I would like to ask about 'AWS GetFederationToken'.
What I want is that someone authorized via getFederationToken can access ONLY HIS/HER OWN NAMED AWS S3 folder, like [bob] or [alice], etc.
Here is what I've done.
Make temporary credentials by using getFederationToken with aws:userid:
var AWS = require('aws-sdk');

// Long-term credentials of the IAM user that calls GetFederationToken
AWS.config.update({
  accessKeyId: [Removed],
  secretAccessKey: [Removed],
  region: [Removed]
});

// Session policy: list the bucket, but read/write only under the caller's own prefix
var params = {
  Name: 'bob',
  Policy: "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"s3:ListBucket\"],\"Resource\": [\"arn:aws:s3:::mybucket\"]}, {\"Effect\": \"Allow\", \"Action\": [\"s3:PutObject\", \"s3:GetObject\"],\"Resource\": [\"arn:aws:s3:::mybucket/${aws:userid}/*\"]}]}",
  DurationSeconds: 129600  // a number, not a string
};

var sts = new AWS.STS({apiVersion: '2011-06-15'});
sts.getFederationToken(params, function(err, data) {
  if (err)
    console.log(err, err.stack);   // an error occurred
  else
    console.log(data);             // temporary credentials for 'bob'
});
But I don't know what ${aws:userid} will be substituted with. The AWS User Guide says that it will be [account:caller-specified-name] when the principal is a federated user... However, I checked whether it's [AWS account ID (12-digit number):bob]. It's not.
If you have any suggestions, please let me know. Thank you.
I've found a solution, even if it's not perfect.
[account:caller-specified-name] works correctly as [123456789012:bob] only in the S3 policy, not in the JS code parameter.
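As an added example (not code from the question or the answer above), the snippet below builds the GetFederationToken session policy as an object instead of a hand-escaped JSON string, resolves the aws:userid variable the way it resolves for a federated user ("<account-id>:<caller-specified-name>", so "123456789012:bob" rather than "bob"), and runs a small local matcher to show which object keys the resolved policy lets the user reach. It makes no AWS call. Two things go beyond the question's policy: an s3:prefix condition on s3:ListBucket, without which every user can list everyone else's key names, and the DurationSeconds value passed as a number. The account id, bucket name and object keys are constructed sample values.

```javascript
// Added example, not from the original question or answer. Nothing here calls AWS.

// Session policy for GetFederationToken. Single-quoted strings keep '${aws:userid}' literal
// so it reaches IAM as a policy variable. The s3:prefix condition on ListBucket is an
// addition to the question's policy: without it a user can list every other user's keys.
function buildSessionPolicy(bucket) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['s3:ListBucket'],
        Resource: ['arn:aws:s3:::' + bucket],
        Condition: { StringLike: { 's3:prefix': ['${aws:userid}/*'] } },
      },
      {
        Effect: 'Allow',
        Action: ['s3:PutObject', 's3:GetObject'],
        Resource: ['arn:aws:s3:::' + bucket + '/${aws:userid}/*'],
      },
    ],
  };
}

// Parameters for sts.getFederationToken(): Policy is a JSON string, DurationSeconds a number.
function getFederationTokenParams(name, bucket, durationSeconds) {
  return {
    Name: name,
    Policy: JSON.stringify(buildSessionPolicy(bucket)),
    DurationSeconds: durationSeconds === undefined ? 129600 : durationSeconds,
  };
}

// For a federated user, aws:userid resolves to "<account-id>:<Name passed to GetFederationToken>".
function federatedUserId(accountId, callerSpecifiedName) {
  return accountId + ':' + callerSpecifiedName;
}

// Substitute the policy variable everywhere it appears (resources and condition values).
function resolveSessionPolicy(policy, userId) {
  return JSON.parse(JSON.stringify(policy).split('${aws:userid}').join(userId));
}

// IAM wildcard matching: '*' matches any sequence, '?' one character, everything else literal.
function arnPatternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

// Simplified evaluator: true if some Allow statement names the action and a matching resource.
// Conditions and Deny statements are not evaluated; this only shows how the resolved
// per-user prefix scopes object access.
function isActionAllowed(resolvedPolicy, action, resourceArn) {
  return resolvedPolicy.Statement.some(function (stmt) {
    if (stmt.Effect !== 'Allow') return false;
    const actions = [].concat(stmt.Action);
    const resources = [].concat(stmt.Resource);
    return actions.indexOf(action) !== -1 &&
      resources.some(function (r) { return arnPatternToRegExp(r).test(resourceArn); });
  });
}

// Which keys can 'bob' read once the variable is resolved? (constructed sample values)
function demo() {
  const params = getFederationTokenParams('bob', 'mybucket');
  const policy = resolveSessionPolicy(JSON.parse(params.Policy), federatedUserId('123456789012', 'bob'));
  const keys = ['123456789012:bob/report.pdf', '123456789012:alice/report.pdf', 'bob/report.pdf'];
  return keys.map(function (key) {
    return { key: key, allowed: isActionAllowed(policy, 's3:GetObject', 'arn:aws:s3:::mybucket/' + key) };
  });
}

console.log(demo());
```

The third key in demo() is the one the question expected to work: a plain "bob/" prefix is never matched, because the variable carries the account id in front of the name. Objects therefore have to be stored under "123456789012:bob/..." for the per-user scoping to take effect.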