Using AWS Cognito for desktop authentication - amazon-web-services

After quite a battle I have written a testing desktop app that allows a user to authenticate with AWS Cognito. I can let AWS handle the authentication, password storage, etc. This solves some issues - why reinvent the wheel?
Now my question is: I have various resources in the app that I need granular permissions for. How would I use Cognito to control access to non-AWS resources in my app?

I would recommend using a custom attribute since you mentioned non-AWS services. Create an attribute named customer:role with a value of ROLE_USER, ROLE_ADMIN and so on.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes
Once they are authenticated in the app you can control their permissions by decoding the custom attribute. This tutorial is more about permissions for AWS services in a SaaS multi-tenant approach. However, I found it extremely useful to learn from.
https://aws-quickstart.s3.amazonaws.com/saas-identity-cognito/doc/saas-identity-and-isolation-with-cognito-on-the-aws-cloud.pdf

Related

Can I use AWS Cognito + IAM tools to control data access of users inside a Laravel application?

There is a web application (Angular front-end, Laravel Backend, Postgress DB).
Current approach:
The Laravel auth package is being used for user management, but the scale is expanding and permissions need to be managed at their most granular level, where every user may have multiple roles in different organizations (one of the entities of the system) and so should have different access levels to the data of each organization (very similar to how GitHub is managing users and go).
Challenge:
Implementing a custom user management piece is time-consuming and costly. Also, it will end up with too much complexity.
Looking forward to:
Using AWS authentication and access management tools, so that they cover everything about users, roles, and permissions, and integrating that with my application.
What I found so far:
It seems that these tools are mostly for managing access to AWS resources rather than managing access inside an external application (as far as I have gone). So the main question that remains here is: can't these services even simplify the process? If they can, how far and how?
Note: The most closely related answer I could reach so far is Can I have dynamic User specific permissions using AWS IAM / Cognito?

Browser authentication for AWS SDK for JavaScript using IAM credentials

I have a simple shell script which issues several commands using awscli and displays information to the screen. It depends on having correct settings in ~/.aws/config and ~/.aws/credentials. I want to distribute it to about 10 users who have IAM accounts with limited privileges. However I don't want to use the shell - I want something cross-platform, easy to use for the users and easy for me to update. So I decided that I want to create a simple web application in JS instead, using the AWS SDK.
It seems that this use case is specifically supported by AWS, the first bullet point under "Common Use Cases" in What Is the AWS SDK for JavaScript? is "Build a custom console to AWS services in which you access and combine features across Regions and services to best meet your organizational or project needs" which exactly describes what I want to do.
The problem is that I can't find the relevant documentation on how to perform the user authentication. All the examples that I was able to find talk about some "Amazon Cognito" service and discuss much more complicated use cases, such as authenticating pools of external users through an external authentication provider and mapping them to IAM roles, which sounds too complicated for what I want to do. Is there a way to just authenticate the users that I have with their IAM user/password, and authorize them to access the AWS services based on their existing IAM permissions? Or is using Cognito, creating additional roles, etc. mandatory?
While writing this question I found out another question about AWS Amplify and now I'm even more confused. Is AWS Amplify what I would want to use?
You can write a web app using the AWS SDK for JavaScript that invokes various AWS Services. You do NOT need to use AWS Amplify to create a web app.
A Web application that uses the AWS SDK for JavaScript uses creds like any other AWS app. Here is an AWS tutorial that shows how to use the AWS SDK for JavaScript to write a basic web app that invokes the AWS SQS service. It will hopefully point you in the right direction.
Creating an example messaging application
This topic covers Prerequisites and other information, such as creating the required AWS resources, you need to know to write a web app using the AWS SDK for JavaScript.
Also - the link you referenced was the JavaScript V2 Developer Guide. It's better to use the AWS JavaScript V3 Developer Guide.

AWS SSO for end user customer application

I'm doing some analysis for a customer regarding multiple end-user applications they run. Right now, both have separate user databases and they now want to provide an SSO experience.
They threw out a bunch of SSO providers, specifically the new AWS SSO service. From reading about AWS SSO, my question is: AWS SSO seems more applicable for managing internal users for a company (i.e. using the same credentials for JIRA, SharePoint, and their company portal) and not really applicable for handling hundreds of thousands of end-user customer accounts.
Is my understanding of the purpose of AWS SSO correct? Like, I'm sure AWS SSO could work with end-user clients, but is that the applicable use case here? Is there a better SSO provider in this case to deal with SSO for end users?
Definitely, it is not a good choice for end-users.
This is the entry splash at the AWS Console:
Before you can start managing SSO access to your AWS accounts, you must go to the AWS Organizations console and create an organization with All features enabled. For more information, see AWS SSO Prerequisites
Look at this phrase from the AWS Console splash:
AWS Organizations console and create an organization
That phrase explains what it was created for. So you're right:
AWS SSO seems more applicable for managing internal users for a company (ie using the same credentials for JIRA, sharepoint, and their company portal) and not really applicable for handling hundreds of thousands of end-user customer accounts.
I recommend using AWS Cognito for single sign-on.
Using Cognito you will have a few challenges:
The problem would be passing the token (with an expiry value) from site A to B securely. There is no built-in SSO facility provided by Cognito. You would have to manage the encryption, storage & transfer of tokens yourself. Reference: How to use AWS Cognito as Single-sign-on?
Take a look at this post:
Use Amazon QuickSight Federated Single Sign-On with Amazon Cognito User Pools
Hope this gives you a little more information to accomplish your scenario.

AWS IAM vs custom access control

I'm considering AWS IAM vs the usual ACL libraries (django-guardian, passport.js, ...) to manage permissions and monitor the costs per user on my current project.
I wonder if IAM can be used to manage authorization of the application users or if it is only aimed at the developer team?
Are there some examples of people using it this way on a regular basis?
Is it a good practice?
Will there be some caveats or hard limitations? (if you've experienced it)
I already found this two-year-old answer: Should you use AWS IAM roles and permission for application users? but it lacked feedback from experience on this question.
You can use AWS Cognito UserPools with Users and Groups feature to handle both authentication and authorization of your web application.
For more information refer to the Amazon Cognito Groups and Fine-Grained Role-Based Access Control blog post by AWS.
IAM is mainly built to provide authentication and authorization for AWS services, not for web applications. Because of this, it will become challenging to use IAM for web application authentication and authorization.
I recommend AWS Cognito instead.
IAM is suited better for developers and applications/services.

Can I use Amazon IAM as login credentials for my app's users

Is it possible to use the IAM API as a user registration service for my application?
I.e. if I let the user create an account and password, can they then log in with IAM and use my application?
Or is it more for developers who are tinkering around with the actual AWS platform?
Thanks,
Ben
That's not what AWS Identity and Access Management is made for. I guess you don't want your users to have access to your infrastructure … If you want user registration you should implement it inside your application.