0 votes

I'm trying to implement "Developer Authenticated Identities" for AWS as explained here: https://aws.amazon.com/blogs/mobile/amazon-cognito-announcing-developer-authenticated-identities/

I properly understand the basic flow.

However, I'd like to be able to get a different role depending on my identities (e.g. rule-based roles) so that, for instance, "Admin" users can have more rights on AWS resources. However, while the AWS console in "Edit identity pool" lets me define rule-based roles for a Cognito User Pool Identity Provider, it won't let me do that for a Custom authentication provider.

In other words, is what is described on this page (http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html) possible with developer authenticated identities?

How can I achieve that?


2 Answers

1 vote

At this time, rule-based roles are not supported for developer authenticated identities. Unfortunately, because there is not a secure way of binding the OIDC token returned from GetOpenIdTokenForDeveloperIdentity to a specific role, it can be exchanged for any role configured against the pool with STS, defeating the purpose. We have heard this request before and will take it as a feature request to embed the assumable roles in the OIDC token so STS can confirm you are assuming a role you are allowed to. We currently only support GetCredentialsForIdentity if you use rule-based mapping.

0 votes

When using developer identities, after authentication, you would assign the IAM role to the user using STS AssumeRole. You will need a method to map users to roles. Typically DynamoDB is used for this. Note: the credentials (AccessKey, role, etc.) that you are using to call STS need enough power to issue the desired IAM role. AssumeRole then creates an AccessKey/SecretAccessKey pair to give to the user. Remember these are temporary credentials with an expiration that you control.

STS AssumeRole
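The flow this answer describes, as an added example that is not part of the original post: the backend resolves the role from its own mapping (a dict stands in for the DynamoDB table), then calls AssumeRole with the backend's credentials and hands back only the temporary credentials. The STS client is injected so the logic runs offline: pass boto3.client("sts") in practice, or the FakeSts stub here; ROLE_MAP, ROLE_ARNS, the identity IDs and the account ID are constructed placeholders.

```python
# Constructed stand-in for the DynamoDB table the answer mentions:
# Cognito IdentityId -> role name. IDs and ARNs are placeholders.
ROLE_MAP = {
    "us-east-1:11111111-2222-3333-4444-555555555555": "AppAdmin",
    "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "AppUser",
}
# Allow-list of roles this backend may hand out (placeholder account id).
ROLE_ARNS = {
    "AppAdmin": "arn:aws:iam::123456789012:role/AppAdmin",
    "AppUser": "arn:aws:iam::123456789012:role/AppUser",
}
MAX_SESSION_SECONDS = 3600  # upper bound on credential lifetime

def role_for_identity(identity_id):
    """Resolve the role from the server-side map only; the client never
    names the role it wants (the check rule-based mapping would do)."""
    role_name = ROLE_MAP.get(identity_id)
    if role_name is None:
        raise PermissionError("no role mapped for identity " + identity_id)
    return role_name

def issue_credentials(sts, identity_id, duration_seconds=MAX_SESSION_SECONDS):
    """Assume the mapped role with the backend's STS client and return
    only the temporary credentials the end user needs."""
    role_name = role_for_identity(identity_id)
    duration = min(duration_seconds, MAX_SESSION_SECONDS)
    # RoleSessionName appears in CloudTrail, so tie it to the identity;
    # colons are not permitted in the name, hence the substitution.
    session_name = ("cognito-" + identity_id.replace(":", "-"))[:64]
    resp = sts.assume_role(RoleArn=ROLE_ARNS[role_name],
                           RoleSessionName=session_name,
                           DurationSeconds=duration)
    creds = resp["Credentials"]
    return {"AccessKeyId": creds["AccessKeyId"],
            "SecretAccessKey": creds["SecretAccessKey"],
            "SessionToken": creds["SessionToken"],
            "Expiration": creds["Expiration"], "Role": role_name}

class FakeSts:
    """Offline stand-in for boto3's STS client; records each call."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "constructed-secret",
                                "SessionToken": "constructed-token",
                                "Expiration": "2030-01-01T00:00:00Z"}}
```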