IAM Condition via Principal Tag not working


I have an app built in AWS Amplify that uses a cognito user pool for my user base.

In the associated identity pool, I have gone to the Attributes for access control subtab and am using the default mappings. I was having trouble with custom attributes from the user pool so I thought I would get it working with default mappings first.

username – sub
client – aud

I am now trying to set a condition using these attributes, condition below:

    "Condition": {
        "StringLike": {
            "aws:PrincipalTag/username": "users_sub_value"
        }
    }
I get the below error message when trying to run my operation: Error AccessDeniedException: User: <<ASSUMED_ROLE>> is not authorized to perform: dynamodb:PutItem on resource: <<DYNAMO_TABLE>> because no identity-based policy allows the dynamodb:PutItem action

I have tried using the below, just in case, but that throws the same issue:

    "Condition": {
        "StringLike": {
            "aws:PrincipalTag/username": "*"
        }
    }
I have done a Null check as well, but same issue.

Can anyone shed any light on why this may be happening, or what I may have missed? Is there any way for me to debug what is actually present in the PrincipalTag as well? Currently I am stumped, because I have no way of figuring out why the condition is failing in the first place when I do not know what is present in "aws:PrincipalTag/username".
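The following is an added worked example, not code from the question or from AWS. It is an offline model of the two places an `aws:PrincipalTag` condition on a Cognito identity-pool role can fail: the request context (the session simply carries no `username` tag, so even `StringLike "*"` evaluates false and the outcome is the implicit deny "no identity-based policy allows ...") and the role's trust policy (the identity pool can only attach attributes-for-access-control as session tags if the trust policy lets the `cognito-identity.amazonaws.com` principal call `sts:TagSession` alongside `sts:AssumeRoleWithWebIdentity`). The table ARN, identity pool ID, tag value and policy documents are constructed samples; the condition evaluator models only `StringEquals`, `StringLike` and `Null`.

```python
"""Offline model of IAM condition evaluation for a Cognito identity-pool role.

Constructed example: the ARNs, IDs and policies below are assumptions, not real
resources, and the evaluator covers only the operators used here.
"""
import re

# Constructed sample identifiers (assumptions, not real resources).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"

# Identity-based policy shaped like the one in the question: PutItem is allowed
# only when the session carries a principal tag named "username".
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "dynamodb:PutItem",
        "Resource": TABLE_ARN,
        "Condition": {"StringLike": {"aws:PrincipalTag/username": "*"}},
    }],
}

def _trust_policy(actions):
    """Build a Cognito identity-pool trust policy granting the given STS actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO_PRINCIPAL},
            "Action": actions,
            "Condition": {
                "StringEquals": {f"{COGNITO_PRINCIPAL}:aud": IDENTITY_POOL_ID},
                "ForAnyValue:StringLike": {f"{COGNITO_PRINCIPAL}:amr": "authenticated"},
            },
        }],
    }

# Without sts:TagSession the identity pool cannot attach session tags at all.
TRUST_WITHOUT_TAGSESSION = _trust_policy(["sts:AssumeRoleWithWebIdentity"])
# With it, the mapped attributes (e.g. sub -> username) arrive as aws:PrincipalTag/*.
TRUST_WITH_TAGSESSION = _trust_policy(["sts:AssumeRoleWithWebIdentity", "sts:TagSession"])

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_glob(pattern, value):
    """IAM string matching: '*' matches any run, '?' one character, rest literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def evaluate_condition(condition, context):
    """Evaluate a Condition block against a request context (dict key -> string).

    IAM rule reproduced here: when a condition key is absent from the request,
    every operator evaluates to false except Null (the ...IfExists forms are not
    modelled). That is why StringLike "*" still fails on an untagged session.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = _as_list(expected)
            present = key in context
            if operator == "Null":
                # Null "true" requires the key to be absent; "false" requires it to exist.
                if present == (wanted[0].lower() == "true"):
                    return False
                continue
            if not present:
                return False
            if operator == "StringEquals":
                if context[key] not in wanted:
                    return False
            elif operator == "StringLike":
                if not any(_iam_glob(p, context[key]) for p in wanted):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True

def is_allowed(policy, action, resource, context):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_iam_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not evaluate_condition(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def trust_policy_allows_tag_session(trust_policy):
    """True if the Cognito federated principal may call sts:TagSession."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != COGNITO_PRINCIPAL:
            continue
        if any(_iam_glob(a, "sts:TagSession") for a in _as_list(stmt["Action"])):
            return True
    return False

if __name__ == "__main__":
    tagged = {"aws:PrincipalTag/username": "e1b2c3d4-0000-1111-2222-333344445555"}  # constructed sub
    for label, ctx in (("tag present", tagged), ("tag absent", {})):
        print(f"{label}: PutItem allowed = {is_allowed(IDENTITY_POLICY, 'dynamodb:PutItem', TABLE_ARN, ctx)}")
    for label, tp in (("no TagSession", TRUST_WITHOUT_TAGSESSION), ("with TagSession", TRUST_WITH_TAGSESSION)):
        print(f"{label}: pool may attach tags = {trust_policy_allows_tag_session(tp)}")
```

Two checks follow from the model. First, inspect the role's trust policy for `sts:TagSession` on the Cognito federated principal; without it the mapped attributes never become session tags, and no condition on `aws:PrincipalTag/username` can match. Second, to test the identity policy against a chosen tag value without going through the app, `aws iam simulate-principal-policy` accepts `--context-entries` for `aws:PrincipalTag/username`, which shows whether the policy itself would allow `dynamodb:PutItem` once the tag is present.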

