Attributes for access control are null on AWS Identity Pool

Short question: How should I map user attributes of a user pool to IAM PrincipalTag?

I'm trying to access my API with credentials from an Identity Pool. My identity pool has a Cognito user pool as an authentication provider. I'm trying to pass email from the Cognito user pool as a Tag key for principal so that I can use it with the permissions policies of my role with ${aws:PrincipalTag/email}

I get my credentials with cli using aws cognito-identity get-id ... and aws cognito-identity get-credentials-for-identity ...

Unfortunately it is not passing the email as a principal tag (or at least I think so). If I add a tag for the role with [email protected] then my policy works fine.

Here is my trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com",
        "Service": "apigateway.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-2:aa111111-ffff-4444-b666-bc1609f42380"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com",
        "Service": "apigateway.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}

And here is my permission policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-testapp/${aws:PrincipalTag/email}/",
                "arn:aws:s3:::bucket-testapp/${aws:PrincipalTag/email}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*",
                "apigateway:*",
                "execute-api:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

What did I miss?

Thanks

Solution 1:[1]

I know this post is a bit old, but figured since I found it, others might too.

Did you configure the identity pool to pass the default attributes? Particularly these steps from the aws docs:

  1. Choose Edit identity pool.
  2. Expand the Authentication providers section.
  3. In the Authentication providers section, choose the provider tab you want to use.
  4. In Attributes for access control, choose either Default attribute mappings or Custom attribute mappings. Default mappings are different for each provider. For more information, see Default provider mappings for attributes for access control.

It doesn't look like "Default Attributes" includes email for cognito. You probably need to follow step 8 on those docs to add a custom mapping for email.

I had a similar issue using "Custom Attributes", but I had accidentally swapped "Tag key for principal" and "Attribute name". Otherwise, my policies looked identical to yours and worked. In case this is the issue you are seeing, "Attribute name" should map to the Cognito attribute value key such as "custom:your-attribute". (I believe since email is not a "custom" attribute, "Attribute name" would just be "email")
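The following is an added example, not part of the original answer or of any AWS code: it models how the identity pool's "Attributes for access control" mapping turns ID-token claims into session principal tags, and what happens to the `${aws:PrincipalTag/email}` policy variable when no mapping exists or when the two columns are swapped. The claims, tenant attribute and pool identifiers are constructed placeholders.

```python
"""Model Cognito identity-pool attribute mapping -> principal tags -> IAM policy
variable resolution. Constructed example; claims and identifiers are hypothetical."""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Console mapping is "Tag key for principal" -> "Attribute name". Standard user-pool
# attributes use their plain claim name; custom ones use the "custom:" prefix.
# Equivalent CLI (placeholders in angle brackets):
#   aws cognito-identity set-principal-tag-attribute-map \
#     --identity-pool-id <identity-pool-id> \
#     --identity-provider-name cognito-idp.<region>.amazonaws.com/<user-pool-id> \
#     --principal-tags email=email --no-use-defaults
CORRECT_MAPPING = {"email": "email"}
# The mistake from the answer, shown with a custom attribute where it bites:
# tag key and attribute name entered in the wrong columns.
SWAPPED_MAPPING = {"custom:tenant": "tenant"}
FIXED_MAPPING = {"tenant": "custom:tenant"}

# Constructed ID-token claims for a user-pool user (not a real token).
CLAIMS = {"sub": "0000-1111", "email": "alice@example.com", "custom:tenant": "acme"}

# Resource ARNs from the question's permission policy.
RESOURCES = [
    "arn:aws:s3:::bucket-testapp/${aws:PrincipalTag/email}/",
    "arn:aws:s3:::bucket-testapp/${aws:PrincipalTag/email}/*",
]

def principal_tags(mapping: Dict[str, str], claims: Dict[str, str]) -> Dict[str, str]:
    """Tags attached to the session: a mapping only yields a tag when the named
    attribute is actually present in the token (an empty mapping yields nothing)."""
    return {tag: claims[attr] for tag, attr in mapping.items() if attr in claims}

def resolve_resource(template: str, tags: Dict[str, str]) -> Optional[str]:
    """Substitute ${aws:PrincipalTag/<key>}; a missing tag leaves the variable
    unresolvable, so the statement cannot match. Modelled as None."""
    keys = re.findall(r"\$\{aws:PrincipalTag/([^}]+)\}", template)
    if any(k not in tags for k in keys):
        return None
    return re.sub(r"\$\{aws:PrincipalTag/([^}]+)\}", lambda m: tags[m.group(1)], template)

def is_allowed(resources: List[str], tags: Dict[str, str], requested_arn: str) -> bool:
    """True if any resolved Resource entry (with * as a glob) matches the request."""
    for template in resources:
        resolved = resolve_resource(template, tags)
        if resolved is not None and fnmatchcase(requested_arn, resolved):
            return True
    return False
```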

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Notlaw