I don't get the difference between the User Pools > Identity providers and
Federated Identities > Authentication providers.
Can someone explain?
Identity pools (Federated identities) allow you to grant users authenticated by third parties (e.g. login with Google) temporary IAM credentials to use your AWS resources in a limited way. Identity pools are free of cost and you only pay for the resources your users use via the IAM credentials.
User pools allow you to store your own users; they can sign up directly to the user pool and not have to use a third party provider like Google or Facebook. Confusingly, user pools also have a 'federation' option (Identity providers), but this will actually create externally federated users in the pool. User pools provide OpenID tokens (access, id, refresh), not IAM credentials, which you can use with your own endpoints (ec2, fargate, api-gateway). User pools have costs associated with them based on the active users per month.
Related
Is using an IdentityPool mandatory with AWS Cognito?
My use case:
My web app has users who can self-signup and will be added to the Cognito UserPool I have set up. I only want to provide access to my backend resources to authenticated users (i.e., users belonging to an authenticatedRole IAM role). My requirement is simple enough that a single authenticated role suffices to handle my application's resource authorization requirements and I just want to deny access to all backend resources for non-authenticated users.
Is this possible with just the UserPool and if yes, how do I go about accomplishing this?
Note: I am using CDK to define my Infrastructure as code.
Using an identity pool is by no means mandatory with Cognito. It is completely on a use case basis. A few things to clarify here.
Userpool - For authentication
Identity Pool - For authorization.
Basically, if you want your end users to sign-up, sign-in, and then access AWS resources or make AWS API calls, then you would have to use an Identity pool. So let’s say you have a gaming application where the end user can sign in via FB, Google, or natively (username and password). This is authentication, and here we would be using a Cognito user pool. Now the user is logged in and playing the game. They make a high score. This high score may need to be added to S3 or a DynamoDB table record for the user. For this, an identity pool is used. An identity pool will help you with vending temporary AWS credentials that the end user can use.
I believe in your use case the userpool should be sufficient. You can grant access to your resources by verifying the access token returned by Cognito for the end user.
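As an added example (not part of the answer above), here is what "verifying the access token returned by Cognito" looks like on a backend, in Python with only the standard library: the signature is checked first, then the exp, iss, token_use and client_id claims, and optionally membership of a cognito:groups group. The region, pool id, app client id and every token value are constructed. Cognito signs tokens with RS256 using public keys published at the pool's JWKS URL; so that this file runs offline, the signature callable is an HMAC stand-in, and that callable is the one piece to replace with a real RS256 check against the JWKS key whose kid matches the token header.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed identifiers for this example; they are not real AWS resources.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"
APP_CLIENT_ID = "1example23456789abcdefghijk"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
JWKS_URL = f"{ISSUER}/.well-known/jwks.json"  # where the real RS256 public keys live

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_jwt(token: str):
    """Split a compact JWT into (header, claims, signing_input, signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWT")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])

def verify_cognito_access_token(token: str,
                                verify_signature: Callable[[dict, bytes, bytes], bool],
                                required_group: Optional[str] = None,
                                now: Optional[int] = None) -> dict:
    """Validate a Cognito access token for this pool and app client.

    verify_signature(header, signing_input, signature) must check the RS256
    signature against the JWKS key whose 'kid' matches header['kid'].
    Returns the claims on success and raises ValueError on any failure.
    """
    header, claims, signing_input, signature = split_jwt(token)
    # 1. Signature first: no claim is trusted until it passes.
    if not verify_signature(header, signing_input, signature):
        raise ValueError("bad signature")
    # 2. Expiry ('exp' is seconds since the epoch).
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    # 3. Issuer must be exactly this user pool.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # 4. Access tokens carry token_use=access and client_id (ID tokens carry
    #    token_use=id and aud instead), so a swapped token type is rejected.
    if claims.get("token_use") != "access":
        raise ValueError("not an access token")
    if claims.get("client_id") != APP_CLIENT_ID:
        raise ValueError("token issued to a different app client")
    # 5. Optional authorization on the group membership the token reports.
    if required_group is not None and required_group not in claims.get("cognito:groups", []):
        raise ValueError(f"user is not in group {required_group}")
    return claims

# --- Offline stand-in for the JWKS/RS256 check (constructed; not how Cognito signs) ---
# The demo key is an HMAC secret so the file runs without network access; the
# verification order and the claim checks above are what carries over to production.
_DEMO_KEY = {"kid": "demo-key-1", "secret": b"constructed-demo-secret"}

def demo_verify_signature(header: dict, signing_input: bytes, signature: bytes) -> bool:
    if header.get("kid") != _DEMO_KEY["kid"]:
        return False  # unknown key id: "no matching JWKS key" in production
    expected = hmac.new(_DEMO_KEY["secret"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def mint_demo_token(claims: dict, kid: str = "demo-key-1") -> str:
    """Build a token shaped like a Cognito access token (constructed test data)."""
    header = {"kid": kid, "alg": "HS256"}  # real Cognito tokens say RS256
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode())).encode()
    sig = hmac.new(_DEMO_KEY["secret"], signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode()}.{b64url_encode(sig)}"

def tamper(token: str, **overrides) -> str:
    """Edit claims without re-signing, to show the signature check catches it."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(overrides)
    return f"{h}.{b64url_encode(json.dumps(claims).encode())}.{s}"

def sample_claims(**overrides) -> dict:
    """Claims modelled on a Cognito access token (constructed values)."""
    claims = {"sub": "11111111-2222-3333-4444-555555555555", "iss": ISSUER,
              "token_use": "access", "client_id": APP_CLIENT_ID, "username": "alice",
              "scope": "aws.cognito.signin.user.admin", "cognito:groups": ["Employees"],
              "iat": 1_700_000_000, "exp": 1_700_003_600}
    claims.update(overrides)
    return claims

def check(token: str, required_group: Optional[str] = None, now: int = 1_700_000_100) -> str:
    """Return 'ok' or the rejection reason."""
    try:
        verify_cognito_access_token(token, demo_verify_signature, required_group, now)
        return "ok"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    good = mint_demo_token(sample_claims())
    print(check(good))                                              # ok
    print(check(good, required_group="Managers"))                   # user is not in group Managers
    print(check(tamper(good, **{"cognito:groups": ["Managers"]})))  # bad signature
    print(check(mint_demo_token(sample_claims(token_use="id"))))    # not an access token
    print(check(good, now=1_700_003_600))                           # token expired
```

The order matters: the signature check runs before any claim is read, so an edited cognito:groups claim is rejected as a bad signature rather than reaching the group check. The issuer and client_id checks are what stop a valid token from a different pool or a different app client of the same pool being accepted.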
I am creating a web app with AWS Cognito to do the authentication and authorization.
Most of the examples I see on the web talk about Identity pools being used to give federated access.
In my web app I don't need federated access. But I need to give users different permissions with different IAM roles. As an example, users from user pool A and group Admins should have a role which gives all the access to the DynamoDB table.
My question is, if I don't need federated identities, do I need identity pools to achieve my requirement?
An identity pool is primarily used to grant users access to AWS resources. It can grant access to users that authenticate using a user pool or any of the federated access providers. It can even be used to grant unauthenticated users access. So yes, you will need an identity pool to attach a role to. In the identity pool settings select your cognito user pool as access provider.
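The exchange this answer relies on, as an added example that is not part of the answer: once the user pool is an access provider of the identity pool, the app trades the user pool ID token for temporary IAM credentials with two unsigned Cognito Identity calls, GetId and GetCredentialsForIdentity. The pool ids and region are constructed, and the network-dependent function needs boto3 (the AWS SDK for Python), so only the Logins-map helpers are exercised offline. The provider key in the Logins map is a frequent mistake: it is the issuer host and pool id without the https:// scheme that the token's iss claim carries.

```python
from typing import Dict, Optional

# Constructed identifiers; they are not real AWS resources.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"

def user_pool_provider_name(region: str, user_pool_id: str) -> str:
    """Provider key the identity pool expects in the Logins map for a Cognito user pool.
    Unlike the token's 'iss' claim it carries no https:// scheme."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def build_logins(region: str, user_pool_id: str, id_token: Optional[str]) -> Dict[str, str]:
    """Logins map for GetId/GetCredentialsForIdentity; empty means an unauthenticated identity
    (only works if the identity pool has unauthenticated access enabled)."""
    if id_token is None:
        return {}
    return {user_pool_provider_name(region, user_pool_id): id_token}

def get_temporary_credentials(id_token: Optional[str], custom_role_arn: Optional[str] = None) -> dict:
    """Exchange a user pool ID token (or nothing, for guest access) for temporary IAM credentials.

    GetId maps the login to an identity id inside the pool; GetCredentialsForIdentity
    assumes the role the pool resolves for that identity and returns STS credentials.
    Needs network access and boto3, so it is not exercised offline.
    """
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    # Both calls are unauthenticated API operations, so SigV4 signing is turned off.
    client = boto3.client("cognito-identity", region_name=REGION,
                          config=Config(signature_version=UNSIGNED))
    logins = build_logins(REGION, USER_POOL_ID, id_token)
    get_id_args = {"IdentityPoolId": IDENTITY_POOL_ID}
    if logins:
        get_id_args["Logins"] = logins
    identity_id = client.get_id(**get_id_args)["IdentityId"]

    cred_args = {"IdentityId": identity_id}
    if logins:
        cred_args["Logins"] = logins
    if custom_role_arn:  # only honoured with "choose role from token"; must be in cognito:roles
        cred_args["CustomRoleArn"] = custom_role_arn
    creds = client.get_credentials_for_identity(**cred_args)["Credentials"]
    # Note the field name: Cognito Identity returns SecretKey, not SecretAccessKey.
    return {"AccessKeyId": creds["AccessKeyId"], "SecretAccessKey": creds["SecretKey"],
            "SessionToken": creds["SessionToken"], "Expiration": creds["Expiration"]}

def session_from_credentials(creds: dict):
    """boto3 session on the vended credentials, so the resolved IAM role applies to
    every later SDK call (DynamoDB, S3, ...)."""
    import boto3
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"], region_name=REGION)

if __name__ == "__main__":
    import sys
    token = sys.argv[1] if len(sys.argv) > 1 else None  # omit the argument for guest access
    print(build_logins(REGION, USER_POOL_ID, token))
    session = session_from_credentials(get_temporary_credentials(token))
    # The caller ARN shows which role the identity pool actually resolved.
    print(session.client("sts").get_caller_identity()["Arn"])
```

Run with an ID token as the first argument to see an assumed-role ARN from STS; run without one to see whether the pool grants guest access. The credentials are short-lived, so the app repeats the exchange (with a refreshed ID token) rather than caching them for the lifetime of the session.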
I have an application wherein I want 2 types of users to belong to the same User Pool. They all authenticate using the same AWS Cognito Federated Identity Pool. The first type of user, Manager, should be able to see all of the other users in their group and change their attributes. The second type, Employee, should only be able to see/change their own attributes, change their own password, forget their own password, etc. I imagine this specific case requires some policy "magic" to create 2 roles, each with different levels of permissions. I figure that each role would be assigned to a different group, with the Manager group getting more power/permissions. But I am confused by the redundancy of role assignments in both Federated Identity Pools and User Pool Groups.
AWS Cognito Federated Identity Pools have 3 role specifiers: "Unauthenticated role", "Authenticated role", and for Authentication Providers, "Authenticated role (selection)."
AWS Cognito User Pool Groups allow you to specify an IAM role.
What is the relationship between Identity Pools and Groups in terms of permissions?
If you are using groups and attaching roles to them you can then choose to use the role that is provided in the token. By default the authenticated role (or unauthenticated role if you have it activated) is used whenever you log in. You can change this behavior by opening your federated identity pool and changing this setting under cognito user pool (which I assume is your identity provider).
Select "choose role from token" to use the role that you have attached to the group that the user belongs to.
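An added worked example (my own model, not code from the answer or from AWS) of how the two role settings in the question interact, using the Manager/Employee groups from the question: the user pool writes the group roles into the ID token as cognito:roles and cognito:preferred_role, and the identity pool either ignores them ("Use default role") or picks from them ("Choose role from token"). The group precedence rule (lowest number wins; equal precedence with different roles leaves no preferred role) is AWS's documented behaviour; the fallback to the authenticated role when a token carries no group roles is marked as an assumption in the code. All ARNs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Group:
    """A user pool group. Precedence 0 is strongest; None is weaker than any number."""
    name: str
    role_arn: Optional[str] = None
    precedence: Optional[int] = None

def group_claims(groups: List[Group]) -> Dict[str, object]:
    """Group-related claims the user pool puts in the ID token of a member of these groups."""
    claims: Dict[str, object] = {"cognito:groups": [g.name for g in groups]}
    with_role = [g for g in groups if g.role_arn]
    if not with_role:
        return claims  # groups without roles never produce cognito:roles / preferred_role
    roles: List[str] = []
    for g in with_role:
        if g.role_arn not in roles:
            roles.append(g.role_arn)
    claims["cognito:roles"] = roles

    def rank(g: Group) -> float:
        return g.precedence if g.precedence is not None else float("inf")

    best = min(rank(g) for g in with_role)
    best_roles = {g.role_arn for g in with_role if rank(g) == best}
    # Equal precedence with the same role is fine; with different roles no
    # preferred role is set and the identity pool sees an ambiguous token.
    if len(best_roles) == 1:
        claims["cognito:preferred_role"] = next(iter(best_roles))
    return claims

@dataclass
class UserPoolProvider:
    """The user pool entry under an identity pool's authentication providers."""
    authenticated_role_arn: str              # the pool-level "Authenticated role"
    choose_role_from_token: bool = False     # False = "Use default role"
    ambiguous_role_resolution: str = "Deny"  # or "AuthenticatedRole"

class AccessDenied(Exception):
    pass

def resolve_role(provider: UserPoolProvider, id_claims: Dict[str, object],
                 custom_role_arn: Optional[str] = None) -> str:
    """IAM role the identity pool assumes when vending credentials for this ID token."""
    if not provider.choose_role_from_token:
        return provider.authenticated_role_arn  # group roles are ignored entirely
    roles = list(id_claims.get("cognito:roles", []))
    if custom_role_arn is not None:
        # A caller may ask for a weaker role (CustomRoleArn), but only one the token lists.
        if custom_role_arn not in roles:
            raise AccessDenied("CustomRoleArn is not among the token's cognito:roles")
        return custom_role_arn
    preferred = id_claims.get("cognito:preferred_role")
    if preferred:
        return str(preferred)
    if len(roles) > 1:  # several roles, none preferred: the configured tie-break applies
        if provider.ambiguous_role_resolution == "AuthenticatedRole":
            return provider.authenticated_role_arn
        raise AccessDenied("ambiguous group roles and resolution is Deny")
    # No group roles in the token at all: assumed to fall back to the authenticated role.
    return provider.authenticated_role_arn

def resolve_or_deny(provider: UserPoolProvider, id_claims: Dict[str, object],
                    custom_role_arn: Optional[str] = None) -> str:
    try:
        return resolve_role(provider, id_claims, custom_role_arn)
    except AccessDenied as err:
        return f"DENIED: {err}"

# Constructed ARNs and groups for the Manager/Employee scenario.
ACCOUNT = "123456789012"
AUTH_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Cognito_AppAuth_Role"
MANAGER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ManagerRole"
EMPLOYEE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/EmployeeRole"
MANAGERS = Group("Managers", MANAGER_ROLE, precedence=1)
EMPLOYEES = Group("Employees", EMPLOYEE_ROLE, precedence=10)

if __name__ == "__main__":
    manager_token = group_claims([EMPLOYEES, MANAGERS])  # a manager is in both groups
    print(manager_token)
    default = UserPoolProvider(AUTH_ROLE)
    from_token = UserPoolProvider(AUTH_ROLE, choose_role_from_token=True)
    print(resolve_or_deny(default, manager_token))                    # AUTH_ROLE: group roles unused
    print(resolve_or_deny(from_token, manager_token))                 # MANAGER_ROLE
    print(resolve_or_deny(from_token, manager_token, EMPLOYEE_ROLE))  # EMPLOYEE_ROLE
    tie = group_claims([Group("A", MANAGER_ROLE, 5), Group("B", EMPLOYEE_ROLE, 5)])
    print(resolve_or_deny(from_token, tie))                           # DENIED
```

The first printed line is the case the question describes as redundant: with the default setting the group roles are present in the token but never used, so everyone gets the pool's authenticated role. The tie case is why precedence values matter when a user can be in several groups with different roles; with the resolution left at Deny such a user gets no credentials at all.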
Question
Clarify how a user in AWS can assume an IAM role. It is confusing to me because it appears user/identity in AWS can be different depending on a context such as, IAM User, Cognito User Pool user, Cognito Federated User.
Background
Trying to understand the relations among users and identities in AWS and how each user can assume an IAM role.
Also in AWS, user/unauthenticated and identity (authenticated user) seem to be different concepts and both can assume an IAM role, hence it looks like being authenticated is not a prerequisite to assume an IAM role, which is also confusing to me.
IAM User/Identity (identity = user authenticated e.g. via AWS CLI with AWS ID/Secret)
Cognito User Pool User/Identity (authenticated)
Cognito Federated Identity Pool User/Identity (authenticated)
Are there any other user types?
IAM User (authenticated)
I believe this is an identity of a user identified by logging into the AWS console, or via CLI/SDK with an AWS access key ID/secret. This user can assume an IAM role by Switching to a Role (AWS Management Console) or programmatically assume-role with CLI/SDK. Is this correct?
Cognito User Pool User
I believe this user exists within Cognito only in an AWS account and has nothing to do with an IAM User. Currently there is no way to map an IAM user to a Cognito user (neither user pool nor federated identity pool) as in Add AWS IAM users to AWS Cognito Pool.
It looks like there are a few ways to assign an IAM role to a Cognito User Pool user or identity (authenticated user).
One way is to assign an IAM role to a Cognito User Pool Group to which users are added. An authenticated user in the User Pool Group can assume the IAM role automatically.
Another way is to use a Cognito Federated Identity Pool by federating with a Cognito User Pool and assign an IAM role to the federated identity pool. In this case, a Cognito User Pool user/identity (authenticated) is equivalent to a Cognito Federated Identity Pool user/identity (authenticated).
I suppose a user will be authenticated with a Cognito User Pool workflow via the Cognito Federated Identity Pool. Then the user can assume both the IAM role mapped to the Cognito User Pool Group AND the IAM role mapped to the Cognito Federated Identity (authenticated).
Are these correct, or will the user only be able to assume one of the IAM roles? What if there are multiple accounts in an AWS organisation? Should each account create its own Cognito User Pool to manage the same set of users, or have one Cognito User Pool in an account and share the Cognito User Pool among accounts via Cognito Federated Identities pointing to the User Pool?
Cognito Federated Identity Pool User
If the federation is not with Cognito, such as with Facebook, then a Cognito Federated Identity Pool user/identity has nothing to do with the Cognito User Pool user/identity and the user is that of Facebook. The user can assume an IAM role mapped to the Cognito Federated Identity Pool, even when it is unauthenticated. Is this correct?
Help
I have been looking into AWS re:Invent videos and AWS documentation, but it is a struggle to clearly understand Cognito terms and meanings. If there are clear, simple, intuitive explanations, kindly provide the references.
I know that user pools allow me to authenticate users to my apps, but what about federated identities? As far as I understand, they only allow granting access to the AWS resources, not to the app. Or am I not right?
Yes, Federated Identities only provide you short-term AWS credentials to access AWS resources. If access to your app is based on AWS resources then you can use Federated Identities; otherwise User Pools are a better fit.