cognito user pool custom attribute in IAM Policy Conditions with Dynamodb Fine grained access

3

7

I have one Cognito User Pool with a custom attribute organisation_id. One Organisation may have multiple users. There can be multiple organisations. Another DynamoDB table is used to maintain Categories, which has _id and organisation_id as partition key. Categories can be owned by an Organisation, so that users belonging to that particular Organisation can perform operations only in those categories.

Now, how can I create the IAM policy so that it takes the organisation_id instead of sub/user_id, as is explained here:
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToOnlyItemsMatchingUserID",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito:organisation_id(?)}"
                    ],
                    "dynamodb:Attributes": [
                        "UserId",
                        "GameTitle",
                        "Wins",
                        "Losses",
                        "TopScore",
                        "TopScoreDateTime"
                    ]
                },
                "StringEqualsIfExists": {
                    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
                }
            }
        }
    ]
}

So my main requirement is to get a custom User Pool attribute into an IAM policy through Cognito. How is that possible?

Geothermal answered 20/4, 2017 at 9:21 Comment(2)
How did you manage to solve this issue? – Eduction
Couldn't... And I left API Gateway for my own custom solution. – Geothermal
2

This is not possible. It would require IAM roles to be able to identify custom attributes from any Cognito User Pool. It's an interesting feature though; I will discuss it with the team.

However, as an alternative you can look at Cognito identities and role-based access control:

http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

Vidrine answered 16/6, 2017 at 22:33 Comment(4)
Any updates on that? Currently it doesn't seem to be possible to do what @dan required. Going via Cognito groups and group-specific roles has a hard limit of 25. Going via a custom attribute and rule-based role assignment has a soft limit of 25. Both limits show that neither approach is feasible for something in the range of 1000 or even 10000 organizations/groups. – Fiddlehead
@SebastianAnnies +1 for adding this feature; however, you can now have up to 10,000 groups per user pool. Still seems like a pretty big feature oversight, effectively making Cognito only good for a 1:1 tenant vs. user pool association. – Anear
@Vasileios Lekakis +1 on the feature. Does that mean that we need to introduce an identity pool in addition to the user pool? – Untouchable
aws.amazon.com/about-aws/whats-new/2021/01/… Not sure if this announcement includes users from a Cognito User Pool. Also, the console does contain a mapping from attributes to principal tags. Does it mean it is actually supported? – Elderberry
0

There is some support, but not exactly as you need, as far as I can tell.

My use case is very similar to yours, but I still cannot find a solution.

However, there is some level of support for User Pool attributes as fine-grained authorisation. Read https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html

I've been able to use some of the standard Cognito User Pool attributes (e.g. given_name, etc.), but for the life of me I can't get custom: attributes to work. I've also posted a number of questions and comments on the AWS support forums, and gotten zero replies.

Maybe a fudge is to use one of the standard attributes. However, this is far from ideal.

Geotaxis answered 15/8, 2021 at 7:50 Comment(2)
Following on from this, I've actually found that you can use "custom:" attributes. However, there are some limitations as to what characters you can include in the attribute value. I don't know the extent of the limitation, since I can't find this documented anywhere, but I've found that everything breaks if you have the '#' character in the value of any user attribute that you want to use in IAM policies. – Geotaxis
I have been able to use both standard and custom User Pool attributes in the IAM policy Condition statement. You have to use aws:PrincipalTag/my_custom_tag in the IAM policy and should also add an AWS::Cognito::IdentityPoolPrincipalTag mapping (e.g. my_custom_tag tag key to custom:my_custom_attr claim). – Lampedusa
0

Yes, you can do that:

  1. Create a custom User Pool attribute: organisation_id
  2. Create an AWS::Cognito::IdentityPoolPrincipalTag with a custom mapping:

organisation_id (tag key) -> custom:organisation_id (claim)

  3. Use ${aws:PrincipalTag/organisation_id} in the IAM policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${aws:PrincipalTag/organisation_id}"
                    ]
                }
            },
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:[REGION]:[ACCOUNT]:table/[TABLE]",
            "Effect": "Allow"
        }
    ]
}

You can see details in my answer to a similar question.

Lampedusa answered 3/8, 2023 at 9:36 Comment(0)
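The three steps in the answer above chain a user's ID token claim into a principal tag and then into a policy variable, and the only way to see what the resulting condition actually permits is to trace a few requests through it. The following is an added example, not code from the original post or from AWS: it models that chain locally in plain Python (claim-to-tag mapping, `${aws:PrincipalTag/...}` substitution, and a simplified evaluation of `ForAllValues:StringEquals` and `Null`), with constructed claims, a constructed table ARN and constructed request contexts. It also models the documented IAM rule that `ForAllValues` evaluates to true when the condition key is absent from the request context; since a Scan has no key condition and so carries no `dynamodb:LeadingKeys`, the answer's `dynamodb:*` policy as written lets a Scan through, which is why the second policy below narrows the action list and adds a `Null` condition. The evaluator is a teaching model and deliberately omits Deny statements, resource matching and the other operators.

```python
"""Local model of Cognito claim -> identity pool principal tag -> IAM condition.
Added example; it does not call AWS and simplifies IAM evaluation."""
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed sample claims from a Cognito User Pool ID token for one user.
CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "custom:organisation_id": "org-123",
}

# Tag key -> claim, as configured on the identity pool
# (the AWS::Cognito::IdentityPoolPrincipalTag resource in the answer).
PRINCIPAL_TAG_MAPPING = {"organisation_id": "custom:organisation_id"}

# The statement from the answer (ARN is a constructed placeholder).
_STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:*"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Categories",
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${aws:PrincipalTag/organisation_id}"]
        }
    },
}
POLICY_FROM_ANSWER = {"Version": "2012-10-17", "Statement": [_STATEMENT]}

# Same statement, limited to actions that carry dynamodb:LeadingKeys and
# requiring the key to be present (Null: false) so ForAllValues cannot
# succeed vacuously on a request that has no leading keys.
POLICY_HARDENED = {"Version": "2012-10-17", "Statement": [{
    **_STATEMENT,
    "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
               "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
               "dynamodb:BatchWriteItem"],
    "Condition": {**_STATEMENT["Condition"],
                  "Null": {"dynamodb:LeadingKeys": "false"}},
}]}

_VARIABLE = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def principal_tags(claims: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Step 2 of the answer: build principal tags from token claims."""
    return {tag: claims[claim] for tag, claim in mapping.items() if claim in claims}


def resolve(value: str, tags: Dict[str, str]) -> Optional[str]:
    """Substitute ${aws:PrincipalTag/...}; None if any referenced tag is missing."""
    missing = False

    def sub(match: re.Match) -> str:
        nonlocal missing
        if match.group(1) in tags:
            return tags[match.group(1)]
        missing = True
        return ""

    out = _VARIABLE.sub(sub, value)
    return None if missing else out


def condition_matches(condition: dict, context: Dict[str, List[str]],
                      tags: Dict[str, str]) -> bool:
    """Simplified evaluation of the two operators used in the policies above."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [resolve(v, tags) for v in
                      (expected if isinstance(expected, list) else [expected])]
            if None in wanted:
                return False  # unresolvable variable: treated here as no match
            actual = context.get(key)
            if operator == "ForAllValues:StringEquals":
                # Set operator: vacuously true when the key is absent.
                if actual is not None and not all(a in wanted for a in actual):
                    return False
            elif operator == "Null":
                if (actual is None) != (wanted[0] == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy: dict, action: str, context: Dict[str, List[str]],
               tags: Dict[str, str]) -> bool:
    """True if some Allow statement matches the action and its condition holds."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in st["Action"]):
            continue
        if condition_matches(st.get("Condition", {}), context, tags):
            return True
    return False


if __name__ == "__main__":
    tags = principal_tags(CLAIMS, PRINCIPAL_TAG_MAPPING)
    own = {"dynamodb:LeadingKeys": ["org-123"]}
    other = {"dynamodb:LeadingKeys": ["org-999"]}
    scan = {}  # Scan has no key condition, so no dynamodb:LeadingKeys
    for name, policy in (("answer", POLICY_FROM_ANSWER), ("hardened", POLICY_HARDENED)):
        print(name, "Query own org:", is_allowed(policy, "dynamodb:Query", own, tags))
        print(name, "Query other org:", is_allowed(policy, "dynamodb:Query", other, tags))
        print(name, "Scan:", is_allowed(policy, "dynamodb:Scan", scan, tags))
```

The first policy isolates Query and GetItem traffic to the caller's organisation exactly as the answer says, but a Scan of the whole table is allowed under it because the set operator has nothing to compare; the second policy closes that by listing only key-bearing actions and requiring `dynamodb:LeadingKeys` to be present. A user whose token lacks the custom claim gets no tag, the variable cannot be resolved, and the statement grants nothing.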

© 2022 - 2024 — McMap. All rights reserved.