ActoKids / AD440_W19_CloudPracticum


Role-Based-Access-Control with Cognito #29

Closed ZakBrinlee closed 5 years ago

ZakBrinlee commented 5 years ago

Questions from Toddy: How to get role info from Cognito? How to map users->roles?

Estimated time: 4 hours

Actual time:

zach-daniels commented 5 years ago

Time spent as of 1/30: 2 hours

I'm seeing two different ways to implement role-based-access-control with Cognito. The first method I will try to implement this following week is found in this link. https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html You can pass the role with the ID token that's assigned by the user pool, or you can use rule-based mapping. I'm not sure we want to use the rule-based mapping, as that seems intended for IAM specific roles. We merely want to dictate access to the API.

The second method I've seen pop up is to create and attach a custom Lambda authorizer. The following link is a general overview of Lambda Authorizers, while the second one details creating an IAM Policy for your API.

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html

zach-daniels commented 5 years ago

Original estimate: 4 hours

Time spent: 12 hours

I was unable to complete my task this sprint. There are very few examples and tutorials regarding restricting API access with roles. The documentation is confusing and vague.

I learned how to create user groups and assign roles to those groups. To do that, I learned how to create a custom role, as well as custom policies to assign to those roles. This alone did not seem to be enough to restrict API access. From what I understand, I have to use the Cognito Identity Pool and combine that with the User Pool to create temporary credentials to use AWS resources. Unfortunately, the AWS_IAM API Gateway Authorizer requires a specific signature to invoke the API endpoint, and I was unable to figure that out.

Moving on, I need to implement a small login using the Cognito User Pool and Identity Pool to get the keys/tokens necessary to attach a valid signature to the API call. Then I might be able to actually tell if this implementation will work.

Week 2 version of Wiki: https://github.com/ActoKids/api/wiki/Role-Based-Access-Control/70ab0fed409fe01bc9f14ba133d34be0e67a92fa

toddysm commented 5 years ago

Where are we with this? Is there a second task for the "small" implementation?

zach-daniels commented 5 years ago

Zak and I are working on wrapping this up today. I'll create an issue for the login page to get the credentials from the identity pool.

zach-daniels commented 5 years ago

Estimated time for sprint 3: 3 hours

Total time: 4 hours

Zak created a login page and I was able to get the users' Identity Pool IDs. With those IDs, I was able to get temporary credentials in the form of Secret Keys, Access Keys, and a Session ID to successfully invoke API endpoints with AWS_IAM authorization based on their User Group roles' permissions.

Wiki updated with examples:

https://github.com/ActoKids/api/wiki/Role-Based-Access-Control

ZakBrinlee commented 5 years ago

2/20/19 I have worked with Zach on this to create a WEB UI login page to confirm user sign in and Cognito function. See the related issue.

I tested Zach's code using Postman. Everything works as expected. His documentation is clear to me and makes sense.