Using role-based access control

0

I want certain users in the Cognito user pool to have permissions to access the database. For this I created a group and assigned it a role to access the database. I created an identity pool by following the steps below:

- User access -> Authenticated user
- Authenticated identity sources: Amazon Cognito user pool
- Authenticated role -> Use an existing IAM Role: BasicAuthRole (created by me)
- Role settings -> Role selection: Choose role with preferred_role claim in tokens -> Role resolution: Use default authenticated role

The group has a BetaWhiteListReadAccess role. I followed this tutorial https://arpadt.com/articles/cognito-groups-iam-roles to get the credentials to access the database. This tutorial explains how to get AWS credentials by calling GetCredentialsForIdentity, starting from the ID token obtained after authentication using the user pool. In the local credentials file in the .aws folder I added a new profile with aws_access_key_id, aws_secret_access_key and aws_session_token obtained from the GetCredentialsForIdentity call. I also added the profile to the config file.

When I run the aws sts get-caller-identity --profile user command, the Arn property has the default role in the identity pool, not the group role. The token I used was for a user in that group and I checked that it has the cognito:preferred_role claim. I tried to run the aws dynamodb describe-table --table-name carmentesting --profile user command but I got the error: An error occurred (AccessDeniedException) when calling the DescribeTable operation: User: *******assumed-role/BasicAuthRole/CognitoIdentityCredentials is not authorized to perform: dynamodb:DescribeTable on resource: ****table/carmentesting because no identity-based policy allows the dynamodb:DescribeTable action. I have checked the trust policy and permission policy for the BetaWhiteListReadAccess role and they are correct. I changed BasicAuthRole to BetaWhiteListReadAccess and it worked to access the database. But I want only users in the group I created to have the BetaWhiteListReadAccess role; the rest of the users I want to have the BasicAuthRole role.

I was expecting the identity provider to assign the role in the cognito:preferred_role claim to the user, but that doesn't happen. Could someone please help me?

1 Answer
6
Accepted Answer

Role Assignment via Cognito Groups:

You have created a Cognito user group (BetaWhiteListReadAccess) and associated it with an IAM role (BetaWhiteListReadAccess) that grants permissions to access DynamoDB.

**Identity Pool and Role Resolution:** You've configured an identity pool to use an existing IAM role (BasicAuthRole) for authenticated users from the Cognito user pool.

You expect users from the Cognito group (BetaWhiteListReadAccess) to assume the BetaWhiteListReadAccess role when accessing AWS resources.

STS GetCredentialsForIdentity Issue:

After obtaining credentials using GetCredentialsForIdentity and configuring AWS CLI profiles, you're seeing that the assumed role (BasicAuthRole) from the identity pool is used instead of the expected group role (BetaWhiteListReadAccess).

Access Denied Error:

When attempting to access DynamoDB using the assumed role (BasicAuthRole), you're encountering an AccessDeniedException because the role does not have permissions for DynamoDB operations.

Resolution Steps

To resolve these issues and ensure that users from your Cognito group (BetaWhiteListReadAccess) correctly assume the BetaWhiteListReadAccess IAM role, follow these steps:

Identity Pool Configuration:

Make sure your identity pool is configured to allow users from the Cognito user pool to assume roles based on the preferred_role claim. Ensure the following settings are correctly configured:

Authenticated role: Use an existing IAM role (BasicAuthRole or another role that allows users to assume roles).

Role resolution: Choose role with preferred_role claim in tokens.

Cognito User Pool Group Configuration:

Ensure that users who should have access to the BetaWhiteListReadAccess role are correctly assigned to the BetaWhiteListReadAccess group within the Cognito user pool.

Verify Cognito Claims:

Verify that when users authenticate, the ID token they receive includes the cognito:preferred_role claim with the value arn:aws:iam::<your-account-id>:role/BetaWhiteListReadAccess.

STS GetCredentialsForIdentity and AWS CLI Profiles:

Ensure that when using GetCredentialsForIdentity, you correctly handle the credentials received and set up AWS CLI profiles (aws_access_key_id, aws_secret_access_key, aws_session_token).

Testing Access:

After configuring the above settings, test access to DynamoDB using the AWS CLI with the correct profile (--profile user) that reflects the BetaWhiteListReadAccess role credentials.

IAM Role Policies:

Review and ensure that the IAM role (BetaWhiteListReadAccess) has the necessary permissions (dynamodb:DescribeTable) attached via an IAM policy. This policy should allow actions on DynamoDB resources as needed.

Troubleshooting Tips

IAM Policy Evaluation: Double-check the IAM policies attached to BetaWhiteListReadAccess role to ensure they include the necessary permissions for DynamoDB (dynamodb:DescribeTable).

Cognito Claims: Verify that the preferred_role claim is correctly populated in the ID token for users in the BetaWhiteListReadAccess group.

AWS CLI Profile: Ensure that the AWS CLI profile (--profile user) used in your commands is correctly configured with the credentials obtained from GetCredentialsForIdentity.

EXPERT
answered 3 months ago
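The check that both the question and the answer's "Verify Cognito Claims" and "Testing Access" steps describe (look at the cognito:preferred_role claim in the ID token, exchange the token through GetCredentialsForIdentity, then confirm which role the STS caller ARN actually carries) as an added Python/boto3 example. It is not code from the original question, the answer, or the linked tutorial. The region, user pool ID, identity pool ID and account number are placeholders, the helper names are mine, and the sample token built by sample_id_token is constructed for offline use of the claim-inspection helpers only.

```python
"""Confirm which IAM role a Cognito identity-pool session resolved to.

Added example (not from the original post). The helpers that decode the
token and parse ARNs run offline; the live check at the bottom needs boto3,
network access and real pool identifiers (placeholders below).
"""
import base64
import json
import sys

# Assumed placeholder identifiers; replace with your own.
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLE"
IDENTITY_POOL_ID = "eu-west-1:00000000-0000-0000-0000-000000000000"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.

    Only for inspecting claims locally; authorization decisions must never
    rely on an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def role_claims(claims: dict):
    """Group-role claims Cognito adds to the ID token for users in a group."""
    return claims.get("cognito:preferred_role"), claims.get("cognito:roles", [])


def role_name_from_arn(arn: str) -> str:
    """Bare role name from an IAM role ARN (…:role/Name) or an STS caller
    ARN (…:assumed-role/Name/Session)."""
    resource = arn.split(":", 5)[5]
    kind, name = resource.split("/")[:2]
    if kind not in ("assumed-role", "role"):
        raise ValueError(f"unexpected ARN resource: {resource}")
    return name


def session_matches_preferred_role(caller_arn: str, claims: dict) -> bool:
    """True when the STS caller ARN carries the role named in the token."""
    preferred, _ = role_claims(claims)
    if preferred is None:
        return False
    return role_name_from_arn(caller_arn) == role_name_from_arn(preferred)


def sample_id_token(claims: dict) -> str:
    """Constructed JWT-shaped sample for offline tests. The signature segment
    is a dummy, so AWS would reject it; it only feeds the local helpers."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "kid": "sample"}), seg(claims), "dummysig"])


def fetch_identity_pool_credentials(id_token: str) -> dict:
    """Live: exchange a user-pool ID token for identity-pool credentials.
    The Logins map must carry the ID token, not the access token."""
    import boto3  # imported here so the offline helpers work without boto3
    ci = boto3.client("cognito-identity", region_name=REGION)
    logins = {f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}": id_token}
    identity_id = ci.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    return ci.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]


def check_live(id_token: str) -> bool:
    """Live: report the token's role claims next to the role STS says we got."""
    import boto3
    creds = fetch_identity_pool_credentials(id_token)
    sts = boto3.client("sts", region_name=REGION,
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretKey"],
                       aws_session_token=creds["SessionToken"])
    caller_arn = sts.get_caller_identity()["Arn"]
    claims = decode_jwt_claims(id_token)
    preferred, roles = role_claims(claims)
    print("cognito:preferred_role :", preferred)
    print("cognito:roles          :", roles)
    print("STS caller ARN         :", caller_arn)
    return session_matches_preferred_role(caller_arn, claims)


if __name__ == "__main__":
    ok = check_live(sys.argv[1])  # usage: python check_role.py <ID token>
    print("session uses preferred role" if ok else "session fell back to the default role")
```

If the first two lines show the group role but the STS ARN still names BasicAuthRole, the token is fine and the problem sits on the identity pool side: the "Role resolution: Use default authenticated role" setting listed in the question is what the pool falls back to when it cannot apply the role from the token, so that is where the answer's first step (role selection from the preferred_role claim, plus the role's trust policy for the identity pool) needs checking.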
