Amplify-js: User pool groups policies not applied

Created on 20 Dec 2018 · 13 Comments · Source: aws-amplify/amplify-js

I have authentication and storage set for my app.

I want to have admin group in my user pool which has access to all private storages

I created a policy and a role which allow access to s3:::mybucker/private/* resources

This role is attached to user pool group which my user is also assigned to

EXPECTED

  • I login in my app with administrator user, which belongs to admin group
  • I use Storage.get to access private folder of another user
  • Access granted since administrator user has specific policy permission for this

ACTUAL

  • Access denied

Code snippet for file access

import { Storage } from 'aws-amplify';

// Read another user's private object; only works if the role in effect allows private/* for that identityId
Storage.get('file.txt', {level: 'private', identityId: 'otheruser', download: true})
      .then(link => console.log("Storage", link))
      .catch(err => console.warn("Error", err));
Labels: Auth, Cognito, feature-request

All 13 comments

@budmitr when you say the role is attached to user pool group does it mean that you edited the role arn in the Cognito Group?

@powerful23 yes exactly

In the Update group popup (the one with fields Name, Description, Precedence and a role selector) I select a previously defined IAM Role.
After confirming my action with the Update group button click, I see the updated Role ARN on the group description page.

@budmitr unfortunately we are currently not supporting this feature in the SDK. I will mark this as a feature request.

To implement this feature, the SDK should be able to set the CustomRoleArn property in the credentials object: https://github.com/aws-amplify/amplify-js/blob/master/packages/core/src/Credentials.ts#L239

@budmitr Another way you may achieve this is to:

  1. Assign a value to the Precedence in your user group
  2. In your Cognito Federated Identity pool -> Edit Identity Pool -> Authentication Providers -> Authentication role selection -> Change Use default role to Choose role from token

This should allow you to switch to another role when logging in with admin accounts.

@powerful23 I used the second way, but it didn't work. I set the admin group precedence to 0 and chose role from token. I got access denied.

@powerful23, when I used the same setting with a user group, I can see it works when different users call different APIs; they have different permissions. But regarding the S3 private folder access, it doesn't work. Is there any update on this topic?

+1

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I also have an app which grants users access to their own private area of a shared bucket using this in my Identity Pool policy:

{
  "Effect": "Allow",
  "Action": [ "s3:*" ],
  "Resource": [ "arn:aws:s3:::MY_BUCKET_NAME/private/${cognito-identity.amazonaws.com:sub}/*" ]
}

However, the user is also part of a 'group', and that group of users needs to access resources in another bucket. I added the user to a Cognito user group that has the required policy permissions, but it doesn't work.
How to do this?

Is a reasonable solution to:

  1. Add a custom attribute to your user pool.
  2. Then, in the identity pool, use the 'choose role with rules' function.
    i.e. The user pool could have a custom attribute custom:clientname. All users that share the same clientname attribute could be assigned the same role and thus access the same resources.

@budmitr I believe that your IAM role / policy is probably configured incorrectly. It took a long time to figure this out; Cognito is confusing.

How to enable a group policy on your user pool

  1. Go to Cognito -> Manage Identity Pools ( https://console.aws.amazon.com/cognito/federated ). Click on the Identity Pool that your amplify project created -- it should have your env name at the end.

  2. Click Edit Identity Pool -> Authorization Providers -> Cognito. Under "Authentication role selection" change "Use Default Role" to "Choose Role from Token". Do this for each of the App Clients; I had two.

  2.b Copy the Identity Pool Id, which looks like "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx".

  3. Now, you're going to create the desired IAM role for your group. Go to IAM -> Create New Role -> Web Identity.

  4. Choose Amazon Cognito and paste your Identity Pool Id from step 2.b. You might want to add a condition here but I don't believe that is necessary (although it adds extra security). Click Next.

  5. Create an IAM role with S3 permissions on the S3 bucket that Amplify creates (note: make sure you choose the S3 bucket for your current amplify env). You can use the S3FullAccess policy for a quick hack, but this is obviously not recommended in production (or really any environment). Name this role something like yourapp-yourenv-admin-group-role and remember this name for step 6.

  6. Go to Cognito -> Manage User Pools and select your user pool. Click on Users and Groups -> Groups -> [Your group, e.g. Admin]. Click the edit icon and select the IAM role that you created in step 5.

  7. Clear your cache in your web browser for your website and log in again. You should be able to see your S3 files!
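The following is an added example, not code from the issue or from Amplify. It models the two policies this thread contrasts (the per-user private prefix from the identity pool's default authenticated role, and a scoped admin-group role that replaces the S3FullAccess shortcut) and shows which private keys each one allows. The bucket name and identity ids are constructed placeholders.

```javascript
// Added example, not code from the issue or from Amplify. Models the per-user
// policy vs. a least-privilege admin-group policy and checks which S3 keys each
// allows. Bucket name and identity ids are constructed placeholders.
const BUCKET = "my-amplify-bucket-dev"; // placeholder name

// Default authenticated-role statement from the thread: each user may only
// touch their own private prefix; the policy variable is filled per request.
const perUserPolicy = {
  Effect: "Allow",
  Action: ["s3:*"],
  Resource: [`arn:aws:s3:::${BUCKET}/private/\${cognito-identity.amazonaws.com:sub}/*`],
};

// Admin-group role statement: read every private prefix and list the bucket,
// nothing more. This is the least-privilege stand-in for S3FullAccess.
const adminGroupPolicy = {
  Effect: "Allow",
  Action: ["s3:GetObject", "s3:ListBucket"],
  Resource: [`arn:aws:s3:::${BUCKET}/private/*`, `arn:aws:s3:::${BUCKET}`],
};

// IAM wildcard matching: '*' matches any run of characters, '?' exactly one,
// everything else is literal.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^$(){}|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// Allow-only evaluator: IAM denies by default, so the request succeeds only when
// some statement matches both the action and the variable-substituted resource.
function isAllowed(policy, action, resourceArn, identityId) {
  const stmts = Array.isArray(policy) ? policy : [policy];
  return stmts.some((s) => {
    if (s.Effect !== "Allow") return false;
    const actionOk = s.Action.some((a) => patternToRegExp(a).test(action));
    const resourceOk = s.Resource
      .map((r) => r.replace("${cognito-identity.amazonaws.com:sub}", identityId))
      .some((r) => patternToRegExp(r).test(resourceArn));
    return actionOk && resourceOk;
  });
}

// Storage.get('file.txt', { level: 'private', identityId }) resolves to this key.
function privateObjectArn(identityId, file) {
  return `arn:aws:s3:::${BUCKET}/private/${identityId}/${file}`;
}
```

Explicit Deny statements and bucket-level conditions are out of scope; the point is that the denial in this thread comes from the role in effect, not from Storage.get itself.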

I have the same problem, that the client is not able to switch IAM roles.

My background is that we want to grant permissions to AWS resources based on memberships in projects.
I created a Cognito group per project with a matching IAM role that has the needed IAM policies for the AWS resources attached.
One user can then be a member of multiple groups and can assume the attached IAM roles.

Both Cognito groups and IAM roles are present in the session idToken:

"idToken": {
  "payload": {
    "cognito:groups": ["group1", "group2"],
    "cognito:roles": ["arn:aws:iam:::role/test1", "arn:aws:iam:::role/test2"]
  }
}

Now only the group + role with the lowest Precedence is used (group1 with role test1) and I can't assume another role, because CustomRoleArn is missing.

It looks to me like there is an older closed issue about this: #2675.
In this issue there is an argument that CustomRoleArn shouldn't be handled in the client, but by a backend, and that the client shouldn't contain logic for that.

I think the client should have the ability to use CustomRoleArn based on the AWS API, because I'm using Cognito with AWS IAM for the purpose that I don't want to do my own user and permission management service, and I think that is also the idea of the Cognito Group to IAM role binding.

It would be nice if there was some Auth.assumeRole(arn) function to handle this.
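The following is an added example, not code from the issue or from Amplify. It decodes a Cognito ID token and answers the two questions the comment above raises: which role the identity pool picks under "Choose role from token" when no CustomRoleArn is given (the cognito:preferred_role claim, i.e. the lowest-Precedence group), and whether a requested CustomRoleArn would be accepted (it must be one of the token's cognito:roles). The token, key id and account id 123456789012 are constructed.

```javascript
// Added example, not code from the issue or from Amplify. Decodes a Cognito ID
// token, reports the role the identity pool would pick by default, and checks a
// requested CustomRoleArn against cognito:roles. Token contents are constructed.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Unsigned sample token (header.payload.signature). A real token must be
// signature-checked against the user pool JWKS before any claim is trusted;
// this decoder only inspects claims.
const SAMPLE_ID_TOKEN = [
  b64url({ alg: "RS256", kid: "placeholder-kid" }),
  b64url({
    sub: "00000000-0000-0000-0000-000000000000",
    "cognito:groups": ["group1", "group2"],
    "cognito:roles": [
      "arn:aws:iam::123456789012:role/test1",
      "arn:aws:iam::123456789012:role/test2",
    ],
    "cognito:preferred_role": "arn:aws:iam::123456789012:role/test1",
  }),
  "placeholder-signature",
].join(".");

function decodeIdTokenPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  // Node's base64 decoder also accepts the URL-safe alphabet without padding.
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// With "Choose role from token" and no CustomRoleArn, the identity pool assumes
// cognito:preferred_role: the role of the group with the lowest Precedence.
function defaultRoleFromToken(payload) {
  return payload["cognito:preferred_role"] ?? null;
}

// GetCredentialsForIdentity honours CustomRoleArn only when that ARN appears in
// the token's cognito:roles claim; checking client-side makes a group/role
// misconfiguration fail with a clear message instead of a generic AccessDenied.
function selectRole(payload, customRoleArn) {
  if (customRoleArn === undefined) return defaultRoleFromToken(payload);
  const roles = payload["cognito:roles"] ?? [];
  if (!roles.includes(customRoleArn)) {
    throw new Error(`CustomRoleArn ${customRoleArn} is not in cognito:roles`);
  }
  return customRoleArn;
}
```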
