Scopes and tier-based authentication.
The naïve way to go about this would be to define IAM policies for the users in a Cognito User Pool and then fetch credentials, using either STS or a Lambda, with those policies applied. You can use just one policy and modify it on the fly to fit the role.
For example, you can have the following grants (the Sid contains no hyphens because IAM accepts only alphanumeric statement IDs; the action and resource are placeholders for your own service action and resource ARN):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "82f599a4a5054fa8addab1aae6f637db",
      "Action": "ListPosts",
      "Effect": "Allow",
      "Resource": "posts/*"
    }
  ]
}
Call this ListPostsPolicy. Then create UpdatePostsPolicy and whatever other policies you need.
When done, create a composite (or a "role") from these policies, such as user, administrator, and so on, and call assumeRole() with STS.
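The composite-role step above, written out as an added example (not code from the original answer): per-permission grants are kept in one table, each tier is a list of grant names, and the tier's composite policy is passed as the session policy of an STS AssumeRole call so a single base role is trimmed on the fly to one tier. The grant table, tier names, role ARN and the FakeSts stand-in for boto3's STS client are assumptions constructed for the demo; the REGION/ACCOUNT_ID/API_ID pieces are placeholders to fill in.

```python
import json
import re
from typing import Dict, List

# Constructed grant table: one entry per permission. The answer's "ListPosts" /
# "posts/*" are placeholders; a real IAM statement needs a service:Action and an
# ARN, so the ARN components below are labelled placeholders to fill in.
API_ARN = "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID"   # placeholder ARN prefix
GRANTS: Dict[str, Dict[str, str]] = {
    "ListPosts":   {"Action": "execute-api:Invoke", "Resource": f"{API_ARN}/*/GET/posts/*"},
    "UpdatePosts": {"Action": "execute-api:Invoke", "Resource": f"{API_ARN}/*/PUT/posts/*"},
    "DeletePosts": {"Action": "execute-api:Invoke", "Resource": f"{API_ARN}/*/DELETE/posts/*"},
}

# Tier -> list of grant names (the "composite" the answer describes). Assumed tiers.
TIERS: Dict[str, List[str]] = {
    "user": ["ListPosts"],
    "administrator": ["ListPosts", "UpdatePosts", "DeletePosts"],
}

SID_RE = re.compile(r"^[A-Za-z0-9]+$")   # IAM accepts only alphanumeric statement IDs
SESSION_POLICY_MAX_CHARS = 2048          # STS limit for inline session-policy plaintext


def statement(name: str) -> dict:
    """Build one Allow statement from the grant table, using the grant name as Sid."""
    if not SID_RE.match(name):
        raise ValueError(f"Sid {name!r} must be alphanumeric")
    grant = GRANTS[name]
    return {"Sid": name, "Effect": "Allow",
            "Action": grant["Action"], "Resource": grant["Resource"]}


def composite_policy(tier: str) -> dict:
    """Compose the per-tier policy document from that tier's grants."""
    if tier not in TIERS:
        raise KeyError(f"unknown tier {tier!r}")
    return {"Version": "2012-10-17",
            "Statement": [statement(n) for n in TIERS[tier]]}


def assume_tier_role(sts_client, role_arn: str, tier: str, session_name: str) -> dict:
    """Assume the base role with the tier policy attached as a session policy.

    A session policy can only narrow the role's own permissions (the effective
    permissions are the intersection), so the base role must allow the union of
    all tiers and this call trims it down to the caller's tier.
    """
    policy_json = json.dumps(composite_policy(tier), separators=(",", ":"))
    if len(policy_json) > SESSION_POLICY_MAX_CHARS:
        raise ValueError("session policy exceeds the STS plaintext limit")
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        Policy=policy_json,
        DurationSeconds=900,   # shortest lifetime STS allows; keep scoped creds short-lived
    )
    return resp["Credentials"]


class FakeSts:
    """Offline stand-in for boto3.client("sts") so the flow runs without AWS access."""

    def __init__(self) -> None:
        self.calls: List[dict] = []

    def assume_role(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",   # constructed values
                                "SecretAccessKey": "secret",
                                "SessionToken": "token"}}


if __name__ == "__main__":
    sts = FakeSts()   # swap in boto3.client("sts") against a real account
    creds = assume_tier_role(sts, "arn:aws:iam::ACCOUNT_ID:role/AppBaseRole", "user", "alice")
    print(json.dumps(json.loads(sts.calls[0]["Policy"]), indent=2))
    print(creds["AccessKeyId"])
```

The point of routing every tier through one base role plus a session policy is that the role's own policy stays the hard ceiling: a bug in the tier table can drop permissions but never grant anything the base role does not already allow.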
The better way is to use Cognito Federated Identities (identity pools): the identity pool provides the permissions link (mapping federated users to IAM roles), while the user pool remains the actual authentication layer.
Shreyansh Pandey
node, coffee and everything in between