I'm trying to set up a protected route on my webapp. For this, I've created a Group, Admins, in my User Pool. I've assigned this group to the WebappAdmins role, which contains custom policies:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "webapp:*",
        "Resource": "*"
    }]
}

How can I, from the webapp, discern whether the logged-in CognitoUser has the webapp:ViewUploadDocumentsPage permission? Since all CognitoUsers that are a part of the Admins group have webapp:* permissions, they should have the webapp:ViewUploadDocumentsPage permission, if I'm not mistaken. I understand that verifying their permissions on the webapp is insecure, and it doesn't matter anyway, since I plan on adding specific lambda permissions to the WebappAdmins role to prevent any actual harm done by other users.

I'm expecting some sort of endpoint that I can make an authenticated POST request to on behalf of the CognitoUser, passing webapp:ViewUploadDocumentsPage in the body. I haven't found anything alluding to that in my extensive research, so I assume I'm wrong.

Could I create an API Gateway with an Authorizer that only accepts requests from CognitoUsers with the webapp:ViewUploadDocumentsPage permission? I'm truly unsure of how to go about this.

Kael Kirk

1 Answer

Rather than verifying what IAM permissions the user has, wouldn't it be simpler just to check what groups the user is in? If the user is in the Admins group, then you know they have the permission you are interested in. You can get the user's group membership any number of ways depending on what language you are using and where you want to do the check.

Brian Winant
  • You're right, I'm now using the group to discern whether the user should be able to view the route. And for the backend, I'm using a lambda authorizer. My insistence on using custom policies came from a misunderstanding of how Cognito should be used. – Kael Kirk Jul 17 '20 at 13:30