AWS Cognito Role Based Access Control (RBAC)

June 21, 2022 by texpleadmin

Tired of searching for Cognito Role Based Access Control (RBAC) steps?

Frustrated by how little, and how confusing, information there is about Cognito RBAC on the internet?

Don't worry. We are here for you. We will help end your endless Google search for RBAC and guide you to a simple, easy-to-understand solution.

Before we start, I would suggest you know the basics of Cognito and IAM.

  • We assume you have a Cognito user pool created and some users in it.
  • Don't rush to create a group right away. There are a few things to iron out first; then we can move on to groups.
  • You will need to decide how many groups you will create and what access you will give each of them through IAM roles.

Let's take an example to make things clear.

We will create 3 groups in Cognito

  • Admin
  • Technician
  • User

Starting from the bottom, the User group will have access to put objects in S3.

Technicians will have access to create S3 buckets and put objects in S3.

Admins will have all the access mentioned above and can also delete S3 buckets.

We are taking this example so that everyone can understand this and be able to implement it.

Now that we have finalized the access, let's move on to creating IAM roles.

We will create a policy for users, technicians, and admins. In each policy, replace the placeholder Resource with the ARN of the S3 bucket the group works with (and, for object-level actions such as s3:PutObject, the objects in it).

Users Policy


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1655552313680",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

Technician Group Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1655552313680",
      "Action": [
        "s3:PutObject",
        "s3:CreateBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Admin Group Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1655552313680",
      "Action": [
        "s3:PutObject",
        "s3:CreateBucket",
        "s3:DeleteBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Done. Now that we have created the policies, we attach each one to its own IAM role. After attaching a policy to its role, you also need to set the role's trust relationship so that Cognito identities are allowed to assume it.

If you are wondering where the trust relationship is in an IAM role, I'm here to help.

Go to Trust relationships –> Edit trust policy –> paste the policy below.

 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

 

Note: You can add other permissions as your needs dictate. For example, you can add a policy to the admin role that lets it create or edit users in AWS Cognito.
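As an added check (example code, not from the original post), the following Python builds the three group policies with proper s3: action prefixes and bucket-scoped resources, verifies that each group's permissions are a superset of the group below it, and lints a role's trust policy for the two conditions that stop another identity pool, or an unauthenticated identity, from assuming it. POOL_ID reuses the placeholder identity pool id from the trust policy above; BUCKET is a constructed value.

```python
# Added example (not the post's code). POOL_ID reuses the page's placeholder pool id; BUCKET is constructed.
POOL_ID = "us-east-1:12345678-corner-cafe-123456790ab"
BUCKET = "arn:aws:s3:::example-bucket"
AUD, AMR = "cognito-identity.amazonaws.com:aud", "cognito-identity.amazonaws.com:amr"

def group_policy(actions):
    """Permission policy for one Cognito group, scoped to one bucket and its objects."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": sorted(actions), "Resource": [BUCKET, BUCKET + "/*"]}]}

POLICIES = {  # the page's three groups, least to most privileged
    "user": group_policy({"s3:PutObject"}),
    "technician": group_policy({"s3:PutObject", "s3:CreateBucket"}),
    "admin": group_policy({"s3:PutObject", "s3:CreateBucket", "s3:DeleteBucket"}),
}

def trust_policy(pool_id):
    """Trust policy: only this identity pool, only authenticated identities."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {AUD: pool_id},
                          "ForAnyValue:StringLike": {AMR: "authenticated"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def lint_permissions(policy):
    """Flag actions without a service prefix and resources that are not S3 ARNs."""
    findings = []
    for st in policy["Statement"]:
        findings += [f"action {a!r} lacks a service prefix" for a in _as_list(st["Action"]) if ":" not in a]
        findings += [f"resource {r!r} is not an S3 ARN" for r in _as_list(st["Resource"])
                     if not r.startswith("arn:aws:s3:::")]
    return findings

def lint_trust(trust, pool_id):
    """Flag a role that any identity pool (or an unauthenticated identity) could assume."""
    findings = []
    for st in trust["Statement"]:
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get(AUD) != pool_id:
            findings.append("aud is not pinned to this identity pool")
        if cond.get("ForAnyValue:StringLike", {}).get(AMR) != "authenticated":
            findings.append("amr does not require authenticated identities")
    return findings

def hierarchy_ok(policies, order=("user", "technician", "admin")):
    """Each group must allow at least everything the group below it allows."""
    acts = [set(policies[g]["Statement"][0]["Action"]) for g in order]
    return all(lo <= hi for lo, hi in zip(acts, acts[1:]))
```

Running lint_permissions over the unprefixed "CreateBucket" form of the technician policy reports both the missing prefix and the non-S3 resource, which is how the defect would be caught before the role is deployed.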

Let's get back to our Cognito user pool.

  • Go to Users and groups –> click Groups –> Create group –> enter the desired name (we are going with admin, technician, and user) –> select the IAM role we created for that group –> click Create group.

    Voila!!! You have created a group. Now do the same for the rest of the groups.

  • After you're done, go to each group and add its users.

    Now I hope you have created an identity pool for the Cognito user pool. If not, let's create one: go to Federated identities.

  • If you have not created an identity pool yet, this takes you straight to the identity pool wizard. Under authentication providers, enter the Cognito user pool ID and the app client ID from the user pool.

  • After this, click Create and the identity pool will be created. Now go to the identity pool and edit its authentication providers (shown in the GIF). Under the Cognito authentication provider, set the authenticated role selection to "Choose role from token".

  • We need to select this so that Cognito uses the permissions of the IAM role assigned to the user's group, not the identity pool's default authenticated role.

    The service access defined in the Cognito group only takes effect with this setting. This is how you implement RBAC in Cognito.

I hope that I have succeeded in explaining how to implement RBAC in Cognito. Follow these steps and get a better understanding of RBAC.

That’s all folks.