aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Possibility to specify role ARN for IAM credentials #1125

Open pjarts opened 6 years ago

pjarts commented 6 years ago

Feature request.

Currently, it is not possible to specify which role ARN to use when creating CognitoIdentityCredentials. According to the documentation you can specify a RoleArn to use when creating CognitoIdentityCredentials.

I have multiple applications with a shared user pool. Each application has created a set of groups in the user pool with IAM roles attached. Each user can be a member of multiple groups, e.g. User1 is a member of groups app1-admins and app2-admins. When User1 logs into App1 he should assume the role attached to the app1-admins group, but the only way to achieve this currently is to give app1-admins a lower precedence than app2-admins so that the corresponding role's ARN gets assigned to the ID token's cognito:preferred_role attribute. However, this will cause problems when User1 logs into App2.

My suggestion is to add another option to the Auth configuration that works as a filter for the user's cognito:groups (or cognito:roles) list:

Amplify.configure({
  Auth: {
    // ... some configuration
    groups: [
      'app1-admins',
      'app1-users'
    ]
  }
})

I would prefer to list groups, but I am not sure whether the index of the elements in the cognito:roles and cognito:groups arrays will match. If they are guaranteed to be listed in the same order you could use the index of the group name to retrieve the corresponding role. To determine which role to use, you would filter the user's cognito:groups list for names listed in Auth._config.groups and then pick the role connected to the group with the lowest precedence.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

victorzw895 commented 4 years ago

I need this feature too. Right now it's pointless for my users to belong to multiple groups with multiple roles, when they can only access one, and not dynamically either. I am trying to restrict access to API Gateway endpoints based on the roles attached to the groups the user is in. There should be a way for all role policies to be merged, or at least for the role to be assigned dynamically and not by pre-set precedence.

rwsender commented 4 years ago

I am also having this issue. Currently, my authenticated users all assume one role. Even though the user has a preferred role matching the group they are in, my API calls are being made with this 'base' authenticated role that really doesn't have any permissions.

ahmed-sharief5 commented 3 years ago

Even I need this feature to be added to AWS Amplify. Please add an option to set customRoleArn in order to map the dynamic roles to the users based on their Cognito groups.

ahmed-sharief5 commented 3 years ago

Will this feature be merged soon? I have a dependency on this feature, so please merge this PR as soon as possible.

ahmed-sharief5 commented 3 years ago

Hello guys, this PR still has not been merged. Could anyone please look into this and merge it as soon as possible, as it's been months?

mbruning24 commented 3 years ago

I have similar requirements. We use CustomRoleArn for enabling multi-tenancy on single APIs. One thing I've been seeing across many threads is that Amplify doesn't support this property because of the security implications of spoofing the CustomRoleArn on the CognitoIdentityCredentials call, but in our implementation we are utilizing the cognito:roles claim in the JWT which, unless I'm an idiot, can't be spoofed. So, assuming I'm not missing something, enabling this feature would be in line with AWS's shared security model. You provide the ability to assume a different role in the library and we make sure we're limiting scope via the token claims.

It would also be great if we could trigger a reconfiguration at some point in time after login events i.e. Auth.Credentials.configure({ customRoleArn: xyz }) or similar...
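Added example, not code from any comment above or from the Amplify library: it applies pjarts' per-app group filter and mbruning24's rule that the chosen role ARN must be one the token's cognito:roles claim actually grants. It assumes the ID token signature was already verified upstream (only claims are read), and the helper names, the app-side group-to-role config and the sample token with account 123456789012 are constructed for illustration.

```javascript
// Decode the payload of an already-verified JWT (ASSUMPTION: verified upstream).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  // base64url -> base64; Node's decoder tolerates the missing '=' padding
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical app-side config: the groups App1 cares about, in the precedence
// order App1 wants, each mapped to the role ARN this app expects for it.
const APP1_GROUPS = [
  { group: 'app1-admins', roleArn: 'arn:aws:iam::123456789012:role/app1-admins' },
  { group: 'app1-users', roleArn: 'arn:aws:iam::123456789012:role/app1-users' },
];

// Pick the role for this app from the user's groups, without relying on
// cognito:groups and cognito:roles sharing an index order. Any role not listed
// in cognito:roles is refused, so the client can never select a role the
// token did not grant.
function selectRoleForApp(claims, appGroups) {
  const userGroups = new Set(claims['cognito:groups'] || []);
  const grantedRoles = new Set(claims['cognito:roles'] || []);
  for (const { group, roleArn } of appGroups) {
    if (!userGroups.has(group)) continue; // user is not in this group
    if (!grantedRoles.has(roleArn)) {     // config and token disagree: fail closed
      throw new Error(`role ${roleArn} for group ${group} is not in cognito:roles`);
    }
    return roleArn; // first configured match wins (this app's own precedence)
  }
  return null; // no App1 group: caller falls back to the default authenticated role
}

// Constructed sample token for User1 from the issue (member of app1-admins and
// app2-admins, preferred role pointing at App2). Header and signature are dummies.
function sampleIdToken() {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  const payload = {
    sub: 'user1',
    'cognito:groups': ['app2-admins', 'app1-admins'],
    'cognito:roles': ['arn:aws:iam::123456789012:role/app2-admins',
                      'arn:aws:iam::123456789012:role/app1-admins'],
    'cognito:preferred_role': 'arn:aws:iam::123456789012:role/app2-admins',
  };
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.dummysignature`;
}

// App1 gets its own admins role even though cognito:preferred_role is App2's.
console.log(selectRoleForApp(decodeJwtPayload(sampleIdToken()), APP1_GROUPS));
```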

elorzafe commented 2 years ago

@pjarts

Meanwhile, I am reviewing the PR. As a workaround, is it possible to have a Pre Token Generation Lambda that could modify the Cognito roles for that user?

The Lambda should read some client metadata from the library to detect which app is in use.

(Apologies for not looking into this issue until today.)