Unanswered Questions tagged with AWS Identity and Access Management


Simple Amplify Storage Requests Which Require Authentication

Hello, I am new to AWS, and I am using Amplify to build my application (React + Node). I am trying to make a very simple storage interface for user documents, and I don't want these documents to be accessible by those who do not sign in through the Cognito user pool. However, I do want these documents to be accessible to all users who have signed in through my application. I followed all of the directions specified in [the official documentation page regarding setup](https://docs.amplify.aws/lib/storage/getting-started/q/platform/js/#storage-with-amplify), and didn't configure any special options. I then went into the web interface for my S3 bucket, found the newly created storage bucket, and added a folder called "templates" with a couple of subfolders, and then some user document templates.

The problems started to occur upon calling the `Storage.list(...)` function within my application. The promise would resolve successfully, but the list would be empty. I understand now that's because my application was attempting to index the S3 bucket through a `public` scope prefix. When I create a folder named `public` and add the files in there, everything works nicely. I was under the impression, though, that using this public folder would allow my privileged content to be indexed by users who were not credentialed (i.e. guests from outside my application who didn't pass through the Cognito login portal). Is that the case? There are no groups configured within my Cognito user pool. Right now, calling Amplify storage API functions works, but only in the `public` scope. I had thought what I wanted to do was only allow such functionality within the `private` scope; but I'm beginning to think, based on the docs pages regarding user access, that I would be fine using the `public` scope, as it doesn't allow access to internal files by guests, who would not be signed in. This hunch is furthered by information regarding the `protected` and `private` scopes being user-specific.

Should I delve deeper into the permissions associated with these bucket objects, and configure some sort of user group system and then configure ACLs based on the groups, or would using files within the public scope be fine for my use case? I just don't want users who aren't signed in through Cognito to be able to access files. Thank you for your time, and I hope this question finds you well.
0 answers · 0 votes · 86 views · cal · asked 6 months ago

I'd like to make requests to S3 using Cognito authentication credentials.

I'd like to make requests to S3 using Cognito authentication credentials. S3 is using the SDK, Cognito is using Amplify. I'm using Angular with TypeScript. I would like to replace the secret key with the Cognito authentication information when creating the S3 client. I want to access S3 with the user I received from `Auth.signIn`, but the credentials are missing. I need your help.

```typescript
public signIn(user: IUser): Promise<any> {
  return Auth.signIn(user.email, user.password).then((user) => {
    AWS.config.region = 'ap-northeast-2';
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff',
    });

    // Pull the user pool ID token out of the Amplify session
    const userSession = Auth.userSession(user);
    const idToken = userSession['__zone_symbol__value']['idToken']['jwtToken'];

    AWS.config.region = 'ap-northeast-2';
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff',
      RoleArn: 'arn:aws:iam::111111111111:role/Cognito_role',
      Logins: {
        CognitoIdentityPool: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff',
        idToken: idToken,
      },
    });

    const s3 = new AWS.S3({
      apiVersion: '2012-10-17',
      region: 'ap-northeast-2',
      params: { Bucket: 'Bucketname' },
    });
    s3.config.credentials.sessionToken = user.signInUserSession['accessToken']['jwtToken'];

    s3.listObjects(function (err, data) {
      if (err) {
        return alert('There was an error: ' + err.message);
      } else {
        console.log('***********s3List***********', data);
      }
    });
  });
}
```

Bucket policy:

```json
{
  "Version": "2012-10-17",
  "Id": "Policy",
  "Statement": [
    {
      "Sid": "AllowIPmix",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::s3name/*"
    }
  ]
}
```

Cognito role policies - AmazonS3FullAccess:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
```
0 answers · 0 votes · 104 views · asked 7 months ago

Should I use Cognito Identity Pool OIDC JWT Connect Tokens in the AWS API Gateway?

I noticed this question from 4 years ago: https://repost.aws/questions/QUjjIB-M4VT4WfOnqwik0l0w/verify-open-id-connect-token-generated-by-cognito-identity-pool

So I was curious and I looked at the JWT token being returned from the Cognito Identity Pool. Its `aud` field was my identity pool id and its `iss` field was "https://cognito-identity.amazonaws.com", and it turns out that you can see the OIDC config at "https://cognito-identity.amazonaws.com/.well-known/openid-configuration" and grab the public keys at "https://cognito-identity.amazonaws.com/.well-known/jwks_uri". Since I have access to the keys, that means I can freely validate OIDC tokens produced by the Cognito Identity Pool. More so, I should also be able to pass them into an API Gateway with a JWT authorizer. This would allow me to effectively gate my API Gateway behind a Cognito Identity Pool without any extra Lambda authorizers or needing IAM authentication.

Use case: I want to create a serverless Lambda app that's blocked behind some SAML authentication using Okta. Okta does not allow you to use their JWT authorizer without purchasing extra add-ons for some reason. I could use IAM authentication on the gateway instead, but I'm afraid of losing information such as the user's id, group, name, email, etc. Using the JWT directly preserves this information and passes it to the Lambda.

Is this a valid approach? Is there something I'm missing? Or is there a better way? Does the IAM method preserve user attributes...?
0 answers · 1 vote · 105 views · asked 7 months ago
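The second and third posts above both come down to reading a Cognito JWT's claims before deciding where it may be used: the `Logins` map in the second post needs a user pool ID token (not an access token) keyed by that token's issuer host, and the API Gateway idea in the third post rests on the identity pool token's `iss` and `aud`. The following is an added example in Node-style JavaScript, not code from either post or from AWS: the sample tokens are constructed with a dummy signature, the user pool id `ap-northeast-2_EXAMPLE` is a placeholder, and signature verification against the issuer's JWKS is assumed to have happened before these claim checks.

```javascript
// Added example (not from the posts above): decode Cognito JWT claims and
// decide where a token may be used. Signature verification against the
// issuer's JWKS is assumed to run before these checks in real code.

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build the Logins map an identity pool expects. Only a user pool ID token is
// accepted: the key is the token's issuer without the scheme, i.e.
// "cognito-idp.<region>.amazonaws.com/<userPoolId>"; access tokens are rejected.
function loginsMapFromIdToken(idToken, nowSec = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtPayload(idToken);
  if (typeof c.iss !== 'string' || !c.iss.startsWith('https://cognito-idp.')) {
    throw new Error(`iss ${c.iss} is not a Cognito user pool issuer`);
  }
  if (c.token_use !== 'id') throw new Error(`expected token_use=id, got ${c.token_use}`);
  if (!(c.exp > nowSec)) throw new Error('token is expired');
  return { [c.iss.replace(/^https:\/\//, '')]: idToken };
}

// Claims a JWT authorizer would enforce on an identity pool OIDC token: the
// fixed issuer, an audience equal to the identity pool id, and not expired.
// Returns the names of the failing claims (empty when the token is acceptable).
function identityPoolTokenProblems(token, identityPoolId, nowSec = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtPayload(token);
  const problems = [];
  if (c.iss !== 'https://cognito-identity.amazonaws.com') problems.push('iss');
  if (c.aud !== identityPoolId) problems.push('aud');
  if (!(c.exp > nowSec)) problems.push('exp');
  return problems;
}

// Constructed sample token with a dummy signature (never accepted by a verifier).
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(payload)}.c2ln`;
}

// Placeholder user pool id; the identity pool id is the one quoted in the post.
const SAMPLE_ISS = 'https://cognito-idp.ap-northeast-2.amazonaws.com/ap-northeast-2_EXAMPLE';
const SAMPLE_POOL = 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff';
```

Running `loginsMapFromIdToken` on an access token throws, which is the symptom the second post describes when the wrong token or the wrong key lands in `Logins`.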