I am creating an angular app, in which I want to add authentication via AWS Cognito (I am pretty new to AWS). I successfully added functionality for sign-up, sign-in, sign-out, mfa and more. In addition I want to create something like an admin panel, where admins can change general users' attributes. But I am not sure how to implement these admin things. How should admins sign-in? How should admins sign-up? Is there a dedicated user pool for them? And then how to manage (change attributes of) the general users as an admin?

I have gone through the AWS Documentation, but it is not clear enough. I see that there is some kind of action prefixed with Admin like AdminUpdateUserAttributes but I am not really sure how to use them.

Edit: I have tried something like this:

const AWS = require('aws-sdk');
// No credentials or region are configured on AWS.config at this point
let cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider({apiVersion: '2016-04-18'});

// this.newValue and this.username come from the Angular component
let params = {
    UserAttributes: [{
        Name: 'custom:state',
        Value: this.newValue
    }],
    UserPoolId: 'us-east-1_example',
    Username: this.username
};
cognitoIdentityServiceProvider.adminUpdateUserAttributes(params, function(err, data) {
    // do something with result
    err && console.error(err);
    data && console.log(data);
});

But I am getting the following error: CredentialsError: Missing credentials in config

How should I set these credentials?

radoslav-d

1 Answer

In order to have admin permissions, you need to provide accessKeyId and secretAccessKey or idToken. One way to do this is to get these keys from the AWS Management console. They can be extracted from an IAM role, which has the permissions to modify the desired User Pool. Then you can do:

AWS.config.update({accessKeyId: '...', secretAccessKey: '...'});

What I have personally done in my app is to create another user pool for admins. Then I added this user pool as an Identity Provider to an Identity Pool. Then I edited the Authorized IAM role to be able to edit the user pool with the general users.

The following worked for me:

import * as AWS from 'aws-sdk';
import {
  CognitoUserPool,
  AuthenticationDetails,
  CognitoUser
} from 'amazon-cognito-identity-js';

// The admin user pool is separate from the pool that holds the general users
const userPool = new CognitoUserPool({
  UserPoolId: this.adminUserPoolId,
  ClientId: this.adminClientId
});

const authenticationDetails = new AuthenticationDetails({
  Username: username,
  Password: password
});
const cognitoUser = new CognitoUser({
  Username: username,
  Pool: userPool
});

// authenticateUser is asynchronous: the session (and its id token) is only
// available inside the onSuccess callback
cognitoUser.authenticateUser(authenticationDetails, {
  onSuccess: (session) => {
    const jwt = session.getIdToken().getJwtToken();
    const provider = `cognito-idp.${this.region}.amazonaws.com/${this.adminUserPoolId}`;

    AWS.config.update({
      region: this.region,
      credentials: new AWS.CognitoIdentityCredentials({
        IdentityPoolId: this.identityPoolId,
        Logins: {
          [provider]: jwt // when you provide the jwt, accessKeyId and secretAccessKey are extracted
        }
      })
    });

    // From here on the SDK signs requests with the temporary credentials of the
    // identity pool's authenticated IAM role
    const identityService = new AWS.CognitoIdentityServiceProvider();
    identityService.adminUpdateUserAttributes(params, (err, data) => { // params as in the question
      err && console.error(err);
      data && console.log(data);
    });
  },
  onFailure: (err) => console.error(err)
});

radoslav-d
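As an added example (not part of the answer above), this is the kind of least-privilege policy that can be attached to the identity pool's authenticated IAM role so that the temporary credentials obtained through the admin pool can do exactly what the admin panel needs and nothing else. The account id (123456789012) and region are placeholders; the user pool id is the one from the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdminPanelCanUpdateGeneralUserAttributes",
      "Effect": "Allow",
      "Action": [
        "cognito-idp:AdminUpdateUserAttributes"
      ],
      "Resource": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_example"
    }
  ]
}
```

Attach this only to the authenticated role of the identity pool (the unauthenticated role should not receive it), restrict Resource to the general users' pool rather than "*", and add further cognito-idp:Admin* actions one by one as the panel actually needs them. Because the credentials are minted per sign-in from the id token, they expire and no long-lived access key has to be shipped in the Angular bundle.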