Cognito User Pool Groups and retrieving IAM from Lambda


A customer is building a serverless solution. Clients would make an API call, trigger a custom authorizer/Lambda using a request parameter, and authenticate the user in the user pool. However, to generate a policy doc, they don't want to grant a blanket 'Allow' to the request. They want to apply IAM policies to user groups in Cognito, and pass that to the Lambda authorizer. Has anyone encountered this? How to retrieve the IAM role/policy attached to the group in Cognito user pools?

1 answer

Accepted answer

It seems like they're trying to fight the conventional pattern. Serverless or not, why would they not authenticate & authorize the user directly via Cognito first, and then use the Cognito JWT as authN/Z to the api call? Everything they are after (group based policies, access control on the api) is essentially trivial if they do the identity bits first.

Expert
answered 6 years ago
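The pattern the answer recommends, worked through as an added example (this is not code from the thread or from AWS): a Lambda authorizer receives a Cognito ID token, and after the token's signature has been verified against the user pool's JWKS (assumed to be done by a library such as PyJWT before these functions run), it checks the remaining claims and builds the API Gateway policy document from the `cognito:groups` claim instead of returning a blanket Allow. The issuer, app client ID, group-to-route table and sample claims are constructed placeholders. When a group has an IAM role attached, Cognito also puts it in the `cognito:roles` and `cognito:preferred_role` claims, so no extra call to Cognito or IAM is needed inside the authorizer.

```python
"""Lambda authorizer: Cognito user-pool groups -> API Gateway policy document.

Added example, not from the re:Post thread. Assumes the ID token signature has
already been verified against the user pool JWKS (e.g. jwt.PyJWKClient + PyJWT);
only the claims dict is handled here.
"""
import time
from typing import Dict, List, Optional, Tuple

# Hypothetical user pool / app client identifiers (placeholders, not real).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleappclientid"

# Group -> API Gateway routes ("VERB/resource") the group may invoke.
# Stand-in for whatever the customer keeps in config; "*/*" is the admin catch-all.
GROUP_ROUTES: Dict[str, List[str]] = {
    "readers": ["GET/items", "GET/items/*"],
    "editors": ["GET/items", "GET/items/*", "POST/items", "PUT/items/*"],
    "admins": ["*/*"],
}


def verify_claims(claims: dict, now: Optional[float] = None) -> dict:
    """Checks a signature check does not cover. Raises PermissionError on failure."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise PermissionError("token issued by an unexpected user pool")
    if claims.get("token_use") != "id":
        raise PermissionError("expected an ID token (groups live in the ID token)")
    if claims.get("aud") != APP_CLIENT_ID:
        raise PermissionError("token not issued for this app client")
    if now >= float(claims.get("exp", 0)):
        raise PermissionError("token expired")
    return claims


def split_method_arn(method_arn: str) -> Tuple[str, str]:
    """'arn:aws:execute-api:region:acct:apiId/stage/VERB/path' -> (api prefix, stage)."""
    base, _, rest = method_arn.partition("/")  # rest = "stage/VERB/resource..."
    stage, _, _ = rest.partition("/")
    return base, stage


def build_policy(claims: dict, method_arn: str) -> dict:
    """Build the authorizer response for already-verified claims.

    The Allow statement lists every route the user's groups permit, not just the
    requested one: API Gateway caches the authorizer result per token, so a
    policy scoped to a single methodArn would break the user's next route.
    A user with no recognised group gets an explicit Deny on the requested ARN.
    """
    groups: List[str] = claims.get("cognito:groups", [])
    base, stage = split_method_arn(method_arn)
    resources = sorted(
        {f"{base}/{stage}/{route}" for g in groups for route in GROUP_ROUTES.get(g, [])}
    )
    statement = {
        "Action": "execute-api:Invoke",
        "Effect": "Allow" if resources else "Deny",
        "Resource": resources or [method_arn],
    }
    return {
        "principalId": claims["sub"],
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # Context values must be scalars, so the group list is joined.
        "context": {
            "groups": ",".join(groups),
            "preferred_role": claims.get("cognito:preferred_role", ""),
        },
    }


# Constructed sample claims shaped like a Cognito ID token payload (not real).
SAMPLE_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "iss": ISSUER,
    "aud": APP_CLIENT_ID,
    "token_use": "id",
    "exp": 2_000_000_000,
    "cognito:groups": ["readers"],
    "cognito:preferred_role": "arn:aws:iam::123456789012:role/readers-role",
}
SAMPLE_METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items"

if __name__ == "__main__":
    import json
    policy = build_policy(verify_claims(SAMPLE_CLAIMS, now=1_000), SAMPLE_METHOD_ARN)
    print(json.dumps(policy, indent=2))
```

In a real handler, `verify_claims` and `build_policy` sit behind the JWKS signature check; if that check or any claim check fails, raise (API Gateway returns 401) rather than returning a Deny document, so failed tokens are not cached as a policy.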
