IAM policy with custom attributes from Cognito User Pool


I would like to create an IAM user (via the console) who can only see specific users in a Cognito user pool that have a specific custom attribute. For example, all users from the UK have a custom attribute in the Cognito user pool called:

custom:countryCode: UK

If I write the condition like this, it doesn't work:

```json
"Condition": {
    "StringEquals": {
        "aws:PrincipalTag/custom:countryCode": "UK"
    }
}
```
1 Answer

Hi there! Interesting question. To my knowledge, you can't use custom attributes from a Cognito User Pool in IAM policy conditions for an IAM user. This is because IAM users cannot identify custom attributes from any Cognito User Pool. Custom attributes are only available within the Cognito User Pool service and are not passed to IAM as principal tags.

However, you can use an alternative approach to achieve a similar result. You can use Cognito Identity Pools and role-based access control (RBAC) to assign different IAM roles to different users based on their attributes. For example, you can create a role that allows listing and reading only the users with a specific country code attribute, and another role that denies these actions for other users. Then you can map these roles to your Cognito Identity Pool using rules or custom logic.

I tried breaking this down into some steps you can try to implement below:

  1. Create a Cognito Identity Pool and enable access to unauthenticated identities if you want to allow guest users.
  2. Create two IAM roles: one that allows listing and reading only the users with a specific country code attribute, and one that denies these actions for other users. You can use the AWS CLI or the API to create these roles and attach policies that use the aws:PrincipalTag condition key to match the attribute value.
  3. Create a role mapping rule or custom role mapping logic in your Cognito Identity Pool that assigns the appropriate role to each user based on their country code attribute. You can use the aws:PrincipalTag condition key to match the attribute value in the IAM policy.
  4. Configure your application to use the Cognito Identity Pool as the identity provider and obtain temporary credentials for your users using the GetCredentialsForIdentity API.
  5. Use the temporary credentials to perform any operation that requires listing and reading users from the Cognito User Pool using the AWS CLI or the API. If you follow these steps, you should be able to use custom attributes from a Cognito User Pool in role-based access control for an IAM user, which can get around the problem you are having. Have a look at these docs for some more info:

https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html

Good luck! If this helps you, it would be much appreciated if you could accept my answer :)

AWS
answered a year ago
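The mechanism the answer describes, as an added worked example (not code from the question, the answer, or AWS): map the user pool's `custom:countryCode` claim to a principal tag on the identity pool, write the role's trust and permissions policies around that tag, and check offline how `StringEquals` on `aws:PrincipalTag/countryCode` behaves for a UK user, a non-UK user, and a user with no country attribute. The identity pool ID, user pool ID, account ID and region are placeholders; the token claims are constructed; `session_tags_from_claims` and `is_allowed` are small emulations of what Cognito Identity and IAM do, not AWS APIs.

```python
import json

# Placeholder identifiers (assumptions, not from the original post).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
USER_POOL_ID = "us-east-1_EXAMPLE"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
USER_POOL_PROVIDER = f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# The tag key is chosen by you; policies reference aws:PrincipalTag/<TAG_KEY>.
# Custom user pool attributes appear in the ID token as "custom:<name>".
TAG_KEY = "countryCode"
USER_POOL_CLAIM = "custom:countryCode"


def principal_tag_map():
    """Request body for cognito-identity SetPrincipalTagAttributeMap:
    map the user pool claim to a session tag on the assumed role."""
    return {
        "IdentityPoolId": IDENTITY_POOL_ID,
        "IdentityProviderName": USER_POOL_PROVIDER,
        "UseDefaults": False,
        "PrincipalTags": {TAG_KEY: USER_POOL_CLAIM},
    }


def trust_policy():
    """Role trust policy; sts:TagSession is required so the identity pool
    can attach the mapped attribute as a session tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def permissions_policy(country):
    """Permissions policy for the role: the caller's own mapped tag must equal `country`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["cognito-idp:ListUsers", "cognito-idp:AdminGetUser"],
            "Resource": f"arn:aws:cognito-idp:{REGION}:{ACCOUNT_ID}:userpool/{USER_POOL_ID}",
            "Condition": {"StringEquals": {f"aws:PrincipalTag/{TAG_KEY}": country}},
        }],
    }


def session_tags_from_claims(claims, tag_map):
    """Emulate the identity pool: each mapped claim present in the ID token becomes a tag."""
    return {tag: claims[claim] for tag, claim in tag_map.items() if claim in claims}


def is_allowed(policy, action, session_tags):
    """Minimal emulation of IAM evaluation for Allow statements whose only
    condition is StringEquals on aws:PrincipalTag keys. A missing tag makes
    StringEquals false, so the request is denied (no IfExists here)."""
    prefix = "aws:PrincipalTag/"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if all(k.startswith(prefix) and session_tags.get(k[len(prefix):]) == v
               for k, v in cond.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed ID-token claims for three users.
    uk_user = {"sub": "a1", "custom:countryCode": "UK"}
    de_user = {"sub": "b2", "custom:countryCode": "DE"}
    untagged = {"sub": "c3"}
    tag_map = principal_tag_map()["PrincipalTags"]
    policy = permissions_policy("UK")
    for claims in (uk_user, de_user, untagged):
        tags = session_tags_from_claims(claims, tag_map)
        print(claims["sub"], tags, is_allowed(policy, "cognito-idp:ListUsers", tags))
    print(json.dumps(trust_policy(), indent=2))
```

Two things worth keeping in mind when applying this. First, `aws:PrincipalTag` always describes the caller: for an IAM user it is the tags attached to that IAM user, which is why the key in the question never sees a Cognito attribute; with the identity pool mapping above it is the mapped session tag of the assumed role. Second, the condition decides whether the caller may invoke `ListUsers` at all; it does not filter which users come back, and `ListUsers` cannot filter on custom attributes server-side, so the application still has to filter the results it shows.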
