I'm trying to achieve the following: I have a web application that needs different user permissions for some menus and calls to the API gateway.
I have done the following: - Set up a user pool with 2 groups ( Group 1 and Group 2 ) - Assigned users to those groups - Set up 2 policies ( Policy 1 and Policy 2, where policy 1 is the default policy in authenticated role in fed. identites) - Set up the correct trust policies in the roles - In federated identities, under authentication providers, I have set authenticated role selection to choose role from token
On the front, I have decoded the ID token and verified that the cognito:groups etc are correct when initialising a login.
So group 1 is the looser policy allowing everything, and policy 2 is the stricter policy that should not allow calls to a certain resource in API gateway.
But when I assign a user to a group 2 which has the stricter Policy 2, the user still seems to use the policy 1 which allows everything. What am I doing wrong here?
I have the same problem as this thread and done exactly what it says but still no progress
Each user pool can contain up to 25 groups.
With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP). Identity pools are for authorization (access control). You can use identity pools to create unique identities for users and give them access to other AWS services.
Check the role assigned to the user group has a trust relationship
. It needs this so it can assume the role of the federated identity provider.
You can build an appropriate role for the User pool groups role by doing this:
Choose role from token
Role resolution
to DENY
References:
Fine grained auth
Role based access control
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With