Unanswered Questions tagged with AWS Identity and Access Management


0 answers · 0 votes · 23 views · asked 11 days ago

How to know if a specific user is verified using the amazon-cognito-identity-js module if the type of the verification message is a link?

I'm building a mobile app with React Native that manages user registration and authentication with AWS Cognito. In order to integrate Cognito with my project I use amazon-cognito-identity-js. In order to verify the email of the recently added user I send a verification link (not a verification code) that verifies the user if he clicks on it. After the user clicks the link, the confirmation status of the user changes from Unconfirmed to Confirmed inside the AWS Cognito console, and that's great, but I need to know from the JavaScript code if the user is indeed verified. What am I supposed to do? I already know that if I send a verification code and not a link there's no problem, because inside the app the user inputs the verification code previously received and then I just have to call the `CognitoUser.confirmRegistration(code: string, ...)` method in order to allow the user to continue with the registration process inside my app. If I use a verification link I can't use that method because it takes a code as an argument. Checking [the only resource available for amazon-cognito-identity-js](https://www.npmjs.com/package/amazon-cognito-identity-js) I found that there's no attribute or method that lets you know if a specific user is verified or not, and if I'm not able to know if the user is verified or not I can't let him go to the following screens of the app. Thanks guys, and I hope that there's a solution for this problem.
0 answers · 0 votes · 19 views · asked a month ago

IAM abac tag problems: User is not authorized to perform: execute-api:Invoke on resource

I'm trying to call an API Gateway endpoint from my web app but getting the error:

```
User: arn:aws:sts::<number>:assumed-role/my_identity_pool_auth_role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:********9277:<api-gateway id>/test/GET/theme
```

I have a user pool set up in which I've created two groups, one of which I'd like to give access to execute the endpoint mentioned above. The user pool group has an IAM role attached with no permissions, but the following trust relationships:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "cognito-identity.amazonaws.com" },
      "Action": [ "sts:AssumeRoleWithWebIdentity", "sts:TagSession" ],
      "Condition": {
        "StringEquals": { "cognito-identity.amazonaws.com:aud": "<identity pool id>" }
      }
    }
  ]
}
```

and a tag with:

```
key: user_role
value: end_user_basic
```

The identity pool auth role has the permissions and trust relationship below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [ "cognito-identity:*", "mobileanalytics:PutEvents", "cognito-sync:*" ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-2:*:<api-gateway id>/*/GET/theme",
      "Condition": {
        "StringEquals": { "aws:PrincipalTag/user_role": "end_user_basic" }
      }
    }
  ]
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "cognito-identity.amazonaws.com" },
      "Action": [ "sts:AssumeRoleWithWebIdentity", "sts:TagSession" ],
      "Condition": {
        "StringEquals": { "cognito-identity.amazonaws.com:aud": "<identity pool id>" },
        "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }
      }
    }
  ]
}
```

In the identity pool settings, I have 'authenticated role selection' set to 'user default role' and 'attributes for access control' set to 'use custom mappings' with the below:

```
Tag key for principal: user_role
Attribute name: user_role
```

And when I make the request, my ID token has a payload something like below:

```
{
  "sub": ...,
  "cognito:groups": [ "<the correct cognito user group>" ],
  "iss": ...,
  "cognito:username": ...,
  "origin_jti": ...,
  "cognito:roles": [ "<the correct iam role with tag attached>" ],
  "aud": ...,
  "event_id": ...,
  "token_use": "id",
  "auth_time": ...,
  "exp": ...,
  "iat": ...,
  "jti": ...,
  "email": ...
}
```

so the user belongs to the correct group with the correct IAM role applied. I'm new to AWS so I'm sure I'm missing something daft, but if somebody could point me in the right direction I'd be grateful. As an aside, if I remove the condition below:

```json
"Condition": {
  "StringEquals": { "aws:PrincipalTag/user_role": "end_user_basic" }
}
```

from the identity pool auth role, I can make the API call successfully.
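To make the `aws:PrincipalTag` check in the question above concrete, here is an added Python model of the evaluation (not code from the question or from AWS). It assumes that the session's principal tags are the tags of the role that was actually assumed (the identity pool's default authenticated role, per the error message) plus any ID-token claims named in the identity pool's custom mapping; the role names, claim values and helper functions are constructed for illustration, and the last case goes beyond the question by showing what the group role's tag would contribute if that role were the one assumed.

```python
# Added model (not AWS code) of how the aws:PrincipalTag condition from the
# question is evaluated: session tags come from the role actually assumed plus
# ID-token claims named in the identity pool's principal-tag mapping.

# Constructed: tags attached to each IAM role. The identity pool's default
# authenticated role (the one named in the error message) carries none.
ROLE_TAGS = {
    "my_identity_pool_auth_role": {},
    "group_role_with_tag": {"user_role": "end_user_basic"},
}

# The "attributes for access control" mapping: tag key -> ID-token claim name.
PRINCIPAL_TAG_MAPPING = {"user_role": "user_role"}

# The permissions statement from the question, reduced to its condition.
CONDITION = {"StringEquals": {"aws:PrincipalTag/user_role": "end_user_basic"}}


def session_tags(assumed_role: str, claims: dict) -> dict:
    """Role tags of the assumed role, overridden by mapped claims that exist."""
    tags = dict(ROLE_TAGS.get(assumed_role, {}))
    for tag_key, claim in PRINCIPAL_TAG_MAPPING.items():
        if claim in claims:  # a claim missing from the token sets no tag
            tags[tag_key] = str(claims[claim])
    return tags


def condition_matches(condition: dict, tags: dict) -> bool:
    """StringEquals on aws:PrincipalTag/<key>; an absent tag key makes the
    condition key missing, which evaluates to false without ...IfExists."""
    prefix = "aws:PrincipalTag/"
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix):
            return False  # only principal-tag keys are modelled here
        if tags.get(key[len(prefix):]) != expected:
            return False
    return True


def decision(assumed_role: str, claims: dict) -> str:
    """'Allow' if the Allow statement's condition holds, else implicit 'Deny'."""
    allowed = condition_matches(CONDITION, session_tags(assumed_role, claims))
    return "Allow" if allowed else "Deny"


# Constructed claims shaped like the payload in the question: cognito:groups and
# cognito:roles are present, but there is no user_role claim.
TOKEN_FROM_QUESTION = {"sub": "<sub>", "token_use": "id",
                       "cognito:groups": ["<group>"], "cognito:roles": ["<group role arn>"]}
TOKEN_WITH_CLAIM = {**TOKEN_FROM_QUESTION, "user_role": "end_user_basic"}

if __name__ == "__main__":
    print(decision("my_identity_pool_auth_role", TOKEN_FROM_QUESTION))  # Deny
    print(decision("my_identity_pool_auth_role", TOKEN_WITH_CLAIM))     # Allow
    print(decision("group_role_with_tag", TOKEN_FROM_QUESTION))         # Allow
```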
0 answers · 0 votes · 44 views · steve · asked 2 months ago