Comment by Shreyansh Pandey on "AWS Setup for React"

Shreyansh Pandey

node, coffee and everything in between

Dec 14, 2018

Scopes and tier-based authentication.

The naïve way to go about this would be to issue IAM policies in a Cognito User Pool and then fetch credentials using either STS or Lambda with the policies applied. You can use just one policy and then modify it on-the-fly to fit the role.

For example, you can have the following grants:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "82f599a4-a505-4fa8-adda-b1aae6f637db",
      "Action": "ListPosts",
      "Effect": "Allow",
      "Resource": "posts/*"
    }
  ]
}

Call this ListPostsPolicy. Then, create UpdatePosts and whatever policies you need.

When done, create a composite (or a "role") based on these policies. Like user, administrator, etc. and call assumeRole() with STS.

The better way is to use Federated Identities; you will get the permissions link (Federated Users) and the actual auth layer (user pool).

Nino

Dec 17, 2018

Thank you for your detailed explanaition. It really helped me a lot!

I tried the better way like you suggested. I have setup an AppSync environment with IAM authentication settings. Also created a cognito user pool and an identety pool with 2 IAM roles, unauthenticated & authenticated and added the policies to the roles for accesing AppSync.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appsync:GraphQL" ], "Resource": [ "arn:aws:appsync:eu-central-1:135532242699:apis/cxa7cphbi5g5znie72o7rk7gde/types/Query/fields/getTask" ] } ] }

Brilliant! If you need any further help, message me! :)

Search Hashnode