I've currently implemented a cognito user pool for my app and used it on the api-gateway to secure my functions. Its all working well, but here's my problem. I have 2 lambda functions: CreateEmployee and DeleteEmployee. How can I set that only specific users has access to the DeleteEmployee function?
Add custom authorizer and in api getway add in authorizer.
Inside custom authorizer lambda add ur logic to allow denied access as per your requirements .
You can use user groups to assign different roles to different group of users. Create two roles one with delete access and one without. Now add users to groups as you require.
You can find the details of group based role access here: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/
Related
summery
I'm gonna implement AWS Lambda Authorizer by Cognito.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
But I'm not sure how to limit the access to api/lambda based on user.
For example,
Cognito user pool has two users: user-1, user-2
And there are two AWS Lambda Function for API : lambda-1, lambda-2
In this senario, I want user-1 to access only to lambda-1 and user-2 to lambda-2
please give me the solution to achieve it.
regards,
If you want fine-grained control, you're better of using a lambda authorizer. This would still allow you to do authentication using Cognito.
In your Lambda function, you can return an IAM policy based on the user that is authenticated and restrict the access to only the API paths that you want them to access. You can then simply put both lambdas behind different paths of your API.
I want to assign specific role for registered user to distinct access in application. As instance I need roles: admin, operator.
Is it possible to do with Laravel Passport?
Whats difference between grand and role?
There are no such thins as roles on passport, you have scopes. As for the grant types they define a flow which your app should follow in order to get valid credentials, i recommend you to read the following article and to look for oauth2 documentation so you get a little more insight on the matter.
https://laravel-news.com/passport-grant-types
#Karim soubai already mention how to achieve roles.
We are building a number of microservices using API Gateway+lambda+DynamoDB. We need to secure these APIs using Cognito which we are using for user management. We will have a user pool and two groups with a different IAM role attached to each group. The need is users in one group should not be able to access all services and so the users in other group.
Any suggestions, how we can implement this?
The issue is ID token generated by Cognito is not validated by API gateway to check what level of access user has. All it checks is if Cognito ID token is valid or not.
You can use API Gateway custom authorizers to validate policies attached to each group.
From AWS Documentation:
You can use groups in a user pool to control permission with Amazon API Gateway. The groups that a user is a member of are included in the ID token provided by a user pool when a user signs in. You can submit those ID tokens with requests to Amazon API Gateway, use a custom authorizer Lambda function to verify the token, and then inspect which groups a user belongs to.
Additional references to implement:
https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
I have created my Amazon Cognito user pool and added few users. Added custom attributes in Cognito to differentiate between normal user and admin user. Exposed a REST API (for only admin users) to get the profile information of the given user using API Gateway and Lambda Engine to access my RDS DB instance to get few fields for that user from my DB.
I want to access the Cognito user profile information with the given username/subId from Lambda Engine / API Gateway.
I know with the given ID Token in API Gateway we can access the user profile details. But as a admin user I need to access details of other users with the given username from API Gateway or Lambda.
Kindly share, if you know how to get the user profile information from Cognito.
You are not mentioning which technology you are using to execute your Lambda functions.
Depending on SDK you will get an context object containing lots of information or you can read out the environment variables.
E.g. for Java the Lambda function gets a context object.
You could retrieve the identity from that one using:
context.getIdentity()
Update:
For Python it basically works the same way.
There is a context object as well. You can access it using context.identity.
In our system we are currently using UAA for user authentication. There is also a need to put in place access control for resources. A resource is defined as a runtime entity created by user. The access to the resource is dependent on which group he belongs too. In order to achieve that I want to create custom groups and roles in UAA and attach privileges to the groups and roles. Is there provision to add custom groups and roles in UAA? If not how can it be done?
You can always add custom groups with Rest APIs or commands.
Here is the command line example.
-Get the token for an admin client
uaac token client get admin -s adminsecret
-Create the group
uaac group add custom.group
-Add a user to the group
uaac member add custom.group user1
The user1 token will start showing the custom.group in its scope list.
You must of course also need to add the custom.group entry in the scope of the client you are requesting token with. If the client does not have it in its scope list, the user1 token returned will also not show the custom.group in its scope.