I am trying to make an API using AWS api-gateway and lambda.
Requirements
I am trying to build a dashboard, The dashboard will be for multiple organisations and each organisation will have multiple users who can login and see the respective dashboard.
Example we have a dashboard for Intel and its accessible by User1, user2, user3
A user must be able to login and access the dashboard for his specific Organization and also do CRUD on his data as well
I found out that aws cognito with its user pool can be used for the auth process. After that I intend to use api-gateway with lambda function to query a sql database and populate the frontend. The place where I am stuck at is how do I link the user from cognito to corresponding data in database.
In simple applications we would have a user-table and its a simple query but I would appreciate if someone can suggest a good way to go about implementing this
Related
I want to create a simple notetaking web app with AWS. It should allow individual users to sign up and sign in to CRUD notes. Amazon Cognito almost worked. However, after signing in, all users can have access to all notes, instead of the notes created by the specific user. Can anyone provide some directions on how this should be done on AWS?
For the last few years, I've built a PHP and MySQL based website where users can submit reprographics and IT requests. I'm hoping to make this cloud-based rather than running it from a local webserver. My initial idea was to have an EC2 instance running as a web server for each company which uses my system, but as the system is PHP session based I'm assuming the security would not be great so I think I need to move towards more of an AWS system using Cognito for user management and the API Gateway with Lambda to do the job of getting the data from the databases. My question is, my current system has an admin console where the admin user can access the lists of users, and assign them permissions (session variables) which allows them access to specific pages. How would I make a webpage where users can manage the users in a Cognito user pool without giving them access to the AWS console.
Implement a Cognito AdminAddUserToGroup operation in your Lambda function for admin users to manage what Cognito Groups your users belong to. Your admins will be the only ones that are able to invoke the API call to the Lambda function because they'll be included in the Cognito Admin Group with appropriate permissions to invoke the Lambda function that you specified as the developer.
Specify permissions of what each Congito Group has access to by assigning roles for each Cognito Group.
You can also decode the jwt on the backend to determine what Cognito Group the user belongs to that made the request and use Amplify on the FrontEnd to manage the FrontEnd's display of content based on the Group (links, etc). More info about that can be found in this thread: How do I access the group for a Cognito User account?
I do not have enough points to comment on the CLI update-user-pool suggestion, but wanted you to know that wouldn't work because 1.) It would impact the entire user pool and affect ALL users in the user pool and 2.) It would make no difference in regards to what your users were able to have permission to access in your application.
Me and my team are implementing a product based on microservices architecture(every microservice has it's own data storage). We already have a couple of services deployed on AWS and we need to add an ability to save user preferences like:
Saved filters to query data
UI widget settings
Columns order
etc
I think that we have the following options to implement saving user-preferences in my case:
Extend user profile(it is used to store companies and users, roles) service and add new items there
Create new microservice for keeping only user preferences
Use some of AWS services for that(I am still checking what is the best)
What we use for security:
AWS Cognito
SAML IDP
JWT tokens
We also have user-profile microservice(I mentioned earlier). It contains data received from other products like admin service.
What do you think? What is the best option for my case?
You can use custom attributes (as suggested by #jarmod) if you only use Cognito userpools. But if you use other providers like Microsoft ADFS, Google, Facebook etc., you could look into Cognito Sync. Although Cognito Userpools now support some external providers, it may not be suited for your use case. So, you could integrate various Auth providers (including Userpool) in an Identity pool and use Cognito sync datasets to store preferences. In fact, that is the whole point of Sync, to provide cross device access to small datasets like user-preferences. This way if a user logs in with Userpool & later with Facebook, you could give an option to link both accounts in your application & merge the user preferences. It all depends on your use-case.
I am new to AWS platform. I am trying to build a backend for a mobile app using AWS lambda, API gateway and DynamoDB using Facebook Authentication of AWS Cognito for my app.
A user are able to logged in to app and data should saved in a table with UserID (which I get from Cognito), data1, data2, data3. This only belongs to this. Let's say those are user's activities.
Again when he login to app next time, he should be able to see all his entered data.
I was looking for the example of it, I found this link which is about fine grained access control where the table is Partitioned with a particular user and permission.
https://aws.amazon.com/blogs/mobile/dynamodb-on-mobile-part-5-fine-grained-access-control/
That doesn't sound right. In a regular RDBMS centered app, the application connects to the database using a specific user in a connection string. User specific data is returned to the user using a query that is constructed on the fly with "username = user_id".
Is this above link talking about something different?
I am confused.
Thanks for your time!!
I believe the article you linked is discussing allowing an app to access DynamoDB directly, by calling the AWS API directly instead of going through a backend application layer. It is using variables in the IAM policy to only allow a user to execute queries against the table that contain their ID as the primary key.
In your case the AWS Lambda function is your backend application layer. You could simply assign an IAM role to the Lambda function that allows it to query all records in the DynamoDB table, and build queries in the Lambda function using the UserID as the query key.
I'm trying to query DynamoDB from my web application.
I successfully did that after using IAM and creating 3rd party Roles and make users log in my web app through Facebook or Google, my app obtained a token and created the AWS credentials.
Now, I want any user of my website, to be able to query one of my dynamoDB tables, which should be a public table, I tried doing that with Roles -mocking the previous way- but I always get an error"Missing credentials in config"?
How to avoid that? Is there a way to create AWS Credentials without a token from 3rd party and attach them to the IAM Role, or Did I have to create an IAM user instead with secret key, or is there any other better way to do that?
It sounds like Amazon Cognito is what you need here. If you are looking for an example web application, a recent blog post was published on a sample application using Amazon Cognito to authenticate users to access a DynamoDB table. http://www.infoq.com/articles/mars-rover-application-DynamoDB
Specifically, you may find the section "Application authenticates user via Amazon Cognito" useful.
Hopefully that helps! Good luck!