Could you help me understand the necessity for the auth/unauth roles? I'd like to understand more of what's going on with the CloudFormation that Amplify is generating and how it's used, especially before putting it into prod.
* Which Category is your question related to? *
Roles in the CFN templates
* What AWS Services are you utilizing? *
This is in the base template
* Provide additional details e.g. code snippets *
"AuthRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": {
      "Ref": "AuthRoleName"
    },
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "authenticated"
            }
          }
        }
      ]
    }
  }
},
"UnauthRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": {
      "Ref": "UnauthRoleName"
    },
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "unauthenticated"
            }
          }
        }
      ]
    }
  }
}
Hi @ryanwmarsh
One option to give your app's end users access to AWS resources is to give them temporary AWS credentials. (Those temporary credentials are provided by Amazon Cognito Federated Identities (Identity Pool).)
Your app's Identity Pool can give credentials to authenticated and unauthenticated users (guest users that didn't sign up in your app). Each group of users (auth and unauth) has an IAM Role, which is basically the set of permissions that group has. (Maybe you don't want the same privileges for unauth users.)
When you use aws-amplify/cli, the permissions are configured for you automatically for each resource by attaching IAM policies (permissions configuration) to each role.
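To make the "before putting it into prod" part concrete, here is an added example (not code from the issue, the commenter, or the Amplify project) that audits a template of this shape offline. It rebuilds the two roles from the snippet above as constructed input, adds a hypothetical `GuestReadPolicy` attached to `UnauthRole` (an assumption, so the policy check has something to flag), and then reports, per role: which identity class (`amr`) the trust policy accepts, whether the trust is pinned to one identity pool via the `cognito-identity.amazonaws.com:aud` condition key that AWS documents for Cognito role trust policies, and any wildcard grants in the policies attached to the role. The snippet as posted scopes trust by `amr` only; whether later Amplify resources add the `aud` condition is not shown on this page, so the check flags its absence for you to confirm against the deployed role. `pin_to_identity_pool` shows the hardened form, and the identity pool ID it takes is a placeholder.

```python
# Offline pre-prod check of the AuthRole/UnauthRole trust policies and the
# permissions attached to them in an Amplify-style CloudFormation template.
import copy

COGNITO_IDP = "cognito-identity.amazonaws.com"
AMR_KEY = COGNITO_IDP + ":amr"
AUD_KEY = COGNITO_IDP + ":aud"


def cognito_role(role_name_param, amr):
    # Same trust policy shape as the two roles posted in the issue.
    return {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": {"Ref": role_name_param},
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Sid": "", "Effect": "Allow",
            "Principal": {"Federated": COGNITO_IDP},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"ForAnyValue:StringLike": {AMR_KEY: amr}}}]}}}


# Constructed sample input: the issue's two roles plus a hypothetical guest policy
# (GuestReadPolicy is an assumption, not part of the original template).
TEMPLATE = {"Resources": {
    "AuthRole": cognito_role("AuthRoleName", "authenticated"),
    "UnauthRole": cognito_role("UnauthRoleName", "unauthenticated"),
    "GuestReadPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "guest-read",
        "Roles": [{"Ref": "UnauthRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}}}}


def _as_list(value):
    # IAM accepts a scalar or a list for Action/Resource/Principal values.
    return [] if value is None else value if isinstance(value, list) else [value]


def condition_values(statement, key):
    # Every value bound to `key`, whatever condition operator it sits under.
    values = []
    for operands in statement.get("Condition", {}).values():
        values.extend(_as_list(operands.get(key)))
    return values


def cognito_trust_statements(role):
    # Allow statements that let Cognito identities assume the role via web identity.
    out = []
    for st in _as_list(role["Properties"]["AssumeRolePolicyDocument"].get("Statement")):
        principal = st.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and COGNITO_IDP in federated
                and "sts:AssumeRoleWithWebIdentity" in _as_list(st.get("Action"))):
            out.append(st)
    return out


def policies_for_role(template, logical_id):
    # Inline Policies on the role plus AWS::IAM::Policy resources that Ref it.
    resources = template["Resources"]
    docs = [p["PolicyDocument"] for p in resources[logical_id]["Properties"].get("Policies", [])]
    for res in resources.values():
        roles = res.get("Properties", {}).get("Roles", []) if res.get("Type") == "AWS::IAM::Policy" else []
        if any(isinstance(r, dict) and r.get("Ref") == logical_id for r in roles):
            docs.append(res["Properties"]["PolicyDocument"])
    return docs


def audit_role(template, logical_id):
    # Which identity class (amr) the role trusts, whether the trust is pinned to one
    # identity pool (aud), and any wildcard grants in the attached policies.
    amr, aud, findings = set(), set(), []
    for st in cognito_trust_statements(template["Resources"][logical_id]):
        amr.update(condition_values(st, AMR_KEY))
        pool_ids = condition_values(st, AUD_KEY)
        aud.update(pool_ids)
        if not pool_ids:
            findings.append("trust policy has no aud condition: not pinned to one identity pool")
    for doc in policies_for_role(template, logical_id):
        for st in _as_list(doc.get("Statement")):
            actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
            if st.get("Effect") == "Allow" and (
                    any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources):
                findings.append(f"wildcard grant: {actions} on {resources}")
    return {"amr": sorted(amr), "aud_restricted": bool(aud), "findings": findings}


def audit_template(template):
    # Audit every role in the template that Cognito identities can assume.
    return {name: audit_role(template, name)
            for name, res in template["Resources"].items()
            if res.get("Type") == "AWS::IAM::Role" and cognito_trust_statements(res)}


def pin_to_identity_pool(template, logical_id, pool_id):
    # Copy of the template with the role's Cognito trust limited to one identity pool
    # via the aud condition key that AWS documents for Cognito role trust policies.
    hardened = copy.deepcopy(template)
    for st in cognito_trust_statements(hardened["Resources"][logical_id]):
        st.setdefault("Condition", {}).setdefault("StringEquals", {})[AUD_KEY] = pool_id
    return hardened


if __name__ == "__main__":
    for name, result in audit_template(TEMPLATE).items():
        print(name, result)
```

Run it against the real `amplify/backend/awscloudformation` output by loading the template JSON into `TEMPLATE` instead of the constructed dict; the unauth role is the one to read most carefully, since anyone who opens the app gets its credentials without signing in.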