Expose IdentityId in cognito_credentials to upload to S3 user folder

README.md

@@ -403,7 +403,7 @@ print(credentials.sessionToken);
 
 #### For S3 Uploads
 
-S3 Uploads using HTTP Presigned Post.
+S3 Upload to user "folder" using HTTP Presigned Post.
 
 ```dart
 import 'dart:convert';
@@ -466,6 +466,7 @@ class Policy {
 
   @override
   String toString() {
+    // Safe to remove the "acl" line if your bucket has no ACL permissions
     return '''
     { "expiration": "${this.expiration}",
       "conditions": [
@@ -517,8 +518,12 @@ void main() async {
   final multipartFile = http.MultipartFile('file', stream, length,
       filename: path.basename(file.path));
 
+  final String fileName = 'square-cinnamon.jpg';
+  final String usrIdentityId = _credentials.userIdentityId;
+  final String bucketKey = 'test/$usrIdentityId/$fileName';
+
   final policy = Policy.fromS3PresignedPost(
-      'test/square-cinnamon.jpg',
+      bucketKey,
       'my-s3-bucket',
       15,
       _credentials.accessKeyId,
@@ -531,7 +536,7 @@ void main() async {
 
   req.files.add(multipartFile);
   req.fields['key'] = policy.key;
-  req.fields['acl'] = 'public-read';
+  req.fields['acl'] = 'public-read'; // Safe to remove this if your bucket has no ACL permissions
   req.fields['X-Amz-Credential'] = policy.credential;
   req.fields['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256';
   req.fields['X-Amz-Date'] = policy.datetime;
@@ -550,6 +555,19 @@ void main() async {
 }
 ```
 
+The role attached to the identity pool (e.g. the ..._poolAuth role) should contain a policy like this:
+
+```json
+{
+    "Effect": "Allow",
+    "Action": [
+        "s3:PutObject",
+        "s3:GetObject"
+    ],
+    "Resource": "arn:aws:s3:::BUCKET_NAME/test/${cognito-identity.amazonaws.com:sub}/*"
+}
+```
+
 #### For S3 GET Object
 
 Signing S3 GET Object using `Authorization` header.
@@ -866,4 +884,3 @@ CognitoCredentials _credential = new CognitoCredentials('ap-southeast-1_xxxxxxxx
 await _credential.getAwsCredentials(accessToken, 'graph.facebook.com')
 print(_credential.sessionToken);
 ```
-

lib/src/cognito_credentials.dart

@@ -16,6 +16,8 @@ class CognitoCredentials {
   String secretAccessKey;
   String sessionToken;
   int expireTime;
+  String userIdentityId;
+
   CognitoCredentials(String identityPoolId, CognitoUserPool pool,
       {String region, String userPoolId}) {
     _pool = pool;
@@ -30,14 +32,14 @@ class CognitoCredentials {
     if (expireTime == null ||
         DateTime.now().millisecondsSinceEpoch > expireTime - 60000) {
       final identityId = CognitoIdentityId(_identityPoolId, _pool);
-      final identityIdId = await identityId.getIdentityId(token, authenticator);
+      userIdentityId = await identityId.getIdentityId(token, authenticator);
 
       authenticator ??= 'cognito-idp.$_region.amazonaws.com/$_userPoolId';
       final Map<String, String> loginParam = {
         authenticator: token,
       };
       final Map<String, dynamic> paramsReq = {
-        'IdentityId': identityIdId,
+        'IdentityId': userIdentityId,
         'Logins': loginParam,
       };