1
votes

I have an application wherein I want 2 types of users to belong to the same User Pool. They all authenticate using the same AWS Cognito Federated Identity Pool. The first type of user, Manager, should be able to see all of the other users in their group and change their attributes. The second type, Employee, should only be able to see/change their own attributes, change their own password, forget their own password, etc. I imagine this specific case requires some policy "magic" to create 2 roles, each with different levels of permissions. I figure that each role would be assigned to a different group, with the Manager group getting more power/permissions. But I am confused by the redundancy of role assignments in both Federated Identity Pools and User Pool Groups.

  • AWS Cognito Federated Identity Pools have 3 role specifiers: "Unauthenticated role", "Authenticated role", and for Authentication Providers, "Authenticated role (selection)."
  • AWS Cognito User Pool Groups allow you to specify an IAM role.

What is the relationship between Identity Pools and Groups in terms of permissions?


1 Answer

2
votes

If you are using groups and attaching roles to them, you can then choose to use the role that is provided in the token. By default, the authenticated role (or the unauthenticated role, if you have it activated) is used whenever you log in. You can change this behavior by opening your federated identity pool and changing this setting under Cognito user pool (which I assume is your identity provider).

Select "choose role from token" to use the role that you have attached to the group that the user belongs to.
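To make the relationship concrete, here is an added model (not code from the question or answer, and not the AWS SDK) of how a user pool group's role and precedence turn into ID-token claims, and how the identity pool then picks a role depending on whether "Choose role from token" is enabled. Group names, role ARNs and precedence values are constructed assumptions; the claim names and the fallback to the ambiguous-role setting follow Cognito's documented behaviour, simplified.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Group:
    """A user pool group with the IAM role it carries and its precedence (lower wins)."""
    name: str
    role_arn: str
    precedence: int

def id_token_role_claims(groups: list) -> dict:
    """Claims the user pool adds to the ID token for a user in these groups."""
    if not groups:
        return {}
    ordered = sorted(groups, key=lambda g: g.precedence)
    claims = {
        "cognito:groups": [g.name for g in ordered],
        # cognito:roles is a comma-separated string of every group role the user holds
        "cognito:roles": ",".join(g.role_arn for g in ordered if g.role_arn),
    }
    # The group with the lowest precedence value supplies cognito:preferred_role;
    # a tie between groups with different roles leaves the claim unset.
    top = [g for g in ordered if g.precedence == ordered[0].precedence]
    if top[0].role_arn and len({g.role_arn for g in top}) == 1:
        claims["cognito:preferred_role"] = top[0].role_arn
    return claims

def resolve_identity_pool_role(claims: dict, use_role_from_token: bool,
                               authenticated_role: str,
                               ambiguous_resolution: str = "AuthenticatedRole") -> Optional[str]:
    """Role the identity pool hands to STS for an authenticated user.

    use_role_from_token=False is the default: group roles are ignored and the
    pool's authenticated role is always used.  With "Choose role from token"
    the pool takes cognito:preferred_role; if that claim is missing it applies
    the ambiguous-role setting ("AuthenticatedRole" falls back, "Deny" refuses).
    """
    if not use_role_from_token:
        return authenticated_role
    if "cognito:preferred_role" in claims:
        return claims["cognito:preferred_role"]
    if ambiguous_resolution == "AuthenticatedRole":
        return authenticated_role
    return None  # Deny: GetCredentialsForIdentity fails for this user

# Constructed sample groups (placeholder ARNs, not real accounts)
MANAGER_ROLE = "arn:aws:iam::123456789012:role/ManagerRole"
EMPLOYEE_ROLE = "arn:aws:iam::123456789012:role/EmployeeRole"
AUTH_ROLE = "arn:aws:iam::123456789012:role/Cognito_DefaultAuthRole"
MANAGER_GROUPS = [Group("Manager", MANAGER_ROLE, 1), Group("Employee", EMPLOYEE_ROLE, 10)]
EMPLOYEE_GROUPS = [Group("Employee", EMPLOYEE_ROLE, 10)]
```

A manager who is in both groups gets the Manager role only because its precedence is lower; a user in no group still gets the pool's authenticated role unless ambiguous resolution is set to Deny.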