I currently have a number of Lambdas which query a DynamoDB. The Lambda is exposed/invoked via an API Gateway REST API which is configured to use AWS_IAM authorization.
My Cognito user pool is currently assigning different IAM roles based on various information, and most importantly, the IAM role is limiting access to the specific row on the DynamoDB that matches the user's Cognito Identity ID. These roles work as expected, and when querying the DynamoDB directly, the roles only allow a user to read their own row.
However I need some manipulation done before returning the data to the user, so I currently have the lambda performing the query instead of accessing dynamo directly. The lambda is obviously configured with its own Lambda Execution Role which currently gives read access to the entire DB.
However what I am trying to do is to pass the user's Cognito credentials through API Gateway, through to Lambda and then have Lambda assume the IAM role of the logged-in user before making the Dynamo query, thereby only allowing the Lambda to read from the user's own row in the DynamoDB.
I've spent a few days trying everything from AWS_IAM authorization, to Cognito User Pool Authorization and any other ideas I've found online, however I have never actually managed to get the Lambda to assume the role.
Currently I have "Invoke using caller credentials" enabled for the Api Gateway method, and my code is reading the Cognito Identity ID from the event as such:
const cognitoIdentityId = event.requestContext.identity.cognitoIdentityId
And I am passing this into the Dynamo query, however
1) I'm not sure if this is secure enough / would allow someone to manipulate a request to access someone else's data.
2) I'm no expert, but it "feels" like I should be using a fine-grained IAM role for this, rather than just relying on my Dynamo query being correct
If anyone can advise if I am approaching this the right way, or if it's even possible, or if there is a better approach that would be great.
Thanks!
You can get temporary credentials for your Cognito identity: a temporary access key, secret key and session key. These expire after an hour just like the access and ID token. But you can use these credentials to let the Lambda assume the role of your logged-in user. You can find the documentation for getting these credentials here.
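The approach in the answer above, worked through as an added example (this is not code from the original question or answer): the Lambda takes the caller's User Pool ID token, exchanges it for temporary Cognito Identity credentials with GetId and GetCredentialsForIdentity, and then signs the DynamoDB query with those credentials, so the user's fine-grained role decides what is readable rather than the Lambda execution role. Assumed, and not stated on the page: AWS SDK for JavaScript v3 (`@aws-sdk/client-cognito-identity`, `@aws-sdk/client-dynamodb`, `@aws-sdk/lib-dynamodb`), the client sending its ID token in an `Authorization` header, and a hypothetical table `UserData` whose partition key `userId` holds the Cognito Identity ID. The SDK is loaded lazily so the handler can also be driven with stub dependencies offline.

```javascript
// Added example, not code from the original question or answer. Exchanges the
// caller's Cognito User Pool ID token for temporary Cognito Identity credentials
// and runs the DynamoDB query with those credentials, so the user's IAM role,
// not the Lambda execution role, decides which rows are readable.
//
// Assumptions (not on the page): AWS SDK v3 packages listed in the lead-in; the
// client sends its ID token in an Authorization header; hypothetical table
// "UserData" with partition key "userId" = Cognito Identity ID.

const REGION = process.env.AWS_REGION || "us-east-1";
const USER_POOL_ID = process.env.USER_POOL_ID || "us-east-1_EXAMPLE";                 // hypothetical
const IDENTITY_POOL_ID = process.env.IDENTITY_POOL_ID ||
  "us-east-1:00000000-0000-0000-0000-000000000000";                                   // hypothetical
const TABLE_NAME = process.env.TABLE_NAME || "UserData";                              // hypothetical

// Production dependencies: real SDK clients. Loaded lazily so the handler can
// also be exercised with stubs (offline) without the SDK installed.
function realDeps() {
  const { CognitoIdentityClient, GetIdCommand, GetCredentialsForIdentityCommand } =
    require("@aws-sdk/client-cognito-identity");
  const { DynamoDBClient } = require("@aws-sdk/client-dynamodb");
  const { DynamoDBDocumentClient, QueryCommand } = require("@aws-sdk/lib-dynamodb");
  const cognito = new CognitoIdentityClient({ region: REGION });
  return {
    getId: (input) => cognito.send(new GetIdCommand(input)),
    getCredentials: (input) => cognito.send(new GetCredentialsForIdentityCommand(input)),
    query: (credentials, input) => {
      // A fresh client per request: it must sign with the caller's credentials,
      // never with the execution role's default credential chain.
      const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({ region: REGION, credentials }));
      return ddb.send(new QueryCommand(input));
    },
  };
}

function extractIdToken(event) {
  const headers = event.headers || {};
  const raw = headers.Authorization || headers.authorization || "";
  const token = raw.replace(/^Bearer\s+/i, "").trim();
  if (!token) throw new Error("missing Cognito ID token");
  return token;
}

// Turn a User Pool ID token into scoped temporary credentials. Cognito validates
// the token itself, so a forged or expired token fails here, not in our code.
async function getCallerCredentials(idToken, deps) {
  const logins = { [`cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`]: idToken };
  const { IdentityId } = await deps.getId({ IdentityPoolId: IDENTITY_POOL_ID, Logins: logins });
  const { Credentials } = await deps.getCredentials({ IdentityId, Logins: logins });
  return {
    identityId: IdentityId,
    credentials: {
      accessKeyId: Credentials.AccessKeyId,
      secretAccessKey: Credentials.SecretKey, // Cognito Identity names this field SecretKey
      sessionToken: Credentials.SessionToken,
      expiration: Credentials.Expiration,
    },
  };
}

// Hypothetical stand-in for the "manipulation" step in the question: drop
// attributes whose names start with an underscore before returning the row.
function shapeItem(item) {
  return Object.fromEntries(Object.entries(item).filter(([k]) => !k.startsWith("_")));
}

async function handler(event, deps = realDeps()) {
  const { identityId, credentials } = await getCallerCredentials(extractIdToken(event), deps);

  // Defence in depth: with "Invoke with caller credentials" on, API Gateway fills
  // cognitoIdentityId from the SigV4 signature (not from a client header), so a
  // mismatch means the token and the signing credentials belong to different users.
  const gwIdentity = event.requestContext && event.requestContext.identity &&
    event.requestContext.identity.cognitoIdentityId;
  if (gwIdentity && gwIdentity !== identityId) {
    return { statusCode: 403, body: JSON.stringify({ error: "identity mismatch" }) };
  }

  // The key condition narrows the result; the IAM policy behind `credentials`
  // (e.g. a dynamodb:LeadingKeys condition on the identity id) enforces it, so a
  // bug in this expression can only return less, never another user's row.
  const result = await deps.query(credentials, {
    TableName: TABLE_NAME,
    KeyConditionExpression: "userId = :uid",
    ExpressionAttributeValues: { ":uid": identityId },
  });
  return { statusCode: 200, body: JSON.stringify((result.Items || []).map(shapeItem)) };
}

// Lambda entry point (CommonJS).
if (typeof module !== "undefined") {
  module.exports = { handler, getCallerCredentials, extractIdToken, shapeItem };
}
```

With this in place the Lambda execution role no longer needs any `dynamodb:Query` permission at all; the only DynamoDB permission in play is the one on the identity pool's authenticated role, which is where the `dynamodb:LeadingKeys` condition on `${cognito-identity.amazonaws.com:sub}` belongs. GetId and GetCredentialsForIdentity are unauthenticated Cognito Identity calls, so the execution role needs no extra IAM grants for them either, but each invocation now costs two extra API round trips, which is the price of letting IAM rather than the query do the authorisation.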