I am currently using AWS cognito for user authentication. Now i want to store partial information of the users in the user pool to DynamoDb table. Is there a way to relate Userpool data with DynamoDb ?
You can federate user pool with Cognito identity and get the scoped temporary credentials, you can use these credentials to connect to DynamoDB. This part of developer guide talks about this integration. integrating user pools with identity pools
Related
I'm very new to AWS cognito. I want to send a mail on deleting a user from AWS cognito user pool. I learnt that there is a list of predefined event trigger sources for various user actions such as sign up, sign in, password change etc., but, there is no such event trigger sources for deleting a user. I found few similar questions posted and saw that using cognito sync trigger was recommended and when I tried to follow that, it asked me to select a cognito identity pool to proceed further but there is no identity pool used in my project.
Kindly let me know how can I trigger a lambda function on deleting a cognito user.
Identity pools are used for giving temporary access to you AWS Resources/Services, you can refer the docs
Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
Since your backend is not using any AWS resource, you can use AWS API Gateway for creating an endpoint which can be hit to trigger the lambda function, as Auth provider of the api you can use cognito. Here is the reference
We are migrating an application from AWS to GCP. In AWS, we use Cognito service for maintaining different types of users inside userpools (for example: SSO users has different userpool and users with email and password are configured in different userpool, for MFA users, they have different user pool) In AWS Cognito, we also leverage certain functionalities like appclient id and secret for generating JWT tokens and authorizer lambda in pre-sign up trigger)
How can we achieve the above implementation in GCP?
Google Identity platform looks like amazon Cognito.
You can use Firebase Authentication as a equivalent of Amazon Cognito. This table provides a comparison between Amazon Cognito and Firebase Authentication.
Setup:
AWS Amplify API w/ GraphQL
AWS Amplify Auth w/ Cognito User Pools
Say the majority of the platform should be accessible by a logged out user. E.g. they should be able to read forum Topics, but if they want to post, they need to sign in.
I see an #auth resolver that I can use, but whenever I try to make a graphQL call to my.url.amazonawscom/graphql to fetch Topics, it says "errorType": "UnauthorizedException". I'm having trouble figuring out how a logged out user can have authorization to publicly accessible data.
AWS AppSync recently launched support for multiple authorization types on the same AppSync API. So you could for example enable cognito user pools as the authorization type on your API and add API_KEY as an additional authorization provider.
After this, you would be able to use the #aws_api_key directive to make selected fields from your schema such as for example getForumTopics be api key authenticated. API Keys are in general considered to give public access.
Also Cognito User Pools and Cognito Federated Identities are separate products. Cognito Federated Identities does indeed have an unauthenticated identity role that you can use to secure top level fields in your schema but it looks like the auth type on your API is set to Cognito User Pools.
In Cognito identity pool you need to set the policy for unauthorized users. Go to Edit Identity Pool and you can see an option where role can be set for unauthorized
I'm currently getting started with aws services. I'm trying to build an admin UI for managing a cognito user pool. E.g I want to have some cognito users to have admin rights for creating new users from the UI etc. I'm a bit confused by the docs on the different ways to integrate authentication in API gateway, Lambda and DynamoDB. Do I need a Identity Pool for that use case? Or just different User Pool roles?
Thank you in advance for any help.
To use AWS resources you do need identity pool. You should create user groups in your user pool and assign them different roles in IAM. After this, create an identity pool and select cognito identity under the authentication providers. Also make sure you select "Choose Role from token".
Question
Why AWS Cognito has two places to federate Identity Providers? I think Identity Pool is supposed to be federated with identity providers and wonder why User Pool also can. Kindly suggest the reason why having two locations.
Cognito Identity Pool can federate identity providers.
Cognito User Pool can federate identity provides as well.
User Pool
User pools are for authentication (identity verification). With a user pool, your app users can sign in through the user pool (which is essentially a user directory in Amazon Cognito) or federate through a third-party identity provider (IdP), for example social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
After successfully authenticating a user, Amazon Cognito issues JSON web tokens (JWT) that you can use to secure and authorize access to your own APIs, or exchange for AWS credentials (here is where Identity Pool comes into play).
Use a user pool when you need to:
Design sign-up and sign-in webpages for your app.
Access and manage user data.
Track user device, location, and IP address, and adapt to sign-in requests of different risk levels.
Use a custom authentication flow for your app.
Identity Pool
Identity pools are for authorization (access control). With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
Use an identity pool when you need to:
Give your users access to AWS resources, such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon DynamoDB table.
Generate temporary AWS credentials for unauthenticated users (User Pools support anonymous guest users).
Identity pools provide AWS credentials to grant your users access to other AWS services. To enable users in your user pool to access AWS resources, you can configure an identity pool to exchange user pool tokens for AWS credentials.
Sources:
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pools-identity-pools/
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
The Main Difference is how users are saved and what permissions are granted once they signin with idp's using user pool vs identity pool.
So, Federation through User Pool (by themselves) don’t deal with permissions at the IAM-level which doesn't allow for a much more granular set of permissions, with respect to AWS services.
However Identity Pools creates a user from an Identity Provider with unique identities such as an IAM role, they essentially allow you to delegate authorization for AWS resources to AWS itself.
Refer here for scenarios!!
A similar source of confusion is caused by the fact that you can integrate external social providers like Facebook and Google with User Pools directly, without using Federated Identities at all. Using this approach, users can sign up and sign in to your app with their Facebook login, but they never get assigned an IAM role. Instead, the User Pool service automatically assigns these users to a Facebook group, and then maps the attributes of their Facebook profile (e.g. name, email, location) to the user attributes you’ve defined in your User Pool. Again, the key distinction here is not whether the Identity Provider is internal or external, but rather if an IAM role is assigned to the user after authentication.
Hope it Helps.