How can I set up access to specific folders in s3 bucket for each user?

I have made a demo site with netlify identity, and integrated it with square space for subscriptions which I’m happy with, but my use-case is I am designing and building a web app that will be used for sensitive information and images that only the user can access, and is meant to by law be stored on Australian data servers (it’s health information). The best way I have found to do this will be using Amazon S3 bucket located in Sydney server centre.

To restrict access to just the user only I am planning to use AWS Cognito user ID to automatically create and fetch information from [bucket]…/cognitoID/ (user ID folders) which I know is possible (I made this demo app and it works Create a Cognito Identity Pool | Serverless Stack), but I’m not sure how to integrate Netlify Identity with Cognito. I think I need to setup a custom authentication provider within cognito, but not sure what details to input and how to integrate that with my app and Netlify identity.

Planning to use Netlify ID rather than Cognito sign in as I cannot work out how to combine Cognito sign in with a subscription service, whereas netlify integrates quite easily with Stripe.

Hi @suresh.khirwadkar,

I’ve 0 experience with AWS and its services, so my answer might not be correct, but here you go.

Based on the documentation of Auth0 (another identity provider): Integrate with Amazon Cognito, you need to configure and enter a lot of values in your Cognito panel to be able to configure a custom authentication provider. This doesn’t seem possible with Netlify Identity as all you get is an endpoint URL.

With that being said, if you still manage to find a way to achieve this, do let us know, it might help others in future.

Thought someone might say something like that.

How else do sites ensure users cannot see each others’ data and files? I cant be the only one who ever had this issue?? :rofl:

Yes, but maybe they got the work done with AWS’ own identity service instead of integrating it with Netlify Identity or maybe they used something else altogether. While there are guides to upload files from Netlify to S3 like this one, they don’t go over the security part.

Users use Netlify for a variety of purposes, some get creative and do something extraordinary. That’s the reason I said, if you do find a way, do let the forms know so if someone asks this in future, we can say that they’re not the only one who have tried doing that on Netlify. But for now, I don’t think we have a better answer.

However, this is a community forum. There are many Netlify users here who are enthusiastic and go out of their way to help some people. So if one of them has tried this, or knows a thing or two about it, they might chip in.

2 Likes

Thanks. I’ll see what I can come up with, but I’m very new to any coding so not much idea what I’m doing :rofl:

I wonder if there’s a way to gate the content with the stripe key rather than the Amazon login?

Eg cognito sign in allows access to the ‘user files’, but stripe sub profile allows access to the ‘user area’. Notsure if that is possible at all.

Does stripe integrate at all with other providers like oauth?

No. It wouldn’t make sense. oAuth is a term to describe a specific authentication flow, a standardized way to authenticate against an API, it’s not a provider. You use oAuth to authenticate with the Stripe API, for instance.

Is there any reason you can’t use Netlify Identity, or whatever user management system you prefer to communicate with the bucket directly? There is nothing wrong with what you want do to without using Cognito, Cognito is just another user management system, like Netlify Identity, I don’t entirely see why you would mix them.

I get that you want to use Cognito’s options to utilize Amazon access policy’s to restrict access in the bucket, but why can’t you just restrict the access yourself?

Psuedo code

const id_user = get_user_id_from_wherever()

if ( user_bucket_does_not_exist() ) {
  create_user_bucket(id_user)
}

const bucket = get_user_bucket(id_user)