I am creating an app using vue3 and amplify. My app needs to have 2 different user types. I am able to add 1 user type using amplify auth API and that user type is able to register and log in. However, when I do amplify add auth to add a second Cognito pool, I get the result: "Auth has already been added to this project. To update run amplify update auth."
Is there a way to support this either through amplify studio or amplify cli?
No, it is not possible to add two user pools. Instead, you can use single user pool and create different groups for different user types inside that user pool.
Could you elaborate more on your user case? If you really need two user pools, there might be also advanced ways to solve your case. For example, using Cognito Federated Identities (identity pools) and adding two user pools as authentication providers.
Related
After importing an existing user pool into a new amplify application, i no longer have the option to delegate api access using user pool groups from the CLI.
Building an application using React and amplify. Used command line to create cognito user pool auth and then created groups within this user pool. This allowed me to delegate api access based on the unique user groups. Whooopeee! Then... I started building a second application with the same user pool imported. Tried to follow the same process from the command line and restrict api access using user pool groups but it seems that aws CLI doesn't even register the user pool groups and only gives me the options to restrict by guest and authentication. Does anyone have a solution to this problem? Thank you.
I am working on a Project and in there I have used AWS Cognito for basic Authentication for My Web Application; In this web Application I am providing multiple role-based Authentication (Like Super User, User, Admin, Super Admin) and for that right now I have created different Userpools for each. Is there another way to achieve the same functionality? like I can use single Userpool and still can achieve Role-based Authentication. Also, which one is the Appropriate?
You can setup different groups in the same Cognito User Pool.
In your case Super User, Admin and Super Admin. Then assign your users to the group that they belong to. In your backend code you will then need to check what group the user is in by looking up the group that the user belong to.
See this link for more details: cognito-user-pools-user-groups
We have a Cognito user pool that we'd like to migrate to a new User Pool to take advantage of some different configuration. However, our pool contains users signed up with email, Google, and Facebook.
I understand how to migrate email/password accounts, but I do not understand how social accounts should be migrated.
From this issue, I can see that there's no way to use a different auth flow, so I'm guessing there's also some limitation surrounding social accounts as well?
One method that we had thought of would be to actually manually import the social accounts. Is this the correct way to handle migrating social accounts to a new pool? Is there a different "AWS Sponsored" method? Any help would be appreciated!
Thanks!
Commenting back with a solution that ultimately would have worked, but we are now starting to pick up a different auth provider instead, so opted not to do this.
The method that we would have used is to create the user in the new Cognito pool as a Cognito Native user. Then, during social sign in, you simply need to link the social account to the Cognito Native user.
For anyone just starting out with Cognito, I would highly recommend that you set up your presignup trigger to always create a Cognito Native user for each social sign in and link the accounts together right away. This will save you an enormous headache later on when you have duplicate accounts or need to migrate.
For reference, this answer describes how to set up the presignup trigger to handle the linking.
For the last few years, I've built a PHP and MySQL based website where users can submit reprographics and IT requests. I'm hoping to make this cloud-based rather than running it from a local webserver. My initial idea was to have an EC2 instance running as a web server for each company which uses my system, but as the system is PHP session based I'm assuming the security would not be great so I think I need to move towards more of an AWS system using Cognito for user management and the API Gateway with Lambda to do the job of getting the data from the databases. My question is, my current system has an admin console where the admin user can access the lists of users, and assign them permissions (session variables) which allows them access to specific pages. How would I make a webpage where users can manage the users in a Cognito user pool without giving them access to the AWS console.
Implement a Cognito AdminAddUserToGroup operation in your Lambda function for admin users to manage what Cognito Groups your users belong to. Your admins will be the only ones that are able to invoke the API call to the Lambda function because they'll be included in the Cognito Admin Group with appropriate permissions to invoke the Lambda function that you specified as the developer.
Specify permissions of what each Congito Group has access to by assigning roles for each Cognito Group.
You can also decode the jwt on the backend to determine what Cognito Group the user belongs to that made the request and use Amplify on the FrontEnd to manage the FrontEnd's display of content based on the Group (links, etc). More info about that can be found in this thread: How do I access the group for a Cognito User account?
I do not have enough points to comment on the CLI update-user-pool suggestion, but wanted you to know that wouldn't work because 1.) It would impact the entire user pool and affect ALL users in the user pool and 2.) It would make no difference in regards to what your users were able to have permission to access in your application.
I am using AWS Cognito. I have a pretty common scenario: users can register in different roles. Depending on the role different user attributes are required, so I need to use different user pools.
Now a user wants to upgrade from role A to role B - thus I would have to move his account from one pool to another. Is this possible with AWS? The response in Can you export/migrate users out of AWS cognito, does it cause vendor lock-in? seems to indicate the opposite.
If not possible this way, what would be a viable solution to achieve requiring different user attributes depending on different user roles with AWS Cognito. (NOTE: requiring / verifying them only on the front end is not a viable solution)
I know this question is a bit dated, but it is possible that this scenario is best solved by using Groups instead of a separate user pool for each role. See here
If you reach this link to find out how to transfer users to a new pool (for instance, you needed to create a new user pool in order to change how your users log in), then there isn't a built in way to do this. However, there are solutions that you could build in order to migrate users, which is referenced here:
Create your new user pool.
Modify your client to do the following:
On failed sign in with new user pool, attempt sign in with old user pool.
If existing user pool sign in is successful, use the username and password that was submitted to the existing sign in to create a user on the new user pool.
Possibly do something to remove the user from the old user pool or mark as migrated.
You can export users and import them to a new user pool with a CSV file, but your users will have to change their password.