Hi all. I have a Firehose DeliveryStream with an S3 destination that uses dynamic partitioning to generate the S3 prefix based on a customer ID that is included in the PutRecord body.
I would like Firehose to assume the role that is calling PutRecord, so that I can apply an S3 IAM condition using {$aws.PrincipalTag} that prevents customers from uploading records with an incorrect customer ID, rather than just letting Firehose assume a role which can write to any prefix.
Is that possible? Is there a better way to do this? My customers are authenticated via a Cognito Identity pool, and my identity provider returns the customer ID, so it’s available as a session tag. I’m just not sure how to leverage that with Firehose in the middle.
Thanks!
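For reference, this is the shape of the S3 IAM condition the question describes, added here as an illustration and not taken from the post: a policy statement that allows `s3:PutObject` only under a prefix derived from the calling principal's `customerId` session tag via the `${aws:PrincipalTag/customerId}` policy variable. The bucket name `EXAMPLE-BUCKET`, the tag key `customerId` and the `customer=<id>/` prefix layout are assumptions chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOnlyToOwnCustomerPrefix",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/customer=${aws:PrincipalTag/customerId}/*"
    }
  ]
}
```

Because the resource ARN is built from the principal's own tag, a caller tagged `customerId=123` is implicitly denied writes to `customer=456/...`; no separate Deny statement is needed. As the question itself points out, the condition only constrains whichever principal actually performs the PutObject, so it is the identity that writes to S3, not the identity that submits the record, whose session tag is evaluated.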