Reading custom claims for SaaS multitenant isolation

Hi, thanks for this resource!

I’ve gone through the basic tutorials and am now thinking of setting up a multi tenant SaaS, and I was wanting to use custom claims to provide tenant and role specific context. I watched videos on Serverless SaaS to get some idea of ways to structure it but am now getting a bit stuck on the nitty gritty.

I looked at Cognito user groups and RBAC but got scared, I’m new to this and it looks really tricky. I’d rather not get into the business of having my app code provision new groups, roles etc when a new tenant is onboarded, i.e. the AWS infra should be declared and deployed once for all tenants and then the tenant specific isolation would be done in my biz logic (maybe this is ill advised and I should try to use IAM for every layer?)

I’ve managed to wire up a pre token generation trigger, which adds my custom claims, but I can’t see them coming back in the api gateway events when inspected. In fact I can’t even see the jwt. Is it hiding there or am I misunderstanding something? For custom claims would I need to use JWT ApiAuthorizationType rather than AWS_IAM ? And if so could I still use Amplify and attachPermissions for buckets/tables etc?

Many thanks

Just adding to this, during investigation I think amplify may be the weakest link. I also saw that amplify stores the id token in localStorage, which isn’t safe. I see there is an open issue but the comments aren’t very encouraging https://github.com/aws-amplify/amplify-js/issues/3436 - has anyone got it working with something other than amplify? I’m looking into the lower-level amazon-cognito-identity-js - npm library which amplify uses under the hood.

Ah, I didn’t see Connect to API Gateway with IAM Auth | Serverless Stack earlier which outlines a lower level alternative to amplify, if anyone else is stuck with this.