 

AWS Cognito user pool group precedence - working as expected and useless or broken?

tl;dr:

What is the purpose of being able to add users to multiple groups in a user pool if the group with higher precedence overrides the role of the group with lower precedence? (Instead of stacking the roles)

Situation:

Cognito user pool with 2 groups. Group 'A' has a role with full access to Dynamo with a precedence of 10. Group 'B' has a role with full access to Elastic Search with a precedence of 9.

If I add a user to either group alone it works as expected.

However

  • if I add a user to group 'A' and 'B', I'd expect them to have permissions from both groups.
  • it seems the documented functionality states that the user will just have the permissions from group 'B'. If this is the case, what is the purpose of adding users to multiple groups?

I assumed the purpose of being able to add users to multiple groups would be to have the roles stack instead of overwrite. This way...:

  • group A could have perms 1,2,3 with precedence 10
  • group B could have perms 4,5,6 with precedence 9
  • group C could have perms with DENY on 1 with precedence 8

Could result like so:

  • Users in A and B would have perms 1,2,3,4,5,6
  • User in A, B, and C would have perms 2,3,4,5,6

But in reality:

  • Someone in A and B has perms 4,5,6
  • Someone in A, B, and C has no permissions

itsDrew asked Mar 15 '19 10:03



1 Answer

It is expected behavior. If you want permissions from both of the groups you'll just have to create another group/role with combined permissions. Groups are for separating users. At any time a user can assume only one role. You can either let Cognito decide which role it will assume based on precedence, or you can specify it in the GetCredentialsForIdentity custom role ARN. Also, you can switch between roles behind the scenes whenever you want by calling GetCredentialsForIdentity with a different role ARN and making calls using the credentials for that specific role.

Ninad Gaikwad answered Oct 17 '22 22:10
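The answer's two options, precedence-selected default role versus an explicit CustomRoleArn, as an added Python example that is not part of the original answer. It models the question's groups A (precedence 10) and B (precedence 9); the account id, region, user pool id and role ARNs are placeholders, and only the final boto3 call needs AWS access.

```python
from dataclasses import dataclass

# Constructed sample data mirroring the question; account id, region, pool id
# and role ARNs are placeholders, not values from the original post.
PROVIDER = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"

@dataclass(frozen=True)
class Group:
    name: str
    role_arn: str
    precedence: int  # Cognito picks the group with the LOWEST precedence value

GROUPS = {
    "A": Group("A", "arn:aws:iam::123456789012:role/DynamoFullAccess", 10),
    "B": Group("B", "arn:aws:iam::123456789012:role/ElasticsearchFullAccess", 9),
}

def allowed_roles(memberships):
    """Role ARNs of the user's groups (what Cognito exposes in the cognito:roles claim)."""
    return {GROUPS[g].role_arn for g in memberships}

def preferred_role(memberships):
    """Default role (cognito:preferred_role): lowest precedence value wins; roles do not stack."""
    return min((GROUPS[g] for g in memberships), key=lambda g: g.precedence).role_arn

def credentials_request(identity_id, id_token, memberships, role_arn=None):
    """Parameters for GetCredentialsForIdentity. Without role_arn Cognito uses the
    precedence-selected role; with role_arn, CustomRoleArn selects another group role.
    Cognito rejects a CustomRoleArn outside cognito:roles; we fail early for the same case."""
    target = role_arn or preferred_role(memberships)
    if target not in allowed_roles(memberships):
        raise PermissionError(f"{target} is not a role of any group the user belongs to")
    params = {"IdentityId": identity_id, "Logins": {PROVIDER: id_token}}
    if role_arn:
        params["CustomRoleArn"] = role_arn
    return params

def fetch_credentials(params, client=None):
    """Perform the call (needs AWS access); boto3 is imported lazily so the rest runs offline."""
    import boto3
    client = client or boto3.client("cognito-identity")
    return client.get_credentials_for_identity(**params)["Credentials"]

if __name__ == "__main__":
    member_of = ["A", "B"]
    print("default role:", preferred_role(member_of))  # group B's role (precedence 9)
    dynamo = credentials_request("us-east-1:IDENTITY-ID", "ID_TOKEN", member_of,
                                 role_arn=GROUPS["A"].role_arn)
    print("switch to Dynamo role via CustomRoleArn:", dynamo["CustomRoleArn"])
```

Each `credentials_request` result maps to one role at a time, which is the answer's point: to use Dynamo and Elastic Search permissions in one session you switch roles between calls or create a combined role.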