Tjen's blog

AWS & Typescript Masterclass - 8. AWS Cognito Identity pools

code dev.aws course.cdk dev.aws-cdk dev.aws-cognito

September 14th, 2022

54-61

(54) Section intro

AWS Cognito - user pool vs identity pool

(55) AWS Cognito Identity pools in the console

Authenticated role selection

A) use default role

authenticated
unauthenticated

B) choose role with rules

C) choose role from token (-> this app)

user -> group -> role

(56) Getting AWS temporary credentials

// skipped

(57-59) Identity pools in CDK

link to userPoolGroup via roleArn

new CfnUserPoolGroup(this.scope, 'admins', {
groupName: 'admins',
userPoolId: this.userPool.userPoolId,
roleArn: this.identityPoolWrapper.adminRole.roleArn,
})

// initialize identityPool
this.identityPool = new CfnIdentityPool(this.scope, 'SpaceFinderIdentityPool', {
allowUnauthenticatedIdentities: true,
cognitoIdentityProviders: [{
clientId: this.userPoolClient.userPoolClientId,
providerName: this.userPool.userPoolProviderName,
}]
});
new CfnOutput(this.scope, 'IdentityPoolId', {
value: this.identityPool.ref
})

// initialize roles
this.authenticatedRole = this.createRole('CognitoDefaultAuthenticatedRole', true)
this.unauthenticatedRole = this.createRole('CognitoDefaultUnauthenticatedRole', false)
this.adminRole = this.createRole('CognitoAdminRole', true)
this.adminRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ['s3:ListAllMyBuckets'],
resources: ['*']
}))

private createRole(id: string, authenticated: boolean) {
return new Role(this.scope, id, {
assumedBy: new FederatedPrincipal('cognito-identity.amazonaws.com', {
StringEquals: {
'cognito-identity.amazonaws.com:aud': this.identityPool.ref
},
'ForAnyValue:StringLike': {
'cognito-identity.amazonaws.com:amr': authenticated ? 'authenticated' : 'unauthenticated'
},
},
'sts:AssumeRoleWithWebIdentity'
)
});
}

// attach roles
new CfnIdentityPoolRoleAttachment(this.scope, 'RolesAttachment', {
identityPoolId: this.identityPool.ref,
roles: {
'authenticated': this.authenticatedRole.roleArn,
'unauthenticated': this.unauthenticatedRole.roleArn,
},
roleMappings: {
adminsMapping: {
type: 'Token',
ambiguousRoleResolution: 'AuthenticatedRole',
identityProvider: `${this.userPool.userPoolProviderName}:${this.userPoolClient.userPoolClientId}`
}
}
})

(60) testing whether it works

command line to add / remove user from group

op run -- bash -c 'aws cognito-idp admin-remove-user-from-group --user-pool-id ${USER_POOL_ID} --username ${TEST_USER_NAME} --group-name admins'

op run -- bash -c 'aws cognito-idp admin-add-user-to-group --user-pool-id ${USER_POOL_ID} --username ${TEST_USER_NAME} --group-name admins'

(61) Further reading

Fine-grained Access Control with Amazon Cognito Identity Pools - YouTube

AWS re:Invent 2018: Deconstructing SaaS: Building Multi-Tenant Solutions on AWS (ARC418-R1) - YouTube

AWS re:Invent 2017: [REPEAT] Serverless Authentication and Authorization: Identity M (SRV403-R) - YouTube

This post was referenced in: