I have a Cognito identity pool that assigns a principal tag named home. I create credentials with fromCognitoIdentityPool (which ultimately calls AssumeRoleWithWebIdentity).
Further, I use these credentials to invoke a Lambda named locate, which has the following policy allowing access only to items whose primary key equals the value of home:
- Statement:
    - Action: [dynamodb:GetItem]
      Effect: Allow
      Resource: !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${PlacesTableName}"
      Condition:
        ForAllValues:StringEquals:
          dynamodb:LeadingKeys:
            - "${aws:PrincipalTag/home}"
However, this condition always fails and I get an access denied exception:
AccessDeniedException: User: arn:aws:sts::...:assumed-role/...-UserRole-.../Locate is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:...:table/Places because no identity-based policy allows the dynamodb:GetItem action
Any ideas?
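To reason about why a policy like the one in the question evaluates to an implicit deny, here is an added example (not from the question and not AWS code) that models the only pieces this Condition uses: the ForAllValues:StringEquals operator on dynamodb:LeadingKeys and the ${aws:PrincipalTag/home} policy variable. The three request contexts are constructed, and the model assumes the documented IAM rule that a condition referencing a variable absent from the request context fails.

```python
"""Toy model of how IAM evaluates the Condition from the policy above."""
import re

VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(value, ctx):
    """Expand ${key} policy variables from the request context.

    Returns None when a referenced key is missing from the context:
    IAM does not substitute an empty string, the condition simply fails.
    """
    missing = False

    def repl(match):
        nonlocal missing
        tag = ctx.get(match.group(1))
        if tag is None:
            missing = True
            return ""
        return tag

    expanded = VAR.sub(repl, value)
    return None if missing else expanded


def for_all_values_string_equals(policy_values, request_values):
    """Every request value must equal one policy value.

    Vacuously true when the request carries no values for the key at all.
    """
    return all(v in policy_values for v in request_values)


def condition_allows(policy_values, ctx):
    """Evaluate the Allow statement's Condition against a request context.

    ctx maps principal tags to strings and dynamodb:LeadingKeys to a list.
    """
    resolved = []
    for pv in policy_values:
        s = substitute(pv, ctx)
        if s is None:  # unresolved policy variable: condition fails
            return False
        resolved.append(s)
    return for_all_values_string_equals(resolved, ctx.get("dynamodb:LeadingKeys", []))


POLICY_VALUES = ["${aws:PrincipalTag/home}"]

# Constructed request contexts (values are illustrative).
TAGGED_MATCH = {"aws:PrincipalTag/home": "h-123", "dynamodb:LeadingKeys": ["h-123"]}
TAGGED_MISMATCH = {"aws:PrincipalTag/home": "h-123", "dynamodb:LeadingKeys": ["h-999"]}
NO_TAG = {"dynamodb:LeadingKeys": ["h-123"]}  # caller's session carries no home tag

if __name__ == "__main__":
    for name, ctx in [("match", TAGGED_MATCH), ("mismatch", TAGGED_MISMATCH), ("no tag", NO_TAG)]:
        print(name, "->", "Allow" if condition_allows(POLICY_VALUES, ctx) else "implicit Deny")
```

Against a real account the same three cases can be checked with `aws iam simulate-principal-policy` by passing dynamodb:LeadingKeys and aws:PrincipalTag/home as context entries for the exact role session that makes the GetItem call.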