
How to model Multi-project multi-role in verified permission ?

0

I have multiple projects and at each project I have multiple roles. How to handle this in verified permission and Cognito ?
Thanks.

3 Answers
0
Accepted Answer

Hello,

A common approach that involves using Verified Permissions and Amazon Cognito would be to make use of an API-linked policy store in Verified Permissions[1]. Using an API-linked policy store in Verified Permissions involves the use of the following components[2]:

  • A Cognito user pool or an external OIDC identity provider that will authenticate users and will allow these users to be placed into groups.
  • An API Gateway REST API, which is used to define actions from API paths and API methods. Here you would need to use an existing API in API Gateway.
  • A Lambda function that is used as a Lambda authorizer for the API in API Gateway. This Lambda authorizer is used to authorize requests to access APIs behind the API Gateway.
  • A Verified Permissions policy store, where the identity source for the policy store would be either your Cognito user pool or an external OIDC identity provider.

As users would commonly be placed into user groups within the user pool, you would initially authorize requests to your API/resources based on the user's group membership. However, using an API-linked policy store would also allow you to implement attribute-based access control (ABAC)[3], where Verified Permissions would grant access to users based on OAuth 2.0 scopes and user attributes.

For example, in the use case where you have multiple roles for a project, you would create a custom user attribute[4] with the name "roles" in your Cognito user pool, where the custom user attribute will be presented in the ID token as "custom:roles". Verified Permissions can then grant access for the roles based on the "custom:roles" claim values presented in the ID token that the Cognito user pool generates when the user successfully signs in.

References:

[1] Create a policy store with a connected API and identity provider - https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/getting-started-api-policy-store.html

[2] API-linked policy stores - https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/policy-stores_api-userpool.html

[3] API-linked policy stores - Adding attribute-based access control (ABAC) - https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/policy-stores_api-userpool.html#policy-stores_api-userpool_abac

[4] User pool attributes - Custom attributes - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes

I sincerely hope the above helps.

AWS
SUPPORT ENGINEER
answered 2 years ago
0

Thanks much for your answer. The "role" custom attribute works for this scenario. How do I keep multiple projects? In my case users typically have different roles at different projects at the same time. Again, can I pass multiple roles to the custom attribute so that the identity token recognizes these roles directly, and can I pass the identity token to the IsAuthorizedWithToken() service? Typically I can pass one role value; how do I solve this problem? Sincerely.

answered 2 years ago
0

In my case a user may have roles like ProjectA:Role1, ProjectA:Role2, ProjectB:Role3

answered 2 years ago
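The encoding the thread converges on (one Cognito custom attribute carrying every Project:Role pair a user holds), shown as an added Python example that is not part of the original thread. The attribute name custom:roles comes from the accepted answer and the Project:Role entries from the follow-up; the comma-separated packing, the action-to-role table, the 2048-character length check and the local is_authorized() mirror of the policy decision are assumptions made for this example, as are the sample claims.

```python
"""Pack multi-project roles into one Cognito custom attribute and read them back.

Cognito custom attributes are plain strings, so every Project:Role pair a user
holds is joined into a single comma-separated value stored in custom:roles and
split again wherever the claim is consumed (Lambda authorizer, policy store
mapping, or a local pre-check such as the one below).
"""
from __future__ import annotations

import re

# Assumed upper bound for a Cognito custom string attribute (check the current
# quota for your user pool before relying on it).
MAX_ATTRIBUTE_LEN = 2048

# One entry is Project:Role with non-empty, URL-safe names on both sides, so a
# malformed entry such as "ProjectA:" is rejected instead of becoming a blank role.
_ENTRY_RE = re.compile(r"^([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)$")


def encode_roles(assignments) -> str:
    """Turn (project, role) pairs into the string written to custom:roles."""
    entries = sorted({f"{project}:{role}" for project, role in assignments})
    for entry in entries:
        if not _ENTRY_RE.match(entry):
            raise ValueError(f"invalid project:role entry {entry!r}")
    value = ",".join(entries)
    if len(value) > MAX_ATTRIBUTE_LEN:
        raise ValueError("custom:roles exceeds the custom attribute length limit")
    return value


def decode_roles(claim_value: str) -> dict[str, set[str]]:
    """Parse the custom:roles claim into {project: {roles}}, failing closed on bad entries."""
    roles: dict[str, set[str]] = {}
    for raw in claim_value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        match = _ENTRY_RE.match(entry)
        if not match:
            raise ValueError(f"malformed custom:roles entry {entry!r}")
        project, role = match.groups()
        roles.setdefault(project, set()).add(role)
    return roles


# Which roles may perform which action on a project. Constructed for the example;
# in the real deployment this mapping lives in the policy store's Cedar policies.
ACTION_ROLES = {
    "ViewProject": {"Role1", "Role2", "Role3"},
    "EditProject": {"Role1", "Role2"},
    "DeleteProject": {"Role1"},
}


def is_authorized(id_token_claims: dict, action: str, project: str) -> bool:
    """Does the caller hold a role on *this* project that permits the action?

    Roles are scoped to the project they were granted on, so Role1 on ProjectA
    grants nothing on ProjectB. Signature verification of the ID token happens
    before this point (by the Lambda authorizer or Verified Permissions itself).
    """
    roles = decode_roles(id_token_claims.get("custom:roles", ""))
    allowed = ACTION_ROLES.get(action, set())
    return bool(roles.get(project, set()) & allowed)


# Constructed ID-token claims for a user with the roles named in the follow-up.
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "cognito:groups": ["Engineers"],
    "custom:roles": encode_roles(
        [("ProjectA", "Role1"), ("ProjectA", "Role2"), ("ProjectB", "Role3")]
    ),
}


if __name__ == "__main__":
    print(SAMPLE_CLAIMS["custom:roles"])
    for action, project in [("DeleteProject", "ProjectA"), ("DeleteProject", "ProjectB"),
                            ("ViewProject", "ProjectB"), ("ViewProject", "ProjectC")]:
        print(f"{action} on {project}: {is_authorized(SAMPLE_CLAIMS, action, project)}")
```

The policy store sees the same single string claim, so the predicate written in Cedar has to do the equivalent of decode_roles() on the mapped attribute; the attribute syntax for Cognito claims in an API-linked policy store is covered by reference [3] in the accepted answer. Keeping the parser strict (reject rather than skip malformed entries) matters because a lenient split would let a badly formed entry silently widen or narrow access.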
