We are building a number of microservices using API Gateway+lambda+DynamoDB. We need to secure these APIs using Cognito which we are using for user management. We will have a user pool and two groups with a different IAM role attached to each group. The need is users in one group should not be able to access all services and so the users in other group.
Any suggestions, how we can implement this?
The issue is ID token generated by Cognito is not validated by API gateway to check what level of access user has. All it checks is if Cognito ID token is valid or not.
You can use API Gateway custom authorizers to validate policies attached to each group.
From AWS Documentation:
You can use groups in a user pool to control permission with Amazon API Gateway. The groups that a user is a member of are included in the ID token provided by a user pool when a user signs in. You can submit those ID tokens with requests to Amazon API Gateway, use a custom authorizer Lambda function to verify the token, and then inspect which groups a user belongs to.
Additional references to implement:
https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
Related
As my app is designed using flutter and all my app endpoints are created using Springboot. So can call direct APIs using Feignclient in Springboot to create my own endpoint to list all the envelopes for one recipient?
Do we have any endpoint to get all the envelopes by using the recipient name or email id? for example XYZ user needs to sign in 2 envelopes then using XYZ can we be able to fetch those 2 envelopes?
Yes, you are very welcome to call the eSignature REST API directly and not use an SDK. Use API version 2.1. About half of the developers who use the API do so directly.
Updated: authentication
To call the eSign REST API, each of your API calls must include authentication via an access token. You can obtain an access token via an OAuth flow.
If your users have DocuSign user accounts, then they should login/authenticate via Implicit grant assuming that you're using Flutter for a mobile app.
If your users don't have DocuSign accounts (they are signers, not senders), then you need to have a backend server that can securely use the JWT grant flow to obtain an access token on behalf of a "system" account such as "finance#example.com"
If you have questions about authentication, please open a new question on StackOverflow.
https://developers.docusign.com/docs/esign-rest-api/reference/envelopes/envelopes/liststatuschanges/
This endpoint has lots of filtering options including:
email={email_address} Limit results to envelopes sent by the account user with this email address.
user_name must be given as well, and both email and user_name must refer to an existing account user.
user_name={user_name} Limit results to envelopes sent by the account user with this user name.
email must be given as well, and both email and user_name must refer to an existing account user.
summery
I'm gonna implement AWS Lambda Authorizer by Cognito.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
But I'm not sure how to limit the access to api/lambda based on user.
For example,
Cognito user pool has two users: user-1, user-2
And there are two AWS Lambda Function for API : lambda-1, lambda-2
In this senario, I want user-1 to access only to lambda-1 and user-2 to lambda-2
please give me the solution to achieve it.
regards,
If you want fine-grained control, you're better of using a lambda authorizer. This would still allow you to do authentication using Cognito.
In your Lambda function, you can return an IAM policy based on the user that is authenticated and restrict the access to only the API paths that you want them to access. You can then simply put both lambdas behind different paths of your API.
I'm currently setting up AWS Amplify with my react app and adding an API so I can use GraphQL.
I'm currently at a choice to add authorization type and my two options are API key or Amazon cognito user pool.
It's my understanding that the second choice means if a user is signed in, they can interact with the API calls.
What does the first choice (API key) mean?
What is the difference?
API key is basically for unauthenticated workflows where the app doesn't need private access for different users. User Pools allows you to apply fine grained access controls. Take a look at the options with #auth in the GraphQL Transformer: https://aws-amplify.github.io/docs/cli/graphql#auth
API key is for public datas and Cognito user pools for private datas.
A good link :
https://aws.amazon.com/fr/blogs/mobile/graphql-security-appsync-amplify
I've currently implemented a cognito user pool for my app and used it on the api-gateway to secure my functions. Its all working well, but here's my problem. I have 2 lambda functions: CreateEmployee and DeleteEmployee. How can I set that only specific users has access to the DeleteEmployee function?
Add custom authorizer and in api getway add in authorizer.
Inside custom authorizer lambda add ur logic to allow denied access as per your requirements .
You can use user groups to assign different roles to different group of users. Create two roles one with delete access and one without. Now add users to groups as you require.
You can find the details of group based role access here: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/
I have created my Amazon Cognito user pool and added few users. Added custom attributes in Cognito to differentiate between normal user and admin user. Exposed a REST API (for only admin users) to get the profile information of the given user using API Gateway and Lambda Engine to access my RDS DB instance to get few fields for that user from my DB.
I want to access the Cognito user profile information with the given username/subId from Lambda Engine / API Gateway.
I know with the given ID Token in API Gateway we can access the user profile details. But as a admin user I need to access details of other users with the given username from API Gateway or Lambda.
Kindly share, if you know how to get the user profile information from Cognito.
You are not mentioning which technology you are using to execute your Lambda functions.
Depending on SDK you will get an context object containing lots of information or you can read out the environment variables.
E.g. for Java the Lambda function gets a context object.
You could retrieve the identity from that one using:
context.getIdentity()
Update:
For Python it basically works the same way.
There is a context object as well. You can access it using context.identity.