AWS Cognito user pool group precedence - working as expected and useless or broken?

Question

tl;dr:

What is the purpose of being able to add users to multiple groups in a user pool if the group with higher precedence overrides the role of the group with lower precedence? (Instead of stacking the roles)

Situation:

Cognito user pool with 2 groups. Group 'A' has a role with full access to Dynamo with a precedence of 10 Group 'B' has a role with full access to Elastic Search with a precedence of 9

If I add a user to either group alone it works as expected.

However

• if I add a user to group 'A' and 'B', I'd expect them to have permissions from both groups.
• it seems the documented functionality states that the user will just have the permissions from group 'B'. If this is the case, what is the purpose of adding users to multiple groups?

I assumed the purpose of being able to add users to multiple groups would be to have the roles stack instead of overwrite. This way...:

• group A could have perms 1,2,3 with precedence 10
• group B could have perms 4,5,6 with precedence 9
• group C could have perms with DENY on 1 with precedence 8

Could result like so:

• Users in A and B would have perms 1,2,3,4,5,6
• User in A, B, and C would have perms 2,3,4,5,6

But in reality: - Someone in A and B has perms 4,5,6 - Someone in A, B, and C has no permissions

Answer 1

It is expected behavior. If you want permissions from both of the groups you'll just have to create another group/role with combined permissions. Groups are for separating users. At any time a user can assume only one role. You can either let cognito decide which role it will assume based on precedence or you can specify it in GetCredentialsForIdentity custom role ARN. Also you can switch between roles behind the scenes whenever you want by calling GetCredentialsForIdentity and switching the role ARN and Make calls using the credentials for specific role.