I am making my first microservice application and the only thing that is not clear to me is user management. I want to have a login page on my web application where users can login. Based on the role that you got you can go to a user management page and see the list of all the users with their according role. An admin should be able to update or delete users.
What I can't seem to figure out is how I would access this user list to perform CRUD operations from the web application on the users persistend in Cognito?
Can someone give me a link or explain to me how this would happen, or how I can make it possible?
Related
I want to create a simple notetaking web app with AWS. It should allow individual users to sign up and sign in to CRUD notes. Amazon Cognito almost worked. However, after signing in, all users can have access to all notes, instead of the notes created by the specific user. Can anyone provide some directions on how this should be done on AWS?
I am trying to make an API using AWS api-gateway and lambda.
Requirements
I am trying to build a dashboard, The dashboard will be for multiple organisations and each organisation will have multiple users who can login and see the respective dashboard.
Example we have a dashboard for Intel and its accessible by User1, user2, user3
A user must be able to login and access the dashboard for his specific Organization and also do CRUD on his data as well
I found out that aws cognito with its user pool can be used for the auth process. After that I intend to use api-gateway with lambda function to query a sql database and populate the frontend. The place where I am stuck at is how do I link the user from cognito to corresponding data in database.
In simple applications we would have a user-table and its a simple query but I would appreciate if someone can suggest a good way to go about implementing this
We have multiple Facebook applications and each has multiple roles (administrators, developers, testers and analytics users).
We want to export all the emails of the users with any of the above roles, but we can't find a way to do it with the developer graph API.
Can we do it with only administrator access to the applications or do we must use the Business Manager API?
You can get all users that have a role in the app via the /{app-id}/roles endpoint.
https://developers.facebook.com/docs/graph-api/reference/v6.0/app/roles
That will only give you their app-scoped user ids though.
Requesting their e-mail would have to happen separately, after you got the IDs - and will likely require that the user granted your app the email permission beforehand.
For the last few years, I've built a PHP and MySQL based website where users can submit reprographics and IT requests. I'm hoping to make this cloud-based rather than running it from a local webserver. My initial idea was to have an EC2 instance running as a web server for each company which uses my system, but as the system is PHP session based I'm assuming the security would not be great so I think I need to move towards more of an AWS system using Cognito for user management and the API Gateway with Lambda to do the job of getting the data from the databases. My question is, my current system has an admin console where the admin user can access the lists of users, and assign them permissions (session variables) which allows them access to specific pages. How would I make a webpage where users can manage the users in a Cognito user pool without giving them access to the AWS console.
Implement a Cognito AdminAddUserToGroup operation in your Lambda function for admin users to manage what Cognito Groups your users belong to. Your admins will be the only ones that are able to invoke the API call to the Lambda function because they'll be included in the Cognito Admin Group with appropriate permissions to invoke the Lambda function that you specified as the developer.
Specify permissions of what each Congito Group has access to by assigning roles for each Cognito Group.
You can also decode the jwt on the backend to determine what Cognito Group the user belongs to that made the request and use Amplify on the FrontEnd to manage the FrontEnd's display of content based on the Group (links, etc). More info about that can be found in this thread: How do I access the group for a Cognito User account?
I do not have enough points to comment on the CLI update-user-pool suggestion, but wanted you to know that wouldn't work because 1.) It would impact the entire user pool and affect ALL users in the user pool and 2.) It would make no difference in regards to what your users were able to have permission to access in your application.
I volunteer at a small local school that teaches data science and I'm trying to understand the procedure behind federated logins, but the Amazon documentation isn't helping and their forums don't seem interested.
We'd like for the students to be able to sign in to our AWS environment using either Facebook, Google, or Amazon.com, instead of manually trying to create a user for everyone who signs up.
The main thing that's unclear is how the students should sign in. Do we need to create a custom webpage using the provided javascript or .net code? We would have to contact our web developer if so. Or do we use the provided domain name? (in this case, https://weclouddata.auth.us-east-1.amazoncognito.com) This comes from the Cognito user pools though, and doesn't seem like it would apply. Besides, when I use it in conjunction with the Google client ID, I get an "invalid request" error.
You can create a custom app "Identity Broker" to create a URL that lets users sign in with Facebook/Google credentials and securely access the AWS Management Console. The broker would perform the following steps:
Verify that the user is authenticated by identity system(Facebook or Google) or use AWS Congnito.
Call the AWS Security Token Service (AWS STS) API operations to obtain temporary security credentials for the user.
Construct a URL for the console that includes the token and redirects the user to the URL on the user's behalf.
Amazon Cognito lets you to easily create customizable UI to sign in users and provides built-in federation with Facebook, Google, Login with Amazon. So you don't have worry about authentication and concentrate building your actual logic(above steps)
Here is a sample app from AWS that shows how to implement a single sign-on solution with C# and windows AD.
Python Code:
Here is the python code on how to construct the console login URL. I have used the sample python code from AWS and 'Hello world' flask app. When you hit the URL it should redirect to the console login, you can set permission using IAM role.
You can provide any login mechanism (Facebook, Google, Amazon etc) to create student account first time.
Ask user to create account using any app login (Facebook, Google, Amazon etc)
On successful login, create user in AWS using https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html API.
Add newly created user in the group https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html
You can create the user group with some specified roles and give permission (Launch EC2 Instances, Access to DynamoDB etc) accordingly.