Amazon Cognito Multi-Tenant Best Approach
A

3

12

I'm working on a multi-tenant application on AWS. I am struggling to implement multi-tenancy on Cognito. My first approach was to use one Cognito User Pool and an Identity Pool for the whole application.

For the moment we have two kinds of user per tenant (administrators and regular users) so I want to assign them different IAM Roles.

The idea was to create a Cognito Group for each user role and to associate them with the respective IAM Roles. It works ok. When using groups for role assignment, I configured the identity pool authenticated role selection to 'Choose role from token'.

However, with 20 tenants, 40 groups will be needed, and the limits for Cognito Groups are 25 for each User Pool.

Using a Cognito User Pool per tenant has the same inconvenience, since the limit for Cognito User Pools is 50 (and we expect more than 25 tenants).

These are soft limits, so I know that it is possible to ask for an increase. In fact, I requested an increase of the Cognito Groups limit, but the answer is taking too long.

As an alternative to Cognito Groups, I could configure the identity pool authenticated role selection to 'Choose role with rules'.

In this way I added a Cognito User Pool custom attribute (custom:role) and configured Identity Pool Cognito Authenticate Provider with rules like the following:

if custom:role equals 'tenant1_admin' then assign TENANT_1_ADMIN_IAM_ROLE

if custom:role equals 'tenant1_regular' then assign TENANT_1_REGULAR_IAM_ROLE

...

if custom:role equals 'tenant20_admin' then assign TENANT_20_ADMIN_IAM_ROLE

if custom:role equals 'tenant20_regular' then assign TENANT_20_REGULAR_IAM_ROLE

Is this a correct way to implement multi-tenancy on Cognito? As far as I know, there is no limit on the number of Identity Pool Authenticated Provider rules.

Angulation answered 5/12, 2017 at 10:39 Comment(0)
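The rules-based mapping described in the question, as an added example that is not from the original post: it builds the `RoleMappings` argument for `SetIdentityPoolRoles` from the custom:role naming scheme above, mirrors Cognito's first-match rule evaluation, and checks two things worth verifying before relying on this design. The account id, provider string and role ARNs are placeholders; the 25-rules-per-provider cap is the one documented for the Cognito Identity API's RulesConfigurationType, and the last helper flags an app client whose WriteAttributes include custom:role, since a signed-in user could then change their own role claim.

```python
"""Rules-based role mapping for one Cognito user pool shared by many tenants.
Added example (not from the original post); pure Python, no AWS calls."""

MAX_RULES_PER_PROVIDER = 25   # documented cap for RulesConfigurationType.Rules
ROLE_KINDS = ("admin", "regular")


def build_rules(tenant_count, account_id="123456789012"):
    """One Equals rule per (tenant, kind) on the custom:role claim, using the
    question's naming ('tenant1_admin' -> TENANT_1_ADMIN_IAM_ROLE).
    account_id is a placeholder."""
    rules = []
    for t in range(1, tenant_count + 1):
        for kind in ROLE_KINDS:
            rules.append({
                "Claim": "custom:role",
                "MatchType": "Equals",
                "Value": f"tenant{t}_{kind}",
                "RoleARN": f"arn:aws:iam::{account_id}:role/"
                           f"TENANT_{t}_{kind.upper()}_IAM_ROLE",
            })
    return rules


def role_mapping(provider, rules):
    """RoleMappings value for SetIdentityPoolRoles. provider is the placeholder
    'cognito-idp.<region>.amazonaws.com/<pool id>:<app client id>'.
    'Deny' means a token matching no rule gets no credentials at all instead of
    the pool's default authenticated role. Rejects mappings over the cap."""
    if len(rules) > MAX_RULES_PER_PROVIDER:
        raise ValueError(f"{len(rules)} rules exceed the cap of "
                         f"{MAX_RULES_PER_PROVIDER} per provider")
    return {provider: {"Type": "Rules",
                       "AmbiguousRoleResolution": "Deny",
                       "RulesConfiguration": {"Rules": rules}}}


def resolve_role(rules, claims):
    """Mirror Cognito's evaluation: rules are tried in order and the first
    match wins; None means no credentials would be issued (with Deny above)."""
    for r in rules:
        value = claims.get(r["Claim"])
        if value is not None and r["MatchType"] == "Equals" and value == r["Value"]:
            return r["RoleARN"]
    return None


def custom_role_is_user_writable(write_attributes):
    """write_attributes is an app client's WriteAttributes list (from
    DescribeUserPoolClient). True is a misconfiguration: the user could set
    custom:role themselves via UpdateUserAttributes, so it should be absent
    and the attribute set only server-side (AdminUpdateUserAttributes)."""
    return "custom:role" in write_attributes
```

With 20 tenants the scheme needs 40 rules, so `role_mapping(provider, build_rules(20))` raises; this is the check to run before assuming the rule count is unbounded.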
C
6

As you mentioned before, you can contact AWS support to ask for an increase of your groups limit. Clearly stating your use case will make the limit increase easier. Are you using SAML or Cognito login for your user pool?

Chantry answered 15/12, 2017 at 0:1 Comment(3)
Thanks for your response. I asked for the limit increase in Cognito Groups, but they prefer to increase the limit on the number of User Pools for infrastructure reasons. However, I'm still wondering about going with one User Pool per tenant or one User Pool for the app: the second option allows user segmentation by using JWT claims (with a custom claim custom:role) and Identity Pool Cognito Authenticated Provider rules. Angulation
Both solutions could work, and it depends on how many users you are expecting and what the differences among those tenants are. In general, I would prefer to use multiple user pools. Using separate user pools will make it easier to manage your users and to customize the requirements based on different tenants. Also, using separate user pools could help with controlling the traffic if you have a lot of users in total. Chantry
Ok, Summer Guo. I'll go with a User Pool per tenant. Thanks a lot for your comments. Angulation
B
10

I know the question has already been answered and is a bit old, but thought this might be useful for other people who come across this question. AWS have actually produced a White Paper and Quick Start guide for creating Multi-Tenant SaaS applications on AWS, available at https://aws-quickstart.s3.amazonaws.com/saas-identity-cognito/doc/saas-identity-and-isolation-with-cognito-on-the-aws-cloud.pdf

It's got a basic web front-end (AngularJS on S3), Cognito (with one pool per tenant), logic to handle user-tenant lookup and ECS config for hosting services. Pretty detailed and should help answer a bunch of questions for people starting out or wondering about these types of questions.

Blackamoor answered 15/12, 2018 at 0:45 Comment(1)
update: this is no longer available :) Feodor
F
2

2022 update: the SaaS Quick Start is no longer available. There's a workshop now, and the Cognito developer guide talks about multi-tenancy.

  1. The default limit on user pools is 1000 now (adjustable to 10000).
  2. The max number of groups in a pool is 1000 (non-adjustable!).
  3. A user can belong to at most 100 groups.

The rest you can find in the quotas section.

Feodor answered 27/9, 2022 at 13:4 Comment(0)
