Note: If your question is regarding the AWS Amplify Console service, please log it in the official AWS Amplify Console forum
Which Category is your question related to?
Storage and Auth
Amplify CLI Version
4.13.4
What AWS Services are you utilizing?
Cognito, S3
Provide additional details e.g. code snippets
I'm currently building an application with multiple users divided across multiple (and indefinitely many) organizations. Users need to be able to access data related to their organization and none other. I am avoiding Cognito User Groups as they do not seem to be made for indefinitely many groups or organizations.
In my GraphQL API this was pretty straightforward to solve, using dynamic group auth with a custom groupClaim that I populate in a pretoken lambda.
When it comes to S3, however, I haven't quite figured out how to protect resources but allow all users of one organization to access these shared files. I have only found documentation on how to do so with static Cognito User Groups or general public/private/protected access on a per-user basis instead of a per-organization basis.
Any help or ideas?
@pafflu could you give some more details about your use case of using indefinitely many organizations? It's not clear to me why Cognito User Pools would not be a good choice here - you would still be able to add other groups with the right access levels at any time
@nikhname Thanks for the quick response!
It's a multi-tenant web-app for small enterprises, meaning users will register and belong to one company (and in larger companies sub-divided into different departments). I figured I'd rather manage this multi-tenant situation without User Groups, especially because they reach a hard limit at 500 per user pool as far as I know, and creating an entirely new pool for each company seems like a massive bother, too.
I currently use a pretoken lambda to stick the user's company id into their token that I then use when querying the API, and it works like a charm! It's just that I don't yet understand how to solve the same issue on the Storage side of things.
Any advice you can give me?
I am facing the same problem.
+1. Relevant comment about this that I posted in June in the @auth RFC: https://github.com/aws-amplify/amplify-cli/issues/1043#issuecomment-501462433
@pafflu @hisham @ricsirigu I had the same need as what you are describing (I believe) and solved it using S3 pre-signed URLs. You can read about my problem and solution here:
https://forums.aws.amazon.com/thread.jspa?threadID=317864
@hisham the @auth directive in the graphql schema is just for auth rules to the GraphQL API and doesn't have anything to do with auth to S3 objects. Remember amplify cli just stubs out CloudFormation templates for you and you can modify them (except for the api category) to fit your needs.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
The current built-in way of accomplishing this is to leverage User Pool Groups which will set appropriate IAM policy for your bucket locations: https://docs.amplify.aws/cli/auth/groups
Will mark this as a feature request for alternative solutions in the future.