I have created my Amazon Cognito user pool and added a few users. Added custom attributes in Cognito to differentiate between normal user and admin user. Exposed a REST API (for only admin users) to get the profile information of the given user using API Gateway and Lambda Engine to access my RDS DB instance to get a few fields for that user from my DB.
I want to access the Cognito user profile information with the given username/subId from Lambda Engine / API Gateway.
I know with the given ID Token in API Gateway we can access the user profile details. But as an admin user I need to access details of other users with the given username from API Gateway or Lambda.
Kindly share, if you know how to get the user profile information from Cognito.
You are not mentioning which technology you are using to execute your Lambda functions.
Depending on SDK you will get an context object containing lots of information or you can read out the environment variables.
E.g. for Java the Lambda function gets a context object.
You could retrieve the identity from that one using:
context.getIdentity()
Update:
For Python it basically works the same way.
There is a context object as well. You can access it using context.identity.
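An added example, not code from the original thread: a Python Lambda behind an API Gateway method that uses a Cognito user pool authorizer. It reads the caller's ID-token claims that API Gateway places in the event, refuses anyone whose custom attribute does not mark them as admin, and only then looks up the requested user with AdminGetUser. The attribute name `custom:role`, the value `admin`, the pool id and the injected client are assumptions for illustration.

```python
"""Admin-only lookup of another Cognito user's profile (added example).

Assumptions not in the original thread: the pool has a custom attribute
`custom:role` set to "admin" for admins, the REST method uses a Cognito user
pool authorizer (so the caller's claims arrive under
event["requestContext"]["authorizer"]["claims"]), and a boto3-style client
can be injected so the logic runs without AWS access.
"""
import json

USER_POOL_ID = "us-east-1_EXAMPLE"  # placeholder, replace with your pool id


def caller_claims(event):
    """Return the ID-token claims API Gateway verified and attached."""
    return event.get("requestContext", {}).get("authorizer", {}).get("claims", {})


def is_admin(claims):
    """Authorization decision: the custom attribute must say 'admin'."""
    return claims.get("custom:role") == "admin"


def get_user_profile(cognito, username):
    """Fetch a user by username via AdminGetUser and flatten its attributes."""
    resp = cognito.admin_get_user(UserPoolId=USER_POOL_ID, Username=username)
    attrs = {a["Name"]: a["Value"] for a in resp.get("UserAttributes", [])}
    return {"username": resp["Username"], "status": resp.get("UserStatus"),
            "attributes": attrs}


def handler(event, context, cognito=None):
    """Lambda entry point: deny non-admins before touching Cognito at all."""
    if cognito is None:
        import boto3  # only needed when running inside AWS
        cognito = boto3.client("cognito-idp")
    if not is_admin(caller_claims(event)):
        return {"statusCode": 403, "body": json.dumps({"error": "admin only"})}
    username = (event.get("pathParameters") or {}).get("username")
    if not username:
        return {"statusCode": 400, "body": json.dumps({"error": "username required"})}
    try:
        profile = get_user_profile(cognito, username)
    except cognito.exceptions.UserNotFoundException:
        return {"statusCode": 404, "body": json.dumps({"error": "no such user"})}
    return {"statusCode": 200, "body": json.dumps(profile)}
```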
Summary
I'm gonna implement AWS Lambda Authorizer by Cognito.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
But I'm not sure how to limit the access to api/lambda based on user.
For example,
Cognito user pool has two users: user-1, user-2
And there are two AWS Lambda Function for API : lambda-1, lambda-2
In this scenario, I want user-1 to access only lambda-1 and user-2 only lambda-2.
Please give me the solution to achieve it.
Regards,
If you want fine-grained control, you're better off using a Lambda authorizer. This would still allow you to do authentication using Cognito.
In your Lambda function, you can return an IAM policy based on the user that is authenticated and restrict the access to only the API paths that you want them to access. You can then simply put both lambdas behind different paths of your API.
I'm currently setting up AWS Amplify with my react app and adding an API so I can use GraphQL.
I'm currently at a choice to add authorization type and my two options are API key or Amazon cognito user pool.
It's my understanding that the second choice means if a user is signed in, they can interact with the API calls.
What does the first choice (API key) mean?
What is the difference?
API key is basically for unauthenticated workflows where the app doesn't need private access for different users. User Pools allows you to apply fine grained access controls. Take a look at the options with #auth in the GraphQL Transformer: https://aws-amplify.github.io/docs/cli/graphql#auth
API key is for public data and Cognito user pools for private data.
A good link:
https://aws.amazon.com/fr/blogs/mobile/graphql-security-appsync-amplify
I've currently implemented a Cognito user pool for my app and used it on the API Gateway to secure my functions. It's all working well, but here's my problem. I have 2 Lambda functions: CreateEmployee and DeleteEmployee. How can I set that only specific users have access to the DeleteEmployee function?
Add a custom authorizer and add it as an authorizer in API Gateway.
Inside the custom authorizer Lambda, add your logic to allow or deny access as per your requirements.
You can use user groups to assign different roles to different groups of users. Create two roles, one with delete access and one without. Now add users to groups as you require.
You can find the details of group based role access here: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/
I'm using the Alexa for Business (A4B) API successfully with an Access Key ID and Secret Access Key with the AlexaForBusinessFullAccess IAM policy. However, I'm interested in building an app that other A4B users can use without embedding their Key ID and Key into my app directly.
Is there any way to create an Alexa for Business app that is authorized using an OAuth flow, like a standard Alexa skill?
I'm specifically looking to sync contacts using various A4B contacts APIs including the following:
CreateContact
DeleteContact
Information on the API is here but I didn't see anything for OAuth here.
https://docs.aws.amazon.com/a4b/latest/APIReference/
https://docs.aws.amazon.com/sdk-for-go/api/
Some information on auth is here:
https://docs.aws.amazon.com/sdk-for-go/api/aws/session/
I'm using Go but appreciate any info.
Just heard from an Amazon rep that OAuth is not available for the Alexa for Business API due to several reasons. The API must be accessed using IAM credentials or delegate IAM permissions.
Currently, a way to do this is to build a configuration page where users can supply their Access Key ID and Secret Access Key in the app configuration from the IAM console with the requisite AlexaForBusinessFullAccess policy.
It may also be possible to have the app enabled using the A4B console and create an IAM role from "Settings" > "AVS permissions" where the user needs to input the "AVS device maker's AWS account ID" and "Amazon ID".
We are building a number of microservices using API Gateway + Lambda + DynamoDB. We need to secure these APIs using Cognito, which we are using for user management. We will have a user pool and two groups with a different IAM role attached to each group. The need is that users in one group should not be able to access all services, and likewise for the users in the other group.
Any suggestions, how we can implement this?
The issue is that the ID token generated by Cognito is not validated by API Gateway to check what level of access the user has. All it checks is whether the Cognito ID token is valid or not.
You can use API Gateway custom authorizers to validate policies attached to each group.
From AWS Documentation:
You can use groups in a user pool to control permission with Amazon API Gateway. The groups that a user is a member of are included in the ID token provided by a user pool when a user signs in. You can submit those ID tokens with requests to Amazon API Gateway, use a custom authorizer Lambda function to verify the token, and then inspect which groups a user belongs to.
Additional references to implement:
https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
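An added example (not the answerer's code and not from the linked AWS posts) covering the Lambda-authorizer approach recommended above and in the earlier answers about per-user and per-group access: the authorizer verifies the ID token, reads the `cognito:groups` claim, and returns an IAM policy that allows only the API methods that group may call. The group names, the VERB/path entries, the method ARN and the pluggable `verify` function are assumptions; in AWS you would implement `verify` by checking the JWT signature and expiry against the user pool's JWKS.

```python
"""API Gateway custom (Lambda) authorizer driven by Cognito groups (added example).

Assumptions not in the thread: token verification is supplied as a callable
(signature + expiry check against the pool's JWKS in real use), group names
"admins" and "users" are placeholders, and the VERB/path entries below match
the methods of the API being protected.
"""
from typing import Callable, Dict, List

# What each Cognito group may invoke, as VERB/path suffixes of the method ARN
# (arn:aws:execute-api:region:account:api-id/stage/VERB/path).
GROUP_PERMISSIONS: Dict[str, List[str]] = {
    "admins": ["POST/employees", "DELETE/employees/*"],
    "users": ["POST/employees"],
}


def build_policy(principal_id: str, method_arn: str, allowed: List[str]) -> dict:
    """Build the authorizer response. Listing every allowed method (not just
    the one being called) keeps the policy correct when API Gateway caches
    it for the token and reuses it for other methods."""
    api_prefix = method_arn.split("/", 1)[0]
    stage = method_arn.split("/")[1]
    resources = [f"{api_prefix}/{stage}/{p}" for p in allowed]
    effect = "Allow" if resources else "Deny"
    if not resources:
        resources = [method_arn]  # nothing granted: explicit Deny on this call
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resources}],
        },
    }


def authorize(event: dict, verify: Callable[[str], dict]) -> dict:
    """Authorizer body: verify the token, then map group membership to a policy.
    Raising 'Unauthorized' makes API Gateway answer 401 instead of 403."""
    try:
        claims = verify(event.get("authorizationToken", ""))
    except Exception:
        raise Exception("Unauthorized") from None
    groups = claims.get("cognito:groups", [])  # JSON array in the ID token
    allowed = sorted({p for g in groups for p in GROUP_PERMISSIONS.get(g, [])})
    return build_policy(claims["sub"], event["methodArn"], allowed)
```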