
I am developing a single page application with a REST backend that uses AWS Cognito for user management and authentication.

I have structured it such that when the user enters the page without a token, the following series of steps occur:

  1. Redirect to Cognito's default login page
  2. The user logs in and is redirected to host/authenticate.html
  3. An AJAX call is sent to Cognito's token endpoint, which returns the user's tokens. These are stored in sessionStorage
  4. The user is redirected to the web application and is now authenticated

I want to have two user roles in my application: Users and Admins. Users should not be allowed to call any AWS services, whereas Admins should be allowed to create/invite and promote other users to admins on behalf of his company.

Currently I have set up an Identity Pool for the User Pool and web application, that enables the admin permissions. I authenticate with the Identity pool using the following code:

AWS.config.region = "eu-central-1";
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'eu-central-1:<my-identitypool-id>',
    Logins: {
        // key: the user pool's provider name; value: the ID token stored by the login flow
        'cognito-idp.eu-central-1.amazonaws.com/<my-userpool-id>':
            sessionStorage.getItem('id_token')
    }
});

var cisp; // CognitoIdentityServiceProvider client, created once credentials resolve

AWS.config.credentials.get(function(err){
    if (err) {
        console.error(err);
        return; // no credentials were obtained, so do not continue
    }
    console.log("Authenticated");
    cisp = new AWS.CognitoIdentityServiceProvider();
});

And when the admin wants to create a user:

cisp.adminCreateUser(params, function(err, data) {
    if (err) 
        console.log(err, err.stack);
    else
        console.log(data);
});

However, from my understanding of it this would allow all users of the web application to have Admin privileges, as the IAM role is associated with the Identity Pool and not the users per se.

Is there any simple way of achieving this?

Please feel free to ask questions in case anything is unclear and thanks in advance for your help.

  • Custom attributes and RBAC. You can create a rule that assigns a specific IAM role for users with a custom:admin attribute value of true (docs.aws.amazon.com/cognito/latest/developerguide/…). Commented Jun 28, 2018 at 15:35
  • Thank you for your reply. I have now added custom:admin as you suggested, but I'm left with two questions: 1. How do I assign values to the custom attribute from the web-interface? 2. Where do I add the condition? Is it in the IAM policy or the IAM role? Commented Jun 29, 2018 at 8:03
  • Related: stackoverflow.com/questions/40845937/… and docs.aws.amazon.com/cognitoidentity/latest/APIReference/… Commented Jun 29, 2018 at 15:33
  • I've tried to read through the resources you posted, but sadly without any luck. I've managed to set up an authentication system that gives my users the User role when they log into my site, but I still don't understand how to upgrade users that have custom:role=admin to have admin privileges. So far I've tried to add a trust policy to the user roles with the condition stated just above and use STS to assume admin roles. Care to explain a bit more? Commented Jul 4, 2018 at 12:58

1 Answer


I managed to find the solution in the end. In case anyone experiences the same issues as me, you can go to the dashboard for your Cognito Identity Pool and edit it.

There is a section called Authentication providers, where you can specify conditions for claims and give roles based on that. On the same page you can also edit which role is given to users who are not authenticated and default roles to users who are authenticated, but do not satisfy any of the conditions you specify.

In my case I gave all authenticated users the role of User and created the condition shown in the picture below, which grants all users that have a value of "admin" in "custom:role" the role of Admin.

(Image: Identity Pool control panel)
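The mapping the answer configures in the console, written out as an added example (not code from the question or answer): the SetIdentityPoolRoles parameters of the AWS SDK v2 `AWS.CognitoIdentity` client, plus a small local evaluator that mirrors how the rule picks a role from the ID token's claims so the mapping can be checked offline. Role ARNs, pool ids and the app client id are placeholders; the provider key format `<provider name>:<app client id>` is assumed from the API.

```javascript
// Placeholder ARNs and ids; replace with your own.
const USER_ROLE = "arn:aws:iam::123456789012:role/Cognito_User";
const ADMIN_ROLE = "arn:aws:iam::123456789012:role/Cognito_Admin";
// Rule mappings are keyed by "<user pool provider name>:<app client id>" (assumed format).
const PROVIDER = "cognito-idp.eu-central-1.amazonaws.com/<my-userpool-id>:<my-app-client-id>";

// Equivalent of the console settings: default authenticated role = User,
// and one rule granting Admin when the claim custom:role equals "admin".
const identityPoolRoles = {
  IdentityPoolId: "eu-central-1:<my-identitypool-id>",
  Roles: { authenticated: USER_ROLE }, // given to authenticated users matching no rule
  RoleMappings: {
    [PROVIDER]: {
      Type: "Rules",
      AmbiguousRoleResolution: "AuthenticatedRole", // fall back to the default role, not Deny
      RulesConfiguration: {
        Rules: [
          { Claim: "custom:role", MatchType: "Equals", Value: "admin", RoleARN: ADMIN_ROLE },
        ],
      },
    },
  },
};
// Apply with: new AWS.CognitoIdentity().setIdentityPoolRoles(identityPoolRoles, callback)
// Note: the rule is only as trustworthy as the claim. In the user pool's app client
// settings, leave custom:role readable but NOT writable by the client, otherwise a
// signed-in user could set the attribute on themselves and be mapped to Admin.

// Does one rule match the claim value taken from the ID token?
function matches(rule, claimValue) {
  if (typeof claimValue !== "string") return false;
  switch (rule.MatchType) {
    case "Equals":     return claimValue === rule.Value;
    case "NotEqual":   return claimValue !== rule.Value;
    case "Contains":   return claimValue.includes(rule.Value);
    case "StartsWith": return claimValue.startsWith(rule.Value);
    default:           return false;
  }
}

// Role ARN the claims would receive under the mapping; null means no credentials (Deny).
function resolveRole(claims, config = identityPoolRoles, provider = PROVIDER) {
  const mapping = config.RoleMappings[provider];
  for (const rule of mapping.RulesConfiguration.Rules) {
    if (matches(rule, claims[rule.Claim])) return rule.RoleARN; // first matching rule wins
  }
  return mapping.AmbiguousRoleResolution === "AuthenticatedRole" ? config.Roles.authenticated : null;
}
```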


1 Comment

It may also be necessary to grant authenticated users the permission to assume a different role, as described in this document under the section "Granting Pass Role Permission".
