I am creating a web app with AWS Cognito to do the authentication and authorization.
Most of the examples I see in the web talks about Identity pools are to give federated access.
In my web app I don't need federated access. But I need to give users different permissions with different IAM roles. As an example users from user pool A and group Admins should have a role which give all the access to the DynamoDB table.
My question is, if I don't need federated identities, do I need identity pools to achieve my requirement?
Identity pool is primarily used to grant users access to AWS resources. It can grant access to users that authenticate using user pool or any of the federated access providers. It can even be used to grant unauntenticated users access. So yes, you will need identity pool to attach a role to. In the identity pool settings select your cognito user pool as access provider.
Related
I don't get the difference between the User Pools > Identity providers and
Federated Identities > Authentication providers.
Can someone explain?
Identity pools (Federated identities) allow you to grant users authenticated by third parties (e.g. login with Google) temporary IAM credentials to use you AWS resources in a limited way. Identity pools are free of cost and you only pay for the resources your users use via the IAM credentials.
User pools allow you to store your own users, they can sign up directly to the user pool and not have to use a third party provider like Google or Facebook. Confusingly user pools also have a 'federation' option (Identity providers) but this will actually create externally federated users in the pool. User pools provide OpenID tokens (access, id, refresh), not IAM credentials, which you can use with your own endpoints (ec2, fargate, api-gateway). User pools have costs associated with them based on the active users per month.
Question
Clarify how a user in AWS can assume an IAM role. It is confusing to me because it appears user/identity in AWS can be different depending on a context such as, IAM User, Cognito User Pool user, Cognito Federated User.
Background
Trying to understand the relations among users and identities in AWS and how each user can assume an IAM role.
Also in AWS, user/unauthenticated and identity (authenticated user) seem to be different concepts and both can assume an IAM role, hence it looks authenticated is not a pre-requisite to assume an IAM role, which is also confusing to me.
IAM User/Identity (identity = user authenticated e.g. via AWS CLI with AWS ID/Secret)
Cognito User Pool User/Identity (authenticated)
Cognito Federated Identity Pool User/Identity (authenticated)
Are there any other user types?
IAM User (authenticated)
I believe this is an identity of a user identified by logging into the AWS console, or via CLI/SDK with an AWS access key ID/secret. This user can assume an IAM role by Switching to a Role (AWS Management Console) or programatically assume-role with CLI/SDK. Is this correct?
Cognito User Pool User
I believe this user exists within Cognito only in an AWS account and has nothing to do with an IAM User. Currently there is no way to map an IAM user to a Cognito user (neither user pool nor federated identity pool) as in Add AWS IAM users to AWS Cognito Pool.
It looks there are few ways to assign an IAM role to a Cognito User Pool user or identity (authenticated user).
One way is to assign an IAM role to a Cognito User Pool Group in which users are added to. An authenticated user in the User Pool Group can assume the IAM role automatically.
Another way is to use a Cognito Federated Identity Pool by federating with a Cognito User Pool and assign an IAM role to the federated identity pool. In this case, an Cognito User Pool user/identity (authenticated) is equivalent with an Cognito Federated Identity Pool user/identity (authenticated).
I suppose a user will be authenticated with a Cognito User Pool workflow via the Cognito Federated Identity Pool. Then the user can assume both the IAM role mapped to the Cognito User Pool Group AND the IAM role mapped to the Cognito Federated Identity (authenticated).
Are these correct, or will the user only be able to assume only one of the IAM roles? What if there are multiple accounts in an AWS organisation. Should each account create its Cognito User Pool to manage the same set of users, or have one Cognito User Pool in an account and share the Cognito User Pool among accounts via a Cognito Fedatated Identities pointing to the User Pool?
Cognito Federated Identity Pool User
If the federation is not with Cognito, such as with Facebook, then an Cognito Federated Identity Pool user/identity has nothing to do with the Cognito User Pool user/identity and the user is that of Facebook. The user can assume an IAM role mapped to the Cognito Federated Identity Pool, even when it is unauthenticated. Is this correct?
Help
I have been looking into AWS Re:Invent videos, AWS documentations but it is a struggle to clearly understand Cognito terms and meanings. If there is a clear, simple, intuitive explanations, kindly provide the references.
I know that user pools allow to authenticate users to my apps, but what about federated identities? As far as I understand, they allow only to grant access to the AWS resources, not to the app. Or am I not right?
Yes, Federated Identities only provide you short term AWS Credentials to access AWS resources. If access to your app is based on AWS resources then you can use Federated Identities otherwise User Pools is a better fit.
I have an embedded device that requires the ability to write to S3. I want to avoid giving the embedded device an actual AWS IAMUser. I am looking at using Cognito to gain write access to S3.
I have a user pool with a group and one user (for now). The group has an attached policy which permits access to write to a certain S3 bucket. The pool is setup so that only admins can create new users. I have managed to authenticate the cognito user and have got access to refresh tokens and the idTokens. I am looking to use these tokens to write to my s3 bucket.
I am trying to follow trying to follow the documentation but am getting confused. I think i need a federated identity pool but i have no requirement for a public provider. I just want my cognito user group to write to s3.
Is there a simple solution to allow a cognito user to write to S3 without federated identities or if not do i require a back end to serve a token for a federated identity?
I have been using warrant https://github.com/capless/warrant to authenticate as so:
from warrant.aws_srp import AWSSRP
import boto3
client = boto3.client('cognito-idp')
aws = AWSSRP(username='<username>', password='<password>', pool_id='<pool>',
client_id='<clientid>', client=client)
tokens = aws.authenticate_user()
Any tips would be greatly appreciated!
You do need a federated identity pool. In the identity provider section you choose Cognito and enter your pool ID and pool client ID. Then, you need to provide the identity pool with authenticated and unauthenticated roles. You can use these roles to provide that S3 write access.
This is the default behavior for the identity provider setup. If you want the Role to come from the group that your user is in, you will need to set the Choose role from token option in the identity provider section under where you provided your pool and client id.
We're using Auth0 to give (federated) users access to Auth0 (we've followed these instructions for setup: https://auth0.com/docs/integrations/aws#sso-with-the-aws-dashboard)
In Auth0 we've setup a simple rule system where the federated user's group membership maps to one of two different IAM roles, which gives the user either full access or read-only access (or no access at all) in the aws console.
However, I'm struggling to see how I can provide federated users with the means to get an access key id/secret linked to their account. Our wishlist is:
The access key id/secret is unique per federated user, and as such is void if the federated user is deleted from the identity provider.
I could manually provision a IAM role per federated user and link each user to his/her "personal" IAM role, but I'd obviously prefer not to.
All in all I guess I'd like there to be a "linked" IAM user representing each federated account.
So I guess my question is: How do allow my federated users access to personal access key id's in aws?
Federated users require temporary access keys which you can grant with aws sts assume-role.