
UpdateItem - access denied


EDIT:

I updated the leading key from userId to sub, which per the AWS documentation should match the user ID of the signed-in user, i.e. ${cognito-identity.amazonaws.com:sub}, and it still doesn't work.

I have a DynamoDB table set up through MobileHub and I've been able to PutItem on it until today, when I deleted my Cognito pool and made a new one. The table in question is HighScore. The UserDetails table is unaffected.

I'm able to authenticate and get resources requiring "auth" access, but for some reason, access is denied when attempting to PutItem.

The error is:

Error Domain=com.amazonaws.AWSServiceErrorDomain Code=6 "(null)" UserInfo={__type=com.amazon.coral.service#AccessDeniedException, Message=User: arn:aws:sts::123456789012:assumed-role/appName_auth_MOBILEHUB_AppId/CognitoIdentityCredentials is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:us-west-1:123456789012:table/appName-mobilehub-appId-HighScore}

Here's my IAM Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:ListTables",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-1:123456789012:table/appName-mobilehub-appId-HighScore",
                "arn:aws:dynamodb:us-west-1:123456789012:table/appName-mobilehub-appId-UserDetails"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-1:123456789012:table/appName-mobilehub-appId-HighScore",
                "arn:aws:dynamodb:us-west-1:123456789012:table/appName-mobilehub-appId-UserDetails"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

Solution

  • There seems to be a bug with fine-grained access control here, as removing the condition statement (even after changing it so it matched the table's key) resolved the issue.
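For reference, the write statement's condition in the policy above is only satisfied when every partition-key value in the request equals the caller's Cognito identity-pool identity ID (the value ${cognito-identity.amazonaws.com:sub} resolves to, which is of the form region:uuid, not the user-pool user's sub). The following simplified evaluator is an added illustration, not code from the question or from AWS; the identity ID and key values are constructed samples, and real IAM evaluation has more rules than are modelled here.

```python
import re

# Simplified model of IAM's ForAllValues:StringEquals on dynamodb:LeadingKeys.
# Added example, not AWS code; only the parts relevant to the policy above.

# Same condition block as the write statement of the policy in the question.
WRITE_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
    }
}

# Constructed request context: an identity-pool identity ID (region:uuid).
# This is what ${cognito-identity.amazonaws.com:sub} resolves to for a
# Cognito Identity credential; it is not the user pool's user "sub".
SAMPLE_CONTEXT = {
    "cognito-identity.amazonaws.com:sub":
        "us-west-1:11111111-2222-3333-4444-555555555555",
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve_policy_variables(values, request_context):
    """Substitute ${key} policy variables from the request context.
    Returns None if a variable is absent (in this model that means the
    condition cannot match, so the request is denied)."""
    resolved = []
    for value in values:
        missing = [k for k in _VAR.findall(value) if k not in request_context]
        if missing:
            return None
        resolved.append(_VAR.sub(lambda m: request_context[m.group(1)], value))
    return resolved


def condition_allows(condition, request_context, leading_keys):
    """leading_keys: partition-key values the request touches (one for
    PutItem/UpdateItem, several for BatchWriteItem). ForAllValues passes
    only if every requested key is in the allowed set; per the IAM rules
    an empty request set also passes."""
    allowed = resolve_policy_variables(
        condition["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"],
        request_context,
    )
    if allowed is None:
        return False
    return all(key in allowed for key in leading_keys)
```

A write whose partition key holds anything other than the caller's own identity ID (a user-pool sub, a username, a score ID) is denied by this condition, while the read statement, which has no condition, keeps working, matching the symptom in the question.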