I am developing a single page application with a REST backend that uses AWS Cognito for user management and authentication.

I have structured it such that when the user enters the page without a token, the following series of steps occur:

  1. Redirect to Cognito's default login page
  2. The user logs in and is redirected to host/authenticate.html
  3. An AJAX call is sent to Cognito's token endpoint, which returns the user's tokens. These are stored in sessionStorage
  4. The user is redirected to the web application and is now authenticated

I want to have two user roles in my application: Users and Admins. Users should not be allowed to call any AWS services, whereas Admins should be allowed to create/invite and promote other users to admins on behalf of their company.

Currently I have set up an Identity Pool for the User Pool and web application, that enables the admin permissions. I authenticate with the Identity pool using the following code:

AWS.config.region = "eu-central-1";
// Exchange the User Pool ID token for temporary AWS credentials from the Identity Pool.
// The Logins key is the User Pool's provider name (no app client ID here).
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'eu-central-1:<my-identitypool-id>',
    Logins: {
        'cognito-idp.eu-central-1.amazonaws.com/<my-userpool-id>':
            sessionStorage.getItem('id_token')
    }
});

var cisp;

AWS.config.credentials.get(function(err){
    if (err) {
        console.error(err);
        return; // no usable credentials; do not report success
    }
    console.log("Authenticated");
    // Client for the User Pool admin APIs, using the Identity Pool credentials above
    cisp = new AWS.CognitoIdentityServiceProvider();
});

And when the admin wants to create a user:

// params must contain at least UserPoolId and Username (AdminCreateUser API)
cisp.adminCreateUser(params, function(err, data) {
    if (err)
        console.log(err, err.stack);
    else
        console.log(data);
});

However, from my understanding of it this would allow all users of the web application to have Admin privileges, as the IAM role is associated with the Identity Pool and not the users per se.

Is there any simple way of achieving this?

Please feel free to ask questions in case anything is unclear and thanks in advance for your help.

  • Custom attributes and RBAC. You can create a rule that assigns a specific IAM role for users with a custom:admin attribute value of true (https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html). – jarmod Jun 28 '18 at 15:35
  • Thank you for your reply. I have now added `custom:admin` as you suggested, but I'm left with two questions: 1. How do I assign values to the custom attribute from the web-interface? 2. Where do I add the condition? Is it in the IAM policy or the IAM role? – Tobias Morell Jun 29 '18 at 08:03
  • Related: https://stackoverflow.com/questions/40845937/aws-user-pool-how-to-edit-user-attributes/40849028 and https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_RoleMapping.html – jarmod Jun 29 '18 at 15:33
  • I've tried to read through the resources you posted, but sadly without any luck. I've managed to set up an authentication system that gives my users the _User_ role when they log into my site, but I still don't understand how to upgrade users that have `custom:role=admin` to have admin privileges. So far I've tried to add a trust policy to the user roles with the condition stated just above and use STS to assume admin roles. Care to explain a bit more? – Tobias Morell Jul 04 '18 at 12:58

1 Answer

I managed to find the solution in the end. In case anyone experiences the same issues as me, you can go to the dashboard for your Cognito Identity Pool and edit it.

There is a section called Authentication providers, where you can specify conditions for claims and give roles based on that. On the same page you can also edit which role is given to users who are not authenticated and default roles to users who are authenticated, but do not satisfy any of the conditions you specify.

In my case I gave all authenticated users the role of User and created the condition shown in the picture below, which grants all users that have a value of "admin" in "custom:role" the role of Admin.

[Image: Identity Pool control panel]

  • It may be also necessary to grant authenticated users the permission to assume a different role, as described [in this document](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html) under the section "Granting Pass Role Permission" – Tobias Morell Sep 10 '18 at 13:09
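The rule-based mapping the answer sets up through the console, written out as an added example (not code from the original question or answer) in JavaScript against the data shapes the AWS SDK v2 `CognitoIdentity.setIdentityPoolRoles` call and the `aws cognito-identity set-identity-pool-roles` CLI command accept. Every identifier below (region, pool IDs, app client ID, role ARNs, the sample claim sets) is a placeholder. The `resolveRole` function is a local model of how Cognito evaluates `Rules`-type mappings (first matching rule wins, otherwise the `AmbiguousRoleResolution` fallback), included so the behaviour can be checked offline; it is not the SDK's own code, and it treats a missing claim as matching no rule.

```javascript
'use strict';

// Placeholder identifiers (assumed, not from the original post).
const REGION = 'eu-central-1';
const IDENTITY_POOL_ID = 'eu-central-1:00000000-0000-0000-0000-000000000000';
const USER_POOL_ID = 'eu-central-1_EXAMPLE';
const APP_CLIENT_ID = 'abcdefghijklmnopqrstuvwxyz';
const USER_ROLE_ARN = 'arn:aws:iam::123456789012:role/CognitoUserRole';
const ADMIN_ROLE_ARN = 'arn:aws:iam::123456789012:role/CognitoAdminRole';

// Role mappings are keyed by "<user-pool-provider-name>:<app-client-id>",
// unlike the Logins map used when fetching credentials, which has no client ID.
function providerKey(region, userPoolId, appClientId) {
  return `cognito-idp.${region}.amazonaws.com/${userPoolId}:${appClientId}`;
}

// Params object for CognitoIdentity.setIdentityPoolRoles (SDK v2) or
// `aws cognito-identity set-identity-pool-roles --cli-input-json file://...`.
function buildRoleMappingParams() {
  return {
    IdentityPoolId: IDENTITY_POOL_ID,
    // Default role for authenticated users that match no rule below.
    Roles: { authenticated: USER_ROLE_ARN },
    RoleMappings: {
      [providerKey(REGION, USER_POOL_ID, APP_CLIENT_ID)]: {
        Type: 'Rules',
        // Fall back to the default authenticated role instead of denying
        // credentials when no rule matches.
        AmbiguousRoleResolution: 'AuthenticatedRole',
        RulesConfiguration: {
          Rules: [
            { Claim: 'custom:role', MatchType: 'Equals', Value: 'admin', RoleARN: ADMIN_ROLE_ARN },
          ],
        },
      },
    },
  };
}

// Trust policy each mapped role needs so the Identity Pool may vend its
// credentials, restricted to authenticated identities of this one pool.
function roleTrustPolicy(identityPoolId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPoolId },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
      },
    }],
  };
}

// Local model of Rules-type mapping evaluation against ID token claims.
// Cognito does the real evaluation server-side; this mirrors first-match-wins.
function resolveRole(mapping, claims, defaultAuthenticatedRole) {
  const matchers = {
    Equals: (c, v) => c === v,
    NotEqual: (c, v) => c !== v,
    Contains: (c, v) => c.includes(v),
    StartsWith: (c, v) => c.startsWith(v),
  };
  for (const rule of mapping.RulesConfiguration.Rules) {
    const claim = claims[rule.Claim];
    if (claim === undefined) continue; // missing claim: treated as no match (model assumption)
    if (matchers[rule.MatchType](String(claim), rule.Value)) return rule.RoleARN;
  }
  return mapping.AmbiguousRoleResolution === 'AuthenticatedRole'
    ? defaultAuthenticatedRole
    : null; // 'Deny': no credentials issued
}

// Constructed claim sets standing in for decoded ID tokens.
const params = buildRoleMappingParams();
const mapping = params.RoleMappings[providerKey(REGION, USER_POOL_ID, APP_CLIENT_ID)];
console.log(resolveRole(mapping, { sub: 'user-1', 'custom:role': 'admin' }, USER_ROLE_ARN));
console.log(resolveRole(mapping, { sub: 'user-2', 'custom:role': 'user' }, USER_ROLE_ARN));
console.log(JSON.stringify(roleTrustPolicy(IDENTITY_POOL_ID), null, 2));
```

Two points worth checking in a real deployment: the mapping is evaluated against the ID token presented at `credentials.get()` time, so a user promoted by changing `custom:role` only receives the Admin role after obtaining a fresh ID token; and the attribute must only be writable through the admin API (`adminUpdateUserAttributes`), so leave `custom:role` out of the app client's writable attributes, otherwise any user could call `updateUserAttributes` on themselves and be mapped to the Admin role.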