Create a Cognito Identity Pool

From @mjbf0748 on Wed Apr 04 2018 19:39:55 GMT+0000 (UTC)

I have completed most of it. I want to fix this authentication issue before
I continue. If Amplify may help fix this error, I will go over the update.
What do you think?

On Wed, Apr 4, 2018 at 3:36 PM Jay V notifications@github.com wrote:

@mjbf0748 https://github.com/mjbf0748 It depends how far along you are.
If you are almost done, I’d say complete it and then go over the update.
Most of the structure is the same with Amplify. It just makes some parts
simpler.


From @jayair on Wed Apr 04 2018 21:27:50 GMT+0000 (UTC)

@mjbf0748 The Amplify update does authentication slightly differently. So it might be worth trying it.

From @19bharatvikram on Mon Apr 09 2018 10:48:38 GMT+0000 (UTC)

Hi Jay,

I have 2 users and as per our application design, they can see their notes only. But now, I want to enable user1 to view/edit the notes of user2 but not delete them.

Is it possible to do that? If yes, how?

Thanks,
Bharat Chand

From @jayair on Mon Apr 09 2018 17:50:15 GMT+0000 (UTC)

@19bharatvikram There are lots of ways to do this. Currently, we get notes using a user id and note id pair. To allow users to access other users’ notes, you’d need to store your notes under a different index. Maybe just store it under note id. But you’ll need to separately track which user has access to which set of notes.

From @19bharatvikram on Mon Apr 09 2018 18:09:32 GMT+0000 (UTC)

Hi Jay,

Thanks for your quick response. I understand that I’ll need an index column, say noteId, for that. Just wanted to know more about how I can keep track of which users have access to which set of notes. Any pseudo code or sample IAM role/policy or any reference link/doc will help.

Thanks again,
Bharat Chand

From @jayair on Mon Apr 09 2018 18:46:50 GMT+0000 (UTC)

@19bharatvikram Hmmm you could use an IAM role if your user groups are not dynamic. Say for example you had an admin group and a regular users group that had different sets of permissions. Then you could create roles for them. But if the relationships are dynamic then it might be trickier.

Hi,

I think the security model here is a bit inconsistent and because of that, if the app gets bigger it can become hard to make it really secure. Why?

You use 2 roles:

  1. lambda execution role
  2. authenticated user role

Suppose you want to list a bucket with users’ files in a lambda function. For that you need to update the lambda execution role by adding the listObjects permission on S3. But because there is no user context in the lambda execution role, you need to give access to the whole bucket, and by that you are opening a door for other users to see all the pictures.

To fix it you should use the ‘Invoke with caller credentials’ option in API Gateway; this way your lambda will be executed with the user’s role. (And of course the duplication will be removed too.)


I don’t think the Invoke with caller credentials option works that way. You can find some threads on this with more detail - https://forums.aws.amazon.com/thread.jspa?threadID=261510.

This setting tells API Gateway to invoke the Lambda with the user’s role but it does not execute the Lambda with that role. You still need to supply the Lambda execution role.

We’ve tested this to confirm the behavior but maybe we are doing something wrong. If you have a working example where the Lambda executes with the user’s role as opposed to the Lambda execution role, I’d love to see it.
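Since the Lambda keeps running under its execution role (Jay’s point above), per-user isolation for a bucket listing has to be enforced in the handler itself. Added example, not code from this thread or the Serverless Stack project: the handler only ever lists under `private/<cognitoIdentityId>/`, using the identity id API Gateway attaches to IAM-authorized requests. The bucket name, `FakeS3` client, sample keys and events are all constructed so it runs offline.

```python
# Added example (not from the thread or the Serverless Stack project): a Lambda
# that lists S3 objects only under the caller's private/<cognitoIdentityId>/
# prefix. The execution role still needs s3:ListBucket on the bucket; per-user
# isolation comes from the handler, using the identity id that API Gateway
# puts in requestContext.identity for IAM-authorized requests.
BUCKET = "example-notes-uploads"  # constructed bucket name


class NotAuthorized(Exception):
    """Raised when the request carries no Cognito identity id."""


def caller_prefix(event):
    """Return the only key prefix this caller may list."""
    identity = event.get("requestContext", {}).get("identity", {})
    identity_id = identity.get("cognitoIdentityId")
    if not identity_id:
        raise NotAuthorized("request is not IAM-authorized")
    return f"private/{identity_id}/"


def list_user_files(event, s3_client):
    """List keys under the caller's prefix; a client-supplied prefix can only narrow it."""
    params = event.get("queryStringParameters") or {}
    prefix = caller_prefix(event) + params.get("prefix", "")
    resp = s3_client.list_objects_v2(Bucket=BUCKET, Prefix=prefix)
    return [obj["Key"] for obj in resp.get("Contents", [])]


class FakeS3:
    """Constructed in-memory stand-in for boto3's S3 client so this runs offline."""

    def __init__(self, keys):
        self.keys = keys

    def list_objects_v2(self, Bucket, Prefix):
        return {"Contents": [{"Key": k} for k in self.keys if k.startswith(Prefix)]}


SAMPLE_KEYS = [  # constructed bucket contents for two identities
    "private/us-east-1:aaaa/notes.txt",
    "private/us-east-1:aaaa/photos/cat.jpg",
    "private/us-east-1:bbbb/secret.txt",
]


def sample_event(identity_id=None, prefix=None):
    """Constructed API Gateway proxy event for a given caller."""
    return {"requestContext": {"identity": {"cognitoIdentityId": identity_id}},
            "queryStringParameters": {"prefix": prefix} if prefix else None}
```

On Lambda, pass `boto3.client("s3")` as `s3_client`; the bucket's execution role only needs `s3:ListBucket` because the code, not the role, decides which prefix is visible.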

I was thrown off on setting: YOUR_API_GATEWAY_ID. Only after going through the debugging, did I realize that I’d put the string descriptor of the app and not the (never explicitly defined in the AWS console =P) gateway ID.

I see that you called out the general format of this above the policy, but I wonder if maybe underneath the policy you might call out in a table the configuration variables that need to be changed, and an example of the format of the variable.

Oh. Was this part not helpful?

Yeah, for whatever reason I just kinda read past that. I almost wonder if maybe it would have been better, at least for me, coming after the code block, or maybe as a table. I dunno, one guy’s feedback.


I see. Thanks for the feedback!

Can we edit the policy after IdentityPool has been created ? I can’t see this option anywhere when editing IP…

EDIT: found it myself, to modify existing policy you need to go to IAM -> Roles -> Cognito_notesidentpoolAuth_Role and possibly add/modify entries there.

In my case I had to add an API Gateway deployed to a different region than the original.


@anomalyinnovations I am building a web app following your tutorial. If my web app does not have users, how should I set up the AWS Cognito Identity Pool?
Thanks a lot

Are your users uploading files to S3?

The user will not be uploading any files into S3; the only action is to call the API to update the database.

In that case you completely skip the Identity Pool and User Pool part. Just create an API endpoint with no authentication and use the fetch() calls in JS to make requests. This is exactly as if you were talking to any other public API.

Hi y’all I’m getting the message below after entering the custom policy.

This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more

My policy is as below. I had to change the action scope of s3 from

s3:*

to

["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject"]

This suggests that there’s an s3 action that does not support arn resources? How did others get past this point?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::kiwi-notes-app-uploads/private/${cognito-identity.amazonaws.com:sub}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:us-east-1:*:xxxxx/*"
            ]
        }
    ]
}
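The mistakes raised across this thread (leaving `s3:*` instead of the specific actions, a `private/` resource whose `${cognito-identity.amazonaws.com:sub}` variable is misspelled or missing so it is not scoped to the caller, the `YOUR_API_GATEWAY_ID` placeholder left in the execute-api ARN, and an execute-api region that differs from where the API is deployed) are all mechanically checkable. Added example, not code from the thread or the project: a small linter for the authenticated role policy; `SAMPLE_POLICY` is constructed to carry each mistake and the API id in it is a placeholder.

```python
# Added example (not from the thread): lint the Cognito authenticated-role
# policy for the mistakes discussed above. It reports, per statement, an
# s3:* wildcard, a private/ S3 resource not scoped with the caller's
# ${cognito-identity.amazonaws.com:sub} variable, a YOUR_API_GATEWAY_ID
# placeholder, and an execute-api region that does not match the deployment.
import json
import re

SUB_VAR = "${cognito-identity.amazonaws.com:sub}"
EXEC_API = re.compile(r"^arn:aws:execute-api:(?P<region>[^:]*):")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_auth_role_policy(policy_json, api_region):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if "s3:*" in actions:
            findings.append(f"stmt {i}: s3:* grants every S3 action; list the ones you need")
        for res in _as_list(stmt.get("Resource", [])):
            if res.startswith("arn:aws:s3:::") and "/private/" in res and SUB_VAR not in res:
                findings.append(f"stmt {i}: {res} is not scoped to the caller (expected {SUB_VAR})")
            match = EXEC_API.match(res)
            if match:
                if "YOUR_API_GATEWAY_ID" in res:
                    findings.append(f"stmt {i}: replace YOUR_API_GATEWAY_ID with the real API id")
                region = match.group("region")
                if region not in ("", "*", api_region):
                    findings.append(f"stmt {i}: execute-api region {region} != {api_region}")
    return findings


# Constructed sample policy carrying each mistake (API id is a placeholder).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-uploads/private/${cognito-identity.amazonws.com:sub}/*"},
        {"Effect": "Allow", "Action": ["execute-api:Invoke"],
         "Resource": ["arn:aws:execute-api:us-east-1:*:YOUR_API_GATEWAY_ID/*"]},
    ],
})
```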

Hmm are you doing this to tighten up the permissions that are being granted?

I got this same notification and just left it as is. I did get through the test on the next step with no issues. We will see if there is a later permission failure on S3 or not. Probably going to be OK.