Cognito User Pool Groups not working with different roles

I'm trying to achieve the following: I have a web application that needs different user permissions for some menus and calls to the API gateway.

I have done the following:

  • Set up a user pool with 2 groups (Group 1 and Group 2)
  • Assigned users to those groups
  • Set up 2 policies (Policy 1 and Policy 2, where Policy 1 is the default policy in the authenticated role in federated identities)
  • Set up the correct trust policies in the roles
  • In federated identities, under authentication providers, I have set authenticated role selection to choose role from token

On the front, I have decoded the ID token and verified that the cognito:groups etc are correct when initialising a login.

So group 1 is the looser policy allowing everything, and policy 2 is the stricter policy that should not allow calls to a certain resource in API gateway.

But when I assign a user to group 2, which has the stricter Policy 2, the user still seems to use Policy 1, which allows everything. What am I doing wrong here?

I have the same problem as this thread and have done exactly what it says, but still no progress.

Shaho asked May 16 '17 13:05



1 Answer

Check that the role assigned to the user group has a trust relationship. It needs this so it can assume the role of the federated identity provider.

You can build an appropriate role for the user pool group by doing this:

  • Open AWS console
  • Get to IAM section
  • Pick roles
  • Pick web identity
  • Choose Amazon Cognito
  • Paste in your Identity pool id (the federated one)
  • Click next
  • Now add/create policies you need for the user group, like S3 access, or whatever.
  • Give the role a name and save it.
  • Go to your User Pool group, edit it and assign the role just created.
  • Open the Federated Identity
  • Set the Authenticated role selection dropdown to Choose role from token
  • Optionally set Role resolution to DENY

References:

Fine grained auth

Role based access control

Simon Hutchison answered Oct 30 '22 12:10
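The two things the answer tells you to verify (the group role's trust relationship, and what "Choose role from token" actually picks out of the ID token) can both be checked offline before touching the console again. The following is an added example, not code from the question or the answer: it builds the trust policy the "Web identity, Amazon Cognito" wizard generates, evaluates it against a given identity pool id, and models how the identity pool selects a role from the token's `cognito:preferred_role` claim. The identity pool id, account id and role names are placeholders, and the decoded ID-token payloads are constructed; `diagnose()` is a hypothetical helper, not an AWS API.

```python
"""Offline checks for a Cognito user-pool-group -> IAM-role mapping.

Added example (not from the original answer). Identity pool id, account id and
role names are placeholders; the ID-token claims below are constructed.
"""
import fnmatch
from typing import Optional

IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
ACCOUNT_ID = "123456789012"  # placeholder
DEFAULT_AUTH_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/Cognito_DefaultAuth_Role"  # placeholder
GROUP2_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/Group2Role"  # placeholder


def _as_list(value) -> list:
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(identity_pool_id: str) -> dict:
    """Trust policy the console 'Web identity -> Amazon Cognito' wizard attaches to
    the role: only the identity pool named in `aud` may assume it, and only for
    authenticated identities (`amr`). Without such a statement the group role
    cannot be assumed at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def trust_policy_allows(policy: dict, identity_pool_id: str, amr: list) -> bool:
    """Minimal evaluator for the two condition keys used above: would an identity
    with these `aud`/`amr` values be allowed to assume the role?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        aud_values = _as_list(cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud"))
        amr_patterns = _as_list(cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr"))
        aud_ok = not aud_values or identity_pool_id in aud_values  # absent condition = unconstrained
        amr_ok = not amr_patterns or any(fnmatch.fnmatchcase(v, p) for v in amr for p in amr_patterns)
        if aud_ok and amr_ok:
            return True
    return False


def select_role_from_token(claims: dict, default_role: str, role_resolution: str = "DENY") -> Optional[str]:
    """Model of the 'Choose role from token' setting: the identity pool takes the ID
    token's cognito:preferred_role claim (the role of the user's group with the
    lowest precedence value). If the token carries no such claim, for example because
    the group has no role ARN assigned, the 'Role resolution' setting decides: DENY
    yields no credentials, the alternative silently falls back to the default
    authenticated role, which is one way a Group 2 user can end up with Policy 1."""
    preferred = claims.get("cognito:preferred_role")
    if preferred:
        return preferred
    return None if role_resolution == "DENY" else default_role


# Constructed decoded ID-token payloads for a user in Group 2.
CLAIMS_WITH_ROLE = {
    "token_use": "id",
    "cognito:groups": ["Group2"],
    "cognito:roles": [GROUP2_ROLE],
    "cognito:preferred_role": GROUP2_ROLE,
}
CLAIMS_GROUP_WITHOUT_ROLE = {  # group membership present, but no role ARN on the group
    "token_use": "id",
    "cognito:groups": ["Group2"],
}


def diagnose(claims: dict, trust_policy: dict, identity_pool_id: str) -> list:
    """Hypothetical helper: human-readable findings for the checks in the answer above."""
    findings = []
    if select_role_from_token(claims, DEFAULT_AUTH_ROLE, role_resolution="DENY") is None:
        findings.append("ID token has cognito:groups but no cognito:preferred_role: "
                        "assign a role ARN to the group")
    if not trust_policy_allows(trust_policy, identity_pool_id, ["authenticated"]):
        findings.append("group role trust policy does not let this identity pool assume it")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(IDENTITY_POOL_ID)
    print(diagnose(CLAIMS_WITH_ROLE, policy, IDENTITY_POOL_ID))          # []
    print(diagnose(CLAIMS_GROUP_WITHOUT_ROLE, policy, IDENTITY_POOL_ID))  # one finding
    print(trust_policy_allows(policy, "us-east-1:other-pool", ["authenticated"]))  # False
```

Decode your own ID token and feed its payload to `diagnose()`: if `cognito:preferred_role` is missing even though `cognito:groups` is right, the group has no role attached and the identity pool has nothing to choose from, so it uses the default authenticated role unless role resolution is set to DENY. Paste the real group role's trust policy into `trust_policy_allows()` with the federated identity pool id to confirm the `aud` condition matches the pool you actually authenticate against.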