I am looking into using AWS Cognito as a means to manage and authenticate users. I do not really want to use AWS API Gateway or any of their other services. It seems, though, that you can only create roles or policies if they are related to some other AWS service. I'd like to have these custom roles or policies on the user's ID token returned from Cognito. Is it possible to create these custom roles or policies, or am I restricted to only roles and policies related to Amazon services? I have tried the "Create your own policy" option, but it throws an error if it doesn't match a specific action or resource known to AWS services. Thanks.
You can use Cognito User Pools to authenticate your users. Then you can call STS to issue temporary credentials based upon your own rules (policies). Look into examples using assumeRole().
If you want an integrated / managed service then use Cognito Federated Identities for authorization and Cognito User Pools or Google, etc. for authentication.
Sort of confusing, but think of Cognito User Pools (or Facebook, etc.) as the Identity Provider and Cognito Federated Users as the Permissions broker.

John Hanley
- Thank you for your response. So I could create my own rules (policies) such as createToDoItem, deleteToDoItem, etc. and use assumeRole to give those roles on the auth JWT? My problem is I can't seem to find a way to create those custom policies; it seems to require those policies to be linked to some AWS service, unless you are using API Gateway and DynamoDB, in which case it seems it creates policies for you. – Trevor Sep 21 '17 at 17:47
- Please provide more details. What is createToDoItem? AWS Policies and Roles are related to AWS Services. If you are trying to create non-AWS policies or roles, then you would manage those yourself, for example in a DynamoDB table. Authenticate the user in Cognito. Then issue temporary credentials based upon the permissions that you decide upon. The temporary credentials that STS provides you are for accessing AWS services. If you do not need to provide AWS access to users, then use the JWT Token as your identity ID that you pass around between you and the user. – John Hanley Sep 21 '17 at 18:29
- Yes, createToDoItem would be a non-AWS policy or role, which a microservice behind a non-AWS API gateway would be sent on a JWT so that the microservice can authorize a user for individual endpoints. For example POST /toDoItem requires the user to have the createToDoItem role on their JWT to successfully complete the request hitting a non-AWS DB, Postgres in this case. Really I just like the ease of using Cognito as an ID provider; I would prefer not to use any other AWS services, but Amazon seems to make that difficult. – Trevor Sep 22 '17 at 14:25
- Yes, use Cognito for your authentication and then your own custom service for authorization. – John Hanley Sep 22 '17 at 20:30
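The thread ends with a split: Cognito does authentication, your own service does authorization. What that looks like inside the microservice is shown below as an added example in Go (standard library only); it is not code from the question, the answer or AWS. The service validates the ID token offline the way Cognito documents: the RS256 signature is checked against the pool's public key selected by the header's kid, then iss, token_use, aud and exp, and only then are the roles read and compared with what the route requires. The "roles" claim, the route-to-role table, the issuer URL, client id and kid are assumptions for this example. Cognito does not issue a "roles" claim by itself; you would add one in a Pre Token Generation Lambda trigger or, as the answerer suggests, look the user's roles up by the "sub" claim in a store you own. SignRS256 stands in for the identity provider so the example runs without network access; the service itself never signs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims a service reads from a Cognito ID token, plus a custom "roles" claim. The
// "roles" claim is this example's assumption: Cognito does not issue it by itself; you
// would add it in a Pre Token Generation trigger or look roles up by "sub" in your own store.
type Claims struct {
	Iss      string   `json:"iss"`
	Sub      string   `json:"sub"`
	Aud      string   `json:"aud"`       // app client id (access tokens carry "client_id" instead)
	TokenUse string   `json:"token_use"` // "id" or "access"
	Exp      int64    `json:"exp"`
	Roles    []string `json:"roles,omitempty"`
}

// Verifier is what the service needs to validate tokens offline: the pool's issuer URL,
// its own app client id and the pool's public keys by kid (<issuer>/.well-known/jwks.json).
type Verifier struct {
	Issuer   string
	ClientID string
	Keys     map[string]*rsa.PublicKey
}

var b64 = base64.RawURLEncoding

// Verify checks the RS256 signature first, then iss, token_use, aud and exp.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	// The header is attacker-controlled: pin the algorithm, never honour alg=none or HS256.
	var h struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &h); err != nil || h.Alg != "RS256" {
		return nil, errors.New("only RS256 is accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if key := v.Keys[h.Kid]; key == nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, errors.New("wrong issuer")
	case c.TokenUse != "id":
		return nil, errors.New("not an ID token")
	case c.Aud != v.ClientID:
		return nil, errors.New("token issued for another client")
	case !time.Now().Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Required maps routes to the custom role they need: the application-level "policies"
// from the question, owned by the service, not by AWS IAM.
var Required = map[string]string{"POST /toDoItem": "createToDoItem", "DELETE /toDoItem": "deleteToDoItem"}

// Authorize is the service's own authorization step; unknown routes are denied.
func Authorize(c *Claims, route string) bool {
	for _, r := range c.Roles {
		if need, ok := Required[route]; ok && r == need {
			return true
		}
	}
	return false
}

// SignRS256 mints a token the way the pool would; it is here only so the example runs offline.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	pb, _ := json.Marshal(c)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return input + "." + b64.EncodeToString(sig)
}
```

To exercise it, generate a key pair with rsa.GenerateKey, register &priv.PublicKey in Keys under a kid, mint a token with SignRS256 and pass it to Verify and then Authorize. A token whose payload segment is swapped for one that also claims deleteToDoItem fails at the signature check and never reaches the role lookup, and a header with alg set to none is rejected before any key is consulted, which is the classic mistake to avoid when you write this step yourself. In production the pool does the signing, so SignRS256 disappears and Keys is loaded from the pool's jwks.json by kid, refreshed when a token arrives with a kid you do not know.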