Reputation: 1212
AWS cognito custom user roles for authorization
AWS cognito's documentation suggest all the roles around IAM. How to make meaningful role that my application (resource-server) understands?
Upvotes: 4
Views: 3829
Answers (2)
Reputation: 1179
I have used AWS Cognito extensively in my applications and I can try helping you here.
Whatever you are saying is possible using Cognito. I believe you are trying to figure one pattern to map your application roles to Cognito/AWS IAM roles.
All Cognito users in the pool can be segregated under different Cognito Groups. documentation is here -> https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
Each Cognito user group has to be mapped with corresponding IAM Role (permissions you can customize).
Now, these groups need to have one to one mapping with the user role/group in the application.
These groups can be leveraged in 2 different ways. We are considering the design pattern with UI layer (eg:AngularJS) -> AWS APi Gateway -> RestAPI (Lambda/hosted as an application in Beanstalk/container/Ec2/etc.)
The UI controls need to be displayed according to the user group. For example, a super admin will see all the links and menus, full privilege. But for normal end-user, limited links and menus will be visible. In order to achieve this, you can use some of the plugins for AngularJS (may be different in your case) to control the rendering of UI based on group information.
The API layer can be protected by introducing an authorization layer by setting the Authorizer configuration of API Gateway as IAM/Cognito. So before a request hits the API hosted in back-end, API gateway will check whether the requested user group has permission to access the API.
I hope this helps.
Upvotes: 6
Reputation: 8107
Not sure what you mean too much, but roles are for accessing AWS resources. Cognito can be used with an Identity Pool to grant temporary credentials to AWS resources. This means you can put your server/ec2 instance behind an API gateway configured with IAM authentication, and create an authenticated role in your Identity Pool which allows HTTP calls to your API GW.
Upvotes: 1
Related Questions
- Add custom roles to AWS Cognito User Pool Access Token
- Can we have Multiple Roles in Single UserPool in AWS Cognito?
- Specifying User Access Control with Amazon Cognito
- generate role-based claims for aws cognito id token
- AWS-Cognito: How to assign user roles in the user pool?
- AWS cognito: allowing only a certain users (identities) to get credentials
- AWS Cognito and custom roles
- AWS Cognito - authenticate as a user
- Use custom authorization logic with AWS Cognito authentication
- Additional authorization logic for Cognito User Pools User