I have an API deployed on AWS API Gateway. I will have multiple subscribers using my API and each customer would be unique. Is it possible that each customer will have a separate API key unique to him? Or will I have to create those many IAM users in order for them to be unique? If yes for the IAM users, then what is the upper limit of the number of users? I will be doing all this programmatically.
By unique, if you mean that you should be able to identify which request came from who, then you can generate one API Key per subscriber. You can generate up to 10000 API keys per AWS account. More details about API keys here.
By unique, if you mean that each subscriber should have access to a unique set of API resources/methods/stages, then you can create different IAM roles with different levels of permissions and let the subscribers assume the roles. You can create up to 250 roles per account. More details about access permissions here.
Related
In my application I want to users to be able to create an organization i.e. (OrgA) and then have users sign up under said organization using either an invite code or token. Users in OrgA should have access to an Amazon S3 directory (which stores images and files) and access to a database table that has been created for the said organization.
I could not find a solution on how to implement this online and was wondering if using Amazon Cognito groups was a good idea to meet requirements.
This is supported by the Amazon Cognito Service. That is, you can use Amazon Cognito to control permissions for different user groups in your app. This ensures that users have appropriate access to backend resources, determined by the group they belong to. For more information, see Building fine-grained authorization using Amazon Cognito User Pools groups.
I am new to AWS and making some large application with microservice architecture. I am using Cognito user + identity pools for authorization. Organizations have branches, branches have positions, e.g Project Manager, Financial Manager, and a user belong to one of these branches and positions. Users are stored in the Cognito User Pool. I've EC2 and RDS for organization microservice and I'm going to use AWS API gateway with IAM Role-Based Access Control to communicate between microservices but how can I make a relationship between the organization and user microservices?
I was going to use Cognito custom attributes, e.g custom:branch=branchId but if I needed to get the users of this branch that would be impossible. From Cognito docs:
Custom attributes are not searchable.
Should I use DynamoDB table, for relation cognito_user_id | branch_id, or what's the better approach?
How to get single branch users, how to get single organization users and where to write this code ? AWS lambda with DynamoDB ?
If you have no restriction to add table on RDS at organization micro-service, I will say do not use dynamodb as it is an extra component and your system supports relational better than NoSQL. Besides, one more prerequisite for dynamodb is one must be aware of data access pattern.
Create Organizations and Branchs table having one-to-many relation as seperate micro-service. User will be assigned to Branch.
You should write those shared logic to lambda as a service and that lambda will be called by both org and user services. I know that will cost extra integration effort. However, it is far better than adding new service like dynamodb.
I have my enterprise Quicksight in place and with users using our company email to register an account (like john.doe#mycompany.com). We're using Gmail for business.
On the other hand we have developed another application backed by AWS Cognito user pool using Google as an identity provider, and since this is the same user base our intention was to use the same user pool for Quicksight access. In addition we will develop a Lambda that would synchronize Cognito user group association with Quicksight memberships if/when necessary.
I've followed the example described here https://aws.amazon.com/blogs/big-data/use-amazon-quicksight-federated-single-sign-on-with-amazon-cognito-user-pools/, but the problem is that even though I login as different users I get access to Quicksight via same IAM role. The Quicksight user associated with this role has a specific username starting with CognitoQuickSight1-AuthRole-KX4Y16... and email associated with the user I used to login the very first time.
Now I'm wondering if in this setup it's even possible to have different roles associated with different users so they can be differentiated on Quicksight side? Or is there any other way to achieve this?
I don't think you can assign QuickSight user specific permission on Federated users.
Some AWS services allows to use the user identity in the resource base IAM policy. For example S3 (to allow user to access only their 'directory' in a bucket) and DynamoBD (to allow user to only access item where their identity is the primary key).
According to https://docs.aws.amazon.com/quicksight/latest/user/security_iam_service-with-iam.html Quicksight does not support Resource based or Tag based policies.
I'm new to AWS, and i'm using Cognito Identity Pools to allow unverified (unauthenticated) users access to my AWS resources. I want to create users table using DynamoDb and my question is:
Is unauthenticated users ids in Cognito are consistent among devices? Will the id be constant for each device or change due to any reasons?
Can I use Cognito uid to identify a specific user even if he deletes the app for example, and comes back after few months?
THANKS.
Ok, so using the AWS IoT Thing Registry, you can list all your devices. But "you" means the AWS customer, and would list all devices registered under that AWS customer's custom endpoint.
But what if an AWS customer has multiple end users, that authenticate via e.g. Amazon Cognito Identity and they each have a number of devices. You would not want to have an end user list all e.g. thermostats of a specific brand/standard, but only the one actually registered to him. This is a use case I imagine would be very common, yet I can find no example in the AWS IoT sample code or documentation.
My only idea is to use a "UserId" attribute for each thing, and then filtering on this, when doing a ListThings on the thing registry. But how would you make sure that a user could only list his things, and not other users' things - an IAM policy per user?