I created a Serverless Application using AWS Services (S3, Lambda, Cognito, DynamoDB) and the serverless framework with ReactJS by following this tutorial https://serverless-stack.com/. The Tutorial uses AWS Cognito User Pool and Identity Pool for User Management and Authentication Purposes. The application in the tutorial is a "Note-Taking" Application which doesn't have Role Based Access Control within the Application.
However the Application that I am creating requires RBAC and after reading about it, I have understood that RBAC can be implemented either using the "User Groups" or the "Federated Identities". However, I could not still figure out how to properly use either of those in my application.
This is what I have done in the Application till now
Policy
{
    "Version": "2012-10-17",
    "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_S3_UPLOADS_BUCKET_NAME/${cognito-identity.amazonaws.com:sub}*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:YOUR_API_GATEWAY_REGION:*:YOUR_API_GATEWAY_ID/*"
      ]
    }
  ]
}
This allows everyone to access all the APIs. How do I assign role to each user and then restrict the access to certain APIs based on their Role?
There's a few ways to do it; more to the point, you don't need an identity pool at all.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With