I'm trying to build a web app that can be accessed by any user that signs up with facebook.
I want to use AWS Cognito to speed up the development for users management.
It has to have 3 type of users:
Normal users - any user that logs in with facebook
Editors - users that have a different access level (IAM role?), they can call a specific AWS Lambda function, that normal users can't call.
Administrators - users that can modify the status of normal users to make them editors or admins
Can someone please point me in the right direction? I've set up AWS Cognito Identity Pool but I'm not sure if I have to set up a User Pool or how do I assign a different role or policy to a user to make him an admin or editor (different access levels for other AWS resources), if I can get in my web app the users list from Cognito (only for an authenticated admin) and how do I allow him to modify other users roles.
Some tutorial, documentation or at least a short description of how can I do this would help me a lot.
Optional: let users to not only sign up with facebook but also with email/pass, and have the same functionality.
You should be able to use 'Role Based Access Control' feature of Cognito federated identities. This is the relevant part of the doc:
http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html
If you are only using Facebook, you can use Facebook sub to assign appropriate role.
If you are using username and password based sign-in with user pool, you can use group support and create editors group and assign appropriate permissions.
Instead of managing Administrators with federated identities or user pool, probably directly using IAM user will be a better idea. This IAM user will have full permission to modify/add identity pool rules or user pool groups.
Related
I'm looking into AWS Amplify and bumped into Amazon Cognito.
It deals with the authentication part pretty well, but I'm struggling to understand how app authorization works (i.e. what my users can/can't do within my app).
Does anyone know how may I approach setting up RBAC (Role-Based Access-Control) with Cognito User Pools (not Identity Pools)?
I want to be able to let my admin users easily manage & assign other users into roles (not IAM roles). A role may have multiple permissions to indicate what it could do within my app.
Something similar to this (taken from Laravel Backpack Permission Manager repo):
For the last few years, I've built a PHP and MySQL based website where users can submit reprographics and IT requests. I'm hoping to make this cloud-based rather than running it from a local webserver. My initial idea was to have an EC2 instance running as a web server for each company which uses my system, but as the system is PHP session based I'm assuming the security would not be great so I think I need to move towards more of an AWS system using Cognito for user management and the API Gateway with Lambda to do the job of getting the data from the databases. My question is, my current system has an admin console where the admin user can access the lists of users, and assign them permissions (session variables) which allows them access to specific pages. How would I make a webpage where users can manage the users in a Cognito user pool without giving them access to the AWS console.
Implement a Cognito AdminAddUserToGroup operation in your Lambda function for admin users to manage what Cognito Groups your users belong to. Your admins will be the only ones that are able to invoke the API call to the Lambda function because they'll be included in the Cognito Admin Group with appropriate permissions to invoke the Lambda function that you specified as the developer.
Specify permissions of what each Congito Group has access to by assigning roles for each Cognito Group.
You can also decode the jwt on the backend to determine what Cognito Group the user belongs to that made the request and use Amplify on the FrontEnd to manage the FrontEnd's display of content based on the Group (links, etc). More info about that can be found in this thread: How do I access the group for a Cognito User account?
I do not have enough points to comment on the CLI update-user-pool suggestion, but wanted you to know that wouldn't work because 1.) It would impact the entire user pool and affect ALL users in the user pool and 2.) It would make no difference in regards to what your users were able to have permission to access in your application.
I have my enterprise Quicksight in place and with users using our company email to register an account (like john.doe#mycompany.com). We're using Gmail for business.
On the other hand we have developed another application backed by AWS Cognito user pool using Google as an identity provider, and since this is the same user base our intention was to use the same user pool for Quicksight access. In addition we will develop a Lambda that would synchronize Cognito user group association with Quicksight memberships if/when necessary.
I've followed the example described here https://aws.amazon.com/blogs/big-data/use-amazon-quicksight-federated-single-sign-on-with-amazon-cognito-user-pools/, but the problem is that even though I login as different users I get access to Quicksight via same IAM role. The Quicksight user associated with this role has a specific username starting with CognitoQuickSight1-AuthRole-KX4Y16... and email associated with the user I used to login the very first time.
Now I'm wondering if in this setup it's even possible to have different roles associated with different users so they can be differentiated on Quicksight side? Or is there any other way to achieve this?
I don't think you can assign QuickSight user specific permission on Federated users.
Some AWS services allows to use the user identity in the resource base IAM policy. For example S3 (to allow user to access only their 'directory' in a bucket) and DynamoBD (to allow user to only access item where their identity is the primary key).
According to https://docs.aws.amazon.com/quicksight/latest/user/security_iam_service-with-iam.html Quicksight does not support Resource based or Tag based policies.
My production environment uses AWS cognito federated identities (AKA: identity pool) for allowing users to sign in with their Google/FB accounts. This is working fine.
However, for my staging environment I want to offer a similar sign in functionality (that is: users sign in in via Google) but I want to restrict the ability to sign in only to a specific whitelist (of, say, #gmail.com accounts). This is because the staging environment should only be accessed by team members and a bunch of trusted users.
My question is this: is it possible to define a Cognito identity pool that allows only the whitelisted users to sign in? if the answer is "yes", then how?
I know that I can do the whitelist checking at my backend (that is: at the backend of my staging env. I will reject every request not coming from these whitelisted users) but this is a bit unclean. In particular, I want the rejection to happen as early and possible and, ideally, to be carried out by cognito itself, and not by my backend.
Clarifications:
I mentioned a list of #gmail.com accounts as the whitelist. I am open to any other mechanism for defining the whitelist.
In a way I am asking whether I can have user directory functionality (in particular: determining if a user is in a certain group of users) with an cognito identity pool.
The purpose of the Identity pool is to provide access to authenticated identities. Therefore, this resource cannot manage users (ie: white listing a user group).
There are two ways to do this:
Link 3rd Party Identity into a User Pool and white list by User Group. Your user group will have a Roles and permission it will assume that will allow your test users to have the functionality they need without allowing other users who log to have that functionality.
Manage users from the 3rd Party Identity - I am not an expert at Google authentication.. but some OpenID providers allow you to create user groups with different access roles. This is an example for Google.
You can invoke a trigger and execute a lambda function when the user submits their information to accept or deny the sign in request.
We have a lot of systems which have their own authorization mechanisms. Our goal is to expose all of them through IS so we can manage all of them in a single place.
Our users are authenticated in LDAP but their roles are spread through several databases. As far as I can see IS retrieves roles from the domain the user was authenticated. Is it possible to retrieve roles from all user stores ignoring the domain?
I've already tried both RemoteUserStoreManagerService.getRoleListOfUser and using claim http://wso2.org/claims/role.
In WSO2 you can only assign roles to user if roles are in the same user store domain where the user belongs. If the role is an internal role, then you can assign that role to any users in any user stores.
What is the API Service you tried to retrieve roles? and Please explain more about your requirements.
Thanks
Isura