What is [account:caller-specified-name] in aws:userid for aws Federated users


I would like to ask about 'AWS get Federation Token'.

What I want to do is that someone authorized by using getFederationToken could access ONLY HIS/HER NAMED AWS S3 folder like [bob] or [alice], etc.

Here is what I've done.

Make Temporary Credentials by using getFederationToken for aws:userid

    var AWS = require('aws-sdk'); // AWS SDK for JavaScript v2

    AWS.config.update({
      accessKeyId: [Removed],
      secretAccessKey: [Removed], // key is secretAccessKey, not secreteAccessKey
      region: [Removed]
    });

    var params = {
      Name : 'bob', // caller-specified name; becomes the second half of aws:userid
      // plain double-quoted string, so ${aws:userid} reaches STS as a literal IAM policy variable
      Policy : "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"s3:ListBucket\"],\"Resource\": [\"arn:aws:s3:::mybucket\"]}, {\"Effect\": \"Allow\", \"Action\": [\"s3:PutObject\", \"s3:GetObject\"],\"Resource\": [\"arn:aws:s3:::mybucket/${aws:userid}/*\"]}]}",
      DurationSeconds: 129600 // integer, not a string
    }

    var sts = new AWS.STS({apiVersion: '2011-06-15'});

    sts.getFederationToken(params, function(err, data) {
      if (err)
        console.log(err, err.stack);
      else
        console.log(data);
    });

But I don't know what will be called from ${aws:userid}. The AWS User Guide says that [account:caller-specified-name] will be used when the principal is a federated user... However, I checked whether it's [AWS account ID (12-digit number):bob]. It's not.

If you have something to tell me, please let me know. Thank you.


Lucas On

I've found a solution, even if not perfect.

[account:caller-specified-name] is working correctly as [123456789012:bob] only in the S3 policy, not as a JS code parameter.

Erik On

I was looking for an answer to the same question. With some trial and error, I found the solution:

You can use

    "arn:aws:s3:::mybucket/${aws:userid}/*"

but then the folder name must be mybucket/[accountId]:bob

However, depending on where this code is executed, you might want to NOT use your account ID as part of a URL or folder name.

You are passing the entire policy anyway, so you could simply change the code above to accept the Name:

    var AWS = require('aws-sdk'); // AWS SDK for JavaScript v2

    const tempAccountName = 'bob'; // passed as parameter I presume?

    AWS.config.update({
      accessKeyId: [Removed],
      secretAccessKey: [Removed], // key is secretAccessKey, not secreteAccessKey
      region: [Removed]
    });

    var params = {
      Name : tempAccountName,
      // template literal: ${tempAccountName} is substituted by JS before the policy reaches STS
      Policy : `{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"s3:ListBucket\"],\"Resource\": [\"arn:aws:s3:::mybucket\"]}, {\"Effect\": \"Allow\", \"Action\": [\"s3:PutObject\", \"s3:GetObject\"],\"Resource\": [\"arn:aws:s3:::mybucket/${tempAccountName}/*\"]}]}`,
      DurationSeconds: 129600 // integer, not a string
    }

    var sts = new AWS.STS({apiVersion: '2011-06-15'});

    sts.getFederationToken(params, function(err, data) {
      if (err)
        console.log(err, err.stack);
      else
        console.log(data);
    });
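The per-user scoping Erik describes, written as an added example that is not code from the question or either answer: the session policy is built with JSON.stringify from a validated name rather than a hand-escaped string, s3:ListBucket is limited to the user's own prefix instead of the whole bucket, and federatedUserId shows the "<account-id>:<Name>" form of aws:userid that both answers observed. The bucket name, the name pattern and the function names are assumptions.

```javascript
// Bucket and name pattern are assumptions for this example.
const BUCKET = 'mybucket';
// getFederationToken's Name allows [\w+=,.@-]{2,32}; this stricter pattern
// keeps the value safe as an S3 key prefix (no ':' or '/', so one user's
// name cannot spill into another user's folder).
const NAME_RE = /^[A-Za-z0-9_.@-]{2,32}$/;

// For a federated user, aws:userid resolves to "<account-id>:<Name>",
// which is why a ${aws:userid} prefix yields folders like "123456789012:bob/".
function federatedUserId(accountId, name) {
  return `${accountId}:${name}`;
}

// Session policy scoped to the caller's own folder. The name must come
// from the identity your application authenticated, never from the request.
function buildSessionPolicy(name) {
  if (!NAME_RE.test(name)) throw new Error('invalid federated user name');
  const folder = `${name}/`; // trailing slash: "bob/" must not match "bobby/"
  return JSON.stringify({
    Version: '2012-10-17',
    Statement: [
      {
        // listing is limited to the user's prefix instead of the whole bucket
        Effect: 'Allow',
        Action: ['s3:ListBucket'],
        Resource: [`arn:aws:s3:::${BUCKET}`],
        Condition: { StringLike: { 's3:prefix': [`${folder}*`] } },
      },
      {
        Effect: 'Allow',
        Action: ['s3:GetObject', 's3:PutObject'],
        Resource: [`arn:aws:s3:::${BUCKET}/${folder}*`],
      },
    ],
  });
}

// Parameters for sts.getFederationToken(params, cb); a short lifetime by default.
function federationParams(name, durationSeconds = 3600) {
  return { Name: name, Policy: buildSessionPolicy(name), DurationSeconds: durationSeconds };
}
```

With the s3:prefix condition in place, the user's ListObjects call must pass Prefix "bob/" (or a deeper prefix); a listing of the bucket root is denied.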