
We want to realize a multi-tenant application where we want to utilize:

  • AWS Cognito as our user pool
  • AWS DynamoDB for most of our data

As we are following a pooled approach, our DynamoDB data would have the tenantID as a primary key. Also, all users are pooled in one Cognito user pool.

Our application also needs to display our users within the application, therefore I need to query the users.

I would like to directly query the AWS Cognito pool and display all users of a tenant. Therefore I would add an attribute to the Cognito users, custom:tenantID.

But there is a problem: custom attributes are not searchable / filterable, so I cannot do a query based on the tenantID as I would have done with all other data tables.

I thought about "misusing" one of the searchable data fields like family name for the tenant, but that seems to be a bad idea.

I would like to avoid creating a DynamoDB table for the sole purpose of linking a user to a tenant. What are the approaches to solving this?

pfried

1 Answer


When using AWS Cognito for a multi-tenant application, use Cognito only for the authentication.

You can create a user table with an access control list (authorization) for each tenant stored in a DynamoDB table, which you can also use to search for users, etc.

If you use a custom attribute called tenant or store the tenant identifier in Cognito, in addition to the limitation on search, you will also limit a user to a single tenant.

Ashan
  • Can you recommend an attribute to use as an ID for the user then? Email address? Cognito ID? Do you know any real world examples for a solution like you suggested? – pfried Oct 08 '17 at 16:47
  • If you are planning to use Cognito Identity Pool, then use the CognitoID (here, Cognito Identity). With Cognito User Pools, you can use the email address (if email is mandatory for user identity both for local and federated users). Couldn't find a whitepaper directly addressing the concern, but overall for multi-tenant applications refer to the following two White Papers. https://d0.awsstatic.com/whitepapers/Multi_Tenant_SaaS_Storage_Strategies.pdf https://d0.awsstatic.com/whitepapers/saas-solutions-on-aws-final.pdf – Ashan Oct 08 '17 at 17:38
  • Don't use the email address or the Cognito ID; generate a new UUID and store it as a custom attribute. If you use the Cognito sub you'll have a lot of pain later on since you can't control the value there, i.e. moving to another user pool with the same email, or what if the user wants to change their email? Generate a new UUID value that you have control over. – danv Jun 27 '23 at 13:16
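The answer and comments above describe a design rather than code: Cognito does authentication only, a DynamoDB table records which users belong to which tenant (so one user can belong to several), that table is what you query to list a tenant's users, and the application-generated user ID (not the Cognito sub) is the join key. The following is an added example, not code from the answer author or from AWS, that shows one single-table layout for that membership table and the authorization check a request handler would run against it. The partition/sort key names (`PK`, `SK`, `GSI1PK`, `GSI1SK`), the role names, the `custom:userId` claim name and the in-memory table stand-in are all assumptions made for the example; the real table would be created with the same key schema and queried with `boto3`'s `query` in place of the stand-in.

```python
"""Pooled multi-tenant user directory kept outside Cognito (added example).

Layout of the one membership table (assumed names):
    base table : PK = TENANT#<tenantId>, SK = USER#<userId>   -> users of a tenant
    GSI1       : GSI1PK = USER#<userId>, GSI1SK = TENANT#<tenantId> -> tenants of a user
The table is simulated in memory so the example runs offline; each method notes
the DynamoDB query it stands in for.
"""
import uuid
from collections import defaultdict


class MembershipTable:
    def __init__(self):
        self._base = defaultdict(dict)  # PK -> {SK: item}
        self._gsi1 = defaultdict(dict)  # GSI1PK -> {GSI1SK: item}

    def put_membership(self, tenant_id, user_id, cognito_sub, email, role):
        """PutItem: one row per (tenant, user) pair, so a user may belong to many tenants."""
        item = {
            "PK": f"TENANT#{tenant_id}", "SK": f"USER#{user_id}",
            "GSI1PK": f"USER#{user_id}", "GSI1SK": f"TENANT#{tenant_id}",
            "tenantId": tenant_id, "userId": user_id,
            "cognitoSub": cognito_sub, "email": email, "role": role,
        }
        self._base[item["PK"]][item["SK"]] = item
        self._gsi1[item["GSI1PK"]][item["GSI1SK"]] = item
        return item

    def query_tenant_users(self, tenant_id):
        """Query: PK = TENANT#<id> AND begins_with(SK, 'USER#') on the base table."""
        rows = self._base[f"TENANT#{tenant_id}"]
        return [rows[sk] for sk in sorted(rows) if sk.startswith("USER#")]

    def query_user_tenants(self, user_id):
        """Query on GSI1: GSI1PK = USER#<id> AND begins_with(GSI1SK, 'TENANT#')."""
        rows = self._gsi1[f"USER#{user_id}"]
        return [rows[sk] for sk in sorted(rows) if sk.startswith("TENANT#")]

    def get_membership(self, tenant_id, user_id):
        """GetItem on the exact (PK, SK) pair; None when the user is not in that tenant."""
        return self._base[f"TENANT#{tenant_id}"].get(f"USER#{user_id}")


# Per-tenant roles and what they may do (assumed names).
PERMISSIONS = {"admin": {"user:list", "user:invite"}, "member": {"user:list"}}


def new_user_id():
    """Application-owned identifier stored in Cognito as a custom attribute,
    so the join key never depends on the email or on the pool-specific sub."""
    return str(uuid.uuid4())


def authorize(table, claims, requested_tenant, action):
    """Decide from the membership row, never from a client-supplied tenant alone.

    `claims` are the already-verified ID-token claims; token signature and
    expiry checks happen before this point and are out of scope here.
    """
    user_id = claims.get("custom:userId")
    membership = table.get_membership(requested_tenant, user_id) if user_id else None
    if membership is None:
        return False  # not a member of that tenant: cross-tenant request denied
    return action in PERMISSIONS.get(membership["role"], set())


def list_users_for(table, claims, requested_tenant):
    """The 'display all users of a tenant' query, gated by the membership check."""
    if not authorize(table, claims, requested_tenant, "user:list"):
        raise PermissionError(f"caller is not a member of tenant {requested_tenant}")
    return [{"userId": m["userId"], "email": m["email"], "role": m["role"]}
            for m in table.query_tenant_users(requested_tenant)]


def build_demo():
    """Constructed sample data: alice belongs to two tenants, bob to one."""
    table = MembershipTable()
    table.put_membership("acme", "u-alice", "sub-1111", "alice@example.com", "admin")
    table.put_membership("globex", "u-alice", "sub-1111", "alice@example.com", "member")
    table.put_membership("acme", "u-bob", "sub-2222", "bob@example.com", "member")
    return table


if __name__ == "__main__":
    t = build_demo()
    alice = {"sub": "sub-1111", "custom:userId": "u-alice"}
    for tenant in ("acme", "globex"):
        print(tenant, [u["email"] for u in list_users_for(t, alice, tenant)])
```

The membership row, not a field in the token or in the request body, decides which tenant a caller can see; a request for `globex` from a user who is only in `acme` fails the `get_membership` lookup and is refused before any data is read. Listing and membership queries hit one partition each, so the per-tenant "show all users" screen is a single `Query` call.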