Is it possible to assume the IAM role iam-role1 linked to Cognito group cognito-group1 of cognito user cognito-user1 in Cognito User Pool cognito-user-pool1?
My configuration:
Cognito User Pool cognito-user-pool1:
  - cognito-user1 belongs to cognito-group1
  - cognito-group1 has iam-role1 assigned.
Cognito Identity Pool cognito-identity-pool1:
  - cognito-user-pool1
  - iam-role1
IAM:
  - iam-role1 has a policy to access S3 ReadOnly.
This code allows me to authenticate to the Cognito User Pool:
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;
using Amazon.S3;

// Low-level Cognito IDP client plus the user pool / user wrappers from Amazon.Extensions.CognitoAuthentication
AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient();
CognitoUserPool userPool = new CognitoUserPool("user-pool-id", "client-id", provider);
CognitoUser user = new CognitoUser("cognito-user1", "client-id", userPool, provider);
// SRP (Secure Remote Password) flow: the password is never sent to Cognito in clear text
InitiateSrpAuthRequest authRequest = new InitiateSrpAuthRequest()
{
    Password = "cognito-password1"
};
AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(authRequest);
Then get the credentials from the Cognito Identity Pool cognito-identity-pool1 linked to the Cognito User Pool cognito-user-pool1:
// First argument is the identity pool ID (region:guid), not an ARN
CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials("identity-pool-id", RegionEndpoint.USEast1);
using (var client = new AmazonS3Client(credentials))
...
When a user is authenticated with Cognito User Pool cognito-user-pool1, the ID token includes the Cognito groups and IAM roles:
  "cognito:groups": [
    "cognito-group1"
  ],
  "cognito:roles": [
    "arn:aws:iam::xxx:role/iam-role1"
  ],
We need to configure the Cognito Identity Pool to choose the role from the token when the user is authenticated:

We also need to allow the Cognito Identity Pool to assume this role by editing the trust relationship in the IAM role iam-role1:
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}

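As an added example (not part of the answer above): the same trust statement with the two conditions AWS documents for identity-pool roles, so that only identities that came from cognito-identity-pool1 and authenticated through a provider can assume iam-role1, rather than any identity pool in any account or unauthenticated guest identities. The identity pool ID value is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:IDENTITY-POOL-ID-PLACEHOLDER"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

Without the aud condition, a federated principal from a different identity pool could be granted the same role; the amr condition keeps unauthenticated (guest) identities out.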