Shaho

Reputation: 478

Cognito User Pool Groups not working with different roles

I'm trying to achieve the following: I have a web application that needs different user permissions for some menus and calls to the API gateway.

I have done the following:

  • Set up a user pool with 2 groups (Group 1 and Group 2)
  • Assigned users to those groups
  • Set up 2 policies (Policy 1 and Policy 2, where Policy 1 is the default policy in the authenticated role in federated identities)
  • Set up the correct trust policies in the roles
  • In federated identities, under authentication providers, I have set authenticated role selection to "Choose role from token"

On the front, I have decoded the ID token and verified that the cognito:groups etc are correct when initialising a login.

So group 1 is the looser policy allowing everything, and policy 2 is the stricter policy that should not allow calls to a certain resource in API gateway.

But when I assign a user to group 2, which has the stricter Policy 2, the user still seems to use Policy 1, which allows everything. What am I doing wrong here?

I have the same problem as this thread and done exactly what it says but still no progress

Upvotes: 5

Views: 3661

Answers (2)

Simon Hutchison

Reputation: 3035

Check the role assigned to the user group has a trust relationship. It needs this so it can assume the role of the federated identity provider.

You can build an appropriate role for the User pool groups role by doing this:

  • Open AWS console
  • Get to IAM section
  • Pick roles
  • Pick web identity
  • Choose Amazon Cognito
  • Paste in your Identity pool id (the federated one)
  • Click next
  • Now add/create policies you need for the user group, like S3 access, or whatever.
  • Give the role a name and save it.
  • Go to your User Pool group, edit it and assign the role just created.
  • Open the Federated Identity
  • Set the Authenticated role selection dropbox to Choose role from token
  • Optionally set Role resolution to DENY

References:

Fine grained auth

Role based access control

Upvotes: 9
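A way to check the trust relationship this answer talks about without clicking through the console. This is an added example, not code from the answer or from AWS: it embeds a constructed trust policy of the shape the IAM console generates for a Cognito web-identity role, a second one that trusts EC2 instead (the classic reason a group role is silently ignored), and a small checker; the identity pool id is a placeholder.

```python
import json

# Constructed placeholder; use the id of your own federated identity pool.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
COGNITO = "cognito-identity.amazonaws.com"

# Trust policy of the shape the IAM console generates for a Cognito web-identity role.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {COGNITO + ":aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {COGNITO + ":amr": "authenticated"}}}]})

# The same role trusting an EC2 service principal instead. Cognito cannot assume it, so the
# identity pool falls back to the default authenticated role and the group's policy never applies.
EC2_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_group_role_trust(doc: str, identity_pool_id: str) -> list:
    """Findings for a group role's trust policy; an empty list means Cognito can hand
    the role to authenticated identities of the given identity pool."""
    findings = []
    cognito_stmts = [
        s for s in _as_list(json.loads(doc).get("Statement", []))
        if s.get("Effect") == "Allow"
        and isinstance(s.get("Principal"), dict)
        and s["Principal"].get("Federated") == COGNITO
        and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action", []))]
    if not cognito_stmts:
        return ["no Allow statement lets %s call sts:AssumeRoleWithWebIdentity" % COGNITO]
    for stmt in cognito_stmts:
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(COGNITO + ":aud")
        if aud is None:
            findings.append("aud condition missing: any identity pool could assume this role")
        elif identity_pool_id not in _as_list(aud):
            findings.append("aud condition does not name identity pool " + identity_pool_id)
        amr = cond.get("ForAnyValue:StringLike", {}).get(COGNITO + ":amr")
        if amr is not None and "authenticated" not in _as_list(amr):
            findings.append("amr condition excludes authenticated identities")
    return findings
```

To run it against a real role, feed it the `AssumeRolePolicyDocument` from `aws iam get-role` instead of the constructed documents.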

David Kelley

Reputation: 193

This may be a silly question, but have you assigned an IAM Role to the Cognito User Pools Group?

Further, I would opt for a more restrictive policy precedence. You should apply "normal user" policies as the Authenticated Role and more "admin user" policies as roles to be assumed by users belonging to specific groups.

Similar to:

Group: Admins (Policy A attached) (Precedence 0)

Group: Users (Policy B attached) (Precedence 10)

Authenticated Role: Policy B

Upvotes: 0
