How to allow IAM user console access to only a Single User Pool?

0

I'm currently testing if AWS Cognito can be used for our use-case. The plan is to use AWS Cognito user pools feature to provide user-authentication for a web application. However, we want some of our customers to be able to administrate their own user pools, so they can add and remove their own users themselves. I am trying the following:

  1. Create a separate user-pool for the customer
  2. Add a new console user in IAM with a policy that allows to access and administer only that user pool, which the customer can use for administration

I am using the following IAM policy in testing:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cognito-idp:AdminGetDevice",
                "cognito-idp:AdminCreateUser",
                "cognito-idp:ListIdentityProviders",
                "cognito-idp:GetIdentityProviderByIdentifier",
                "cognito-idp:GetUICustomization",
                "cognito-idp:AdminGetUser",
                "cognito-idp:ListUserPoolClients",
                "cognito-idp:ListUsersInGroup",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:AdminEnableUser",
                "cognito-idp:AdminListUserAuthEvents",
                "cognito-idp:ListGroups",
                "cognito-idp:ListResourceServers",
                "cognito-idp:AdminListDevices",
                "cognito-idp:DescribeIdentityProvider",
                "cognito-idp:DescribeResourceServer",
                "cognito-idp:GetWebACLForResource",
                "cognito-idp:AdminDisableUser",
                "cognito-idp:DescribeUserImportJob",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:AdminDeleteUser",
                "cognito-idp:AdminDeleteUserAttributes",
                "cognito-idp:GetSigningCertificate",
                "cognito-idp:GetCSVHeader",
                "cognito-idp:ListTagsForResource",
                "cognito-idp:GetUserPoolMfaConfig",
                "cognito-idp:GetGroup",
                "cognito-idp:DescribeRiskConfiguration",
                "cognito-idp:AdminUpdateUserAttributes",
                "cognito-idp:AdminListGroupsForUser",
                "cognito-idp:ListUserImportJobs",
                "cognito-idp:ListUsers"
            ],
            "Resource": "arn:aws:cognito-idp:eu-west-1:XXXXXXXXXX:userpool/USER_POOL_ID"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "cognito-idp:ListUserPools",
            "Resource": "*"
        }
    ]
}

Using this policy, I can login with the console user, and go to the link of the user pool (e.g. https://eu-west-1.console.aws.amazon.com/cognito/v2/idp/user-pools/USER_POOL_ID/users?region=eu-west-1) and do administration tasks (e.g. create users).

The problem is however that I need to set 'cognito-idp:ListUserPools' for this to work. Even if I directly go to the specific URL of the user pool, I still need this privilege, because otherwise Cognito will redirect to the 'Getting Started' Page. However, I don't want our customers to be able to see a list of all our user pools.

My Questions:

  1. Is what I'm trying to do even a good idea, or is AWS Cognito simply not designed for 'delegated administration' (as Auth0 calls it)?
  2. Is there a way to authorize administration of a single user pool, without the 'ListUserPools' action?

One solution that I could think of would be to create a separate AWS root account for each customer's user pool, but this requires a lot of double configuration. Any other suggestions are welcome.

asked a year ago, 1120 views
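To see why the 'ListUserPools' statement cannot simply be scoped to one pool, here is a small simplified IAM evaluator run over a trimmed copy of the policy from the question. This is an added example, not code from the question or from AWS; the account id and pool ids are constructed placeholders, and the evaluator models only Allow/Deny statements with wildcard matching, not conditions or resource policies.

```python
import fnmatch
import json

# Trimmed version of the policy from the question; account id and pool ids
# are constructed placeholders, not real identifiers.
POOL_A = "arn:aws:cognito-idp:eu-west-1:111111111111:userpool/eu-west-1_POOLA"
POOL_B = "arn:aws:cognito-idp:eu-west-1:111111111111:userpool/eu-west-1_POOLB"
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PoolAdmin", "Effect": "Allow",
     "Action": ["cognito-idp:AdminCreateUser", "cognito-idp:ListUsers"],
     "Resource": "%s"},
    {"Sid": "Enumerate", "Effect": "Allow",
     "Action": "cognito-idp:ListUserPools", "Resource": "*"}
  ]
}""" % POOL_A)
# ListUserPools takes no resource ARN, so IAM evaluates it against "*": a
# statement that names a pool ARN can never match it.
ACCOUNT_LEVEL_ACTIONS = {"cognito-idp:listuserpools"}
# The same policy with ListUserPools scoped to POOL_A instead of "*", i.e.
# what the asker would like to write.
NARROWED_POLICY = json.loads(json.dumps(POLICY))
NARROWED_POLICY["Statement"][1]["Resource"] = POOL_A

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    patterns = _as_list(patterns)
    if fold_case:  # action names are case-insensitive, ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Simplified IAM logic: explicit Deny wins, otherwise any Allow, else implicit deny."""
    if action.lower() in ACCOUNT_LEVEL_ACTIONS:
        resource = "*"
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Running evaluate() over POOL_A, POOL_B and ListUserPools shows the trade-off directly: the admin actions are confined to the one pool ARN, while pool enumeration is either allowed account-wide or not at all.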
1 Answer
1

This is the same behavior as for S3 buckets or any other AWS resources.

Now you can name your user pool with a business id to prevent information leakage, if that is the risk you are trying to mitigate here.

AWS
answered a year ago
  • Thanks for your quick response! What exactly do you mean by 'name your user pool with Business id'? What I'm trying to prevent is that the customer can list the names/ids of all user pools in my organization, and only show their own. If I remove the 'cognito-idp:ListUserPools' part however they also won't be able to load the AWS console page of their own user pool.
