AWS Lambda/Cognito Authentication - Assuming Auth Role

4
votes

I am attempting to create an iOS app in Swift that uses the following authentication service using AWS Lambda - https://github.com/danilop/LambdAuth

It uses the AWS Mobile SDK for iOS to communicate with DynamoDB and Lambda - http://docs.aws.amazon.com/mobile/sdkforios/developerguide/

Here is the sample code for the website that utilizes the token returned from the Lambda login function, I imagine the Swift code will be something similar - https://github.com/danilop/LambdAuth/blob/master/www/login.html#L69

Here is the cloud function that generates the token for the user - https://github.com/danilop/LambdAuth/blob/master/LambdAuthLogin/index.js#L102

I have created an identity pool in AWS Cognito (Federated Identities) and I have two roles, auth and unauth. My application appears to always being the unauth role (arn:aws:sts::123123123:assumed-role/_unauth_MOBILEHUB_123123123/CognitoIdentityCredentials). My users are being stored in a dynamodb table, with a salted password.

The root of the problem is that I don't know the correct Swift code to write after I receive a login token from the service to transition my user into the authenticated role (use the auth arn). I want it to be using the auth role for every service call to AWS (dynamodb, lambda, etc). I'm hoping that someone can point me in the right direction - thank you.

2
iosswiftamazon-web-servicesaws-lambdaamazon-cognito
any luck on this? I am having the same issue - Julio

2 Answers

0
votes

As per the design in Danilo's book, if you are using the aws-sdk javascript , you should define your objects like :

var creds = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: //hard coded value for your system//
})

AWS.config.update({
    region: 'us-east-1',
    credentials: creds
});

var lambda = new AWS.Lambda();

then once you receive your identityId and token , you should assign them to you creds as follow :

creds.params['IdentityId'] = output.identityId;
creds.params['Logins'] = {};
creds.params['Logins']['cognito-identity.amazonaws.com'] = output.token;
creds.expired = true;

where output is the response from your LambdAuthLogin Lambda function.

-1
votes

Authenticated roles will only be used when you use one of the supported public providers (Facebook, Google, Twitter, Login With Amazon), OIDC provider, SAML provider or Cognito User Pool users.

Amazon Cognito User Pools provides you the solution for user registration, authentication and management. Is there is reason that you prefer using Lambda Auth over that?