AWS Roles

Jose Canahui
3 min read · Jul 4, 2018

Managing roles with AWS can be pretty darn difficult. Thankfully, today I was not short on patience.

I spent all of July 4th’s morning trying to get a React application to use admin roles for a user to work with AWS services. Instead of using the admin roles it was assigned in AWS Cognito, the token was using the temporary roles created for authenticated users.

To be completely honest, I never got it to work. The group was not able to be assigned from Cognito so the user could use roles attached to them. I tried modifying the role’s trusted relationships to add Cognito, but that did not work either. However, from the ashes of my despair rose another confusing idea — Federated Identities.

We can set up the federated identity to look at our user’s attributes. By creating a custom attribute called “role”, we can assign a role to the user from the federated identity if the user’s attribute matches a keyword, say, admin.

This allows us to give users role-based access control based on a custom attribute. This is even better than the original idea because I know how to edit user attributes from the API fairly easily. Also, keep in mind when doing this that you’re going to want to set custom read/write permissions for user attributes in Cognito, or else anyone could say they’re an admin.

Let’s get this done:

1. Go to your federated identity (Cognito > “Manage Identity Pools”).

2. Select your identity pool, then select “Edit identity pool” on the top left. Copy your “Identity pool ID”, then head to IAM.

3. Create a role. On the first step, select “Web Identity”; for the identity provider, select Amazon Cognito:

4. Now paste the “Identity pool ID” you previously copied into the new input field:

5. Great! Now go back to your federated identity from step one, click again on “Edit identity pool”, and open the “Authentication Providers” drawer.

6. In the authenticated role section, select “Choose role with rules”. Assuming you already made a custom attribute in your user pool, add that information in. For example, I created a “role” custom attribute, so it is referenced as custom:role, and only users that have it set to Admin will get this role, so the match type is “Equals” and “Admin” is the value it will look for (I set it to Admin instead of admin; it doesn’t really matter). Then in the dropdown on the right, choose the role you just created in steps 2 & 3.

7. I believe this is all, folks! Now when you log in with a user that has that attribute set as you specified, they will use that role! Again, for this you must have already set custom user attributes and created a user pool, and it helps to know how to navigate AWS a little.
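The same configuration the console steps above produce, written out as the documents the AWS CLI takes, as an added example that is not part of the original post or the Local 197 repo. It covers the custom-attribute mapping described earlier (custom:role equals Admin) and the role from steps 3 and 4. Every ID, ARN and the role name Local197Admin are placeholders; the app-client attribute permissions at the end are assumed for illustration and are the concrete form of the "anyone could say they're an admin" caveat. It goes slightly beyond the post in noting the "Deny" option for users that match no rule.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): rule-based role mapping for a
# Cognito identity pool, as the AWS CLI documents. All IDs are placeholders.
set -eu

IDENTITY_POOL_ID="us-east-1:00000000-0000-0000-0000-000000000000"        # placeholder
USER_POOL_ID="us-east-1_EXAMPLE"                                         # placeholder
APP_CLIENT_ID="1example23456789"                                         # placeholder
REGION="us-east-1"
ADMIN_ROLE_ARN="arn:aws:iam::123456789012:role/Local197Admin"            # placeholder
AUTH_ROLE_ARN="arn:aws:iam::123456789012:role/Cognito_Local197Auth_Role" # placeholder

# Trust policy for the admin role (steps 3 and 4). The Web Identity wizard
# emits the same shape: only identities federated through THIS identity pool
# ($1), and only authenticated ones, may assume the role.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "cognito-identity.amazonaws.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": { "cognito-identity.amazonaws.com:aud": "$1" },
      "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }
    }
  }]
}
EOF
}

# Role mapping for the identity pool (step 6). The key is the user pool
# provider for one app client; the rule maps ID-token claim custom:role == Admin
# to the admin role ($1). Users matching no rule fall back to the default
# authenticated role; set AmbiguousRoleResolution to "Deny" to give them no
# credentials at all instead.
role_mappings() {
  local provider="cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}:${APP_CLIENT_ID}"
  cat <<EOF
{
  "${provider}": {
    "Type": "Rules",
    "AmbiguousRoleResolution": "AuthenticatedRole",
    "RulesConfiguration": {
      "Rules": [
        { "Claim": "custom:role", "MatchType": "Equals", "Value": "Admin", "RoleARN": "$1" }
      ]
    }
  }
}
EOF
}

# Applies everything with the AWS CLI. Not invoked by default; uncomment the
# last line once the placeholders above are real.
apply() {
  aws iam create-role --role-name Local197Admin \
    --assume-role-policy-document "$(trust_policy "$IDENTITY_POOL_ID")"

  aws cognito-identity set-identity-pool-roles \
    --identity-pool-id "$IDENTITY_POOL_ID" \
    --roles "authenticated=${AUTH_ROLE_ARN}" \
    --role-mappings "$(role_mappings "$ADMIN_ROLE_ARN")"

  # The caveat from the post: if the app client may write custom:role, any
  # signed-in user can set it to Admin via UpdateUserAttributes and promote
  # themselves. The client may read the attribute (so it lands in the ID token)
  # but only an administrator-side call should ever write it.
  aws cognito-idp update-user-pool-client \
    --user-pool-id "$USER_POOL_ID" --client-id "$APP_CLIENT_ID" \
    --read-attributes email name "custom:role" \
    --write-attributes email name
}
# apply
```

Run the script as-is to print nothing and define the helpers; `trust_policy "$IDENTITY_POOL_ID"` and `role_mappings "$ADMIN_ROLE_ARN"` show the two documents, and `apply` pushes them once the placeholders are replaced.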

Context

This is something I explored while working on the website for Carpenters Union Local 197. It is using AWS Amplify with React and Redux to do all the nifty stuff. Notice that we had to touch none of this code to get roles to work; I’m basically just using AWS Amplify’s stuff out of the box. To take a look at the Local 197 code for examples, you can check out the repo.

Resources

For information on AWS group access control: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/

For more information on AWS Amplify (I find looking at their repo & packages more useful): https://github.com/aws/aws-amplify/issues/337
