom attributes like custom:myAttr.

This error can occur due to various reasons such as incorrect IAM role assignments, misconfigured identity pool settings, or issues with attribute mappings themselves.

EXPERT
answered a month ago
EXPERT
Sandeep
reviewed 25 days ago
  • I'd just like to reiterate, as per my original question, that it is not specific to custom attributes: if I select "use default mappings", at which point AWS only adds "sub" and "aud", the same issue occurs. I'm not sure if that helps shine any more light onto the issue. Edit: also to stress, this ONLY occurs if I add anything to the Attributes for Access Control mapping. Setting it back to inactive doesn't throw the error anymore. I have also ensured my permission policy has both the Set and GetPrincipalTagAttributeMap permission. The identity pool in the trust relationships subtab is also correct.

  • If I had to hazard a guess I would have assumed it is something to do with permissions for principal tags, as if I update the mapping to get the value of a placeholder tag value that does not exist, I do not actually get the error. To me the issue is clearly with permissions when trying to access attributes for the mapping itself, however aside from the two permissions I have mentioned above I cannot see anything else that would be relevant!

  • Confirm that the role associated with your Lambda function has the necessary permissions for both Set and GetPrincipalTagAttributeMap. Also, revisit the trust relationships for your identity pool. Make sure the trust relationship specifies the correct role and allows the necessary actions. If not done already, enable detailed logging so we can see deeply.

  • Thanks for that, Giovanni. I have been able to resolve the error at least; I have updated the post to include details. I am still not able to use the principal tags for conditions, however (details also in the edit).

    Can you please advise how detailed logging is enabled, and for what feature it needs to be enabled? Is there also a way to enable logging for the principal tags, so I can see what values (if any) are coming through from the mapping to the user pool attributes?