0
votes

Let's say we are using AppSync and AWS Cognito using AWS Amplify CLI, and are using it to host things like a Blog, with BlogPosts, and Comments, etc.

Is it possible in Amplify/AppSync/Cognito to have multiple organizations with Blogs, each with their own access controls (owner, Admin, etc.)? Such that the data is separate but the AppSync, GraphQL models etc. are the same?

I.e. so that editors and admins of one Blog can only see or edit their own blog posts, and not those of other Blogs, etc.

Thanks!

1 Answers

2
votes

Yes, that is possible. Cognito has the concept of Groups that you can assign your users to. So you can have, for example, a group called Admins that you can assign only your admin users to. There are several ways in which you can have fine-grained access in AppSync, either through schema directives such as the ones below:

type Query {
   posts:[Post!]!
   @aws_auth(cognito_groups: ["Bloggers", "Readers"])
}

type Mutation {
   addPost(id:ID!, title:String!):Post!
   @aws_auth(cognito_groups: ["Bloggers"])
}

or by filtering on the Group in the resolver mapping templates (you get the group information in the context.identity object).
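As an added example (not code from the answer or from AppSync), the per-blog group check that a resolver would apply can be modelled in plain JavaScript. It assumes a hypothetical convention of one Cognito group per blog and role, named `<blogId>:<role>`, a `blogId` field stored on each post, and that the groups are read from the `cognito:groups` claim on the identity object; the function names are illustrative.

```javascript
// Added example: models the per-blog group check a resolver would perform.
// Assumed convention (not from the answer): one Cognito group per blog and
// role, named "<blogId>:<role>", e.g. "blog-a:Admins".
const ROLE_ACTIONS = new Map([
  ["Admins", ["read", "edit", "delete"]],
  ["Editors", ["read", "edit"]],
  ["Readers", ["read"]],
]);

// Groups are read from the identity's JWT claims under "cognito:groups".
// The claim is absent when the user belongs to no group, so default to [].
function callerGroups(identity) {
  const groups = identity && identity.claims && identity.claims["cognito:groups"];
  return Array.isArray(groups) ? groups : [];
}

// Deny by default. The blog id is taken from the stored record, never from a
// client-supplied argument, so a caller cannot choose the tenant being checked.
function isAllowed(identity, post, action) {
  if (!post || typeof post.blogId !== "string") return false;
  return callerGroups(identity).some((group) => {
    if (typeof group !== "string") return false;
    const sep = group.lastIndexOf(":");
    if (sep < 0) return false; // group does not follow the convention
    const blogId = group.slice(0, sep);
    const actions = ROLE_ACTIONS.get(group.slice(sep + 1)) || [];
    return blogId === post.blogId && actions.includes(action);
  });
}

// Response-side filter for list queries: drop every post the caller cannot read.
function filterReadable(identity, posts) {
  return posts.filter((post) => isAllowed(identity, post, "read"));
}

// Constructed sample data.
const posts = [
  { id: "1", blogId: "blog-a", title: "A1" },
  { id: "2", blogId: "blog-b", title: "B1" },
];
const editorOfA = { claims: { "cognito:groups": ["blog-a:Editors"] } };
const noGroups = { claims: {} };

console.log(filterReadable(editorOfA, posts).map((p) => p.id)); // [ '1' ]
console.log(isAllowed(editorOfA, posts[1], "edit")); // false
console.log(isAllowed(noGroups, posts[0], "read")); // false
```

A schema directive with fixed group names applies the same rule to every blog, so the per-record comparison against the stored `blogId` is what keeps one organization's editors out of another's posts.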