Fine-grained Access Control with Amazon Cognito Identity Pools
- Published: 3 Aug 2024
- An overview of how to implement fine-grained access control with Amazon Cognito Identity Pools and a demonstration of using attributes from identity providers for access control. Learn more about Amazon Cognito Identity Pools at - amzn.to/3s9gckK.
Subscribe:
More AWS videos - bit.ly/2O3zS75
More AWS events videos - bit.ly/316g9t4
#AWS Science
Crystal clear, well articulated and to the point! Wish this guy did more such educational videos for confusing AWS services.
Agreed. 100%
Really, thank you for this video. It is far better to understand Cognito like this rather than reading the documentation. Well done!
Mahmoud, hands down the best explanation and demo on fine grained RBAC for S3 using Cognito. I was using a rather dumb way of assigning a separate bucket to a user, for my use case. Access based on tags makes this ridiculously easy to use. Thanks so much for this content! You are frigging awesome!
This is such a practical example of the more or less theoretical explanations in the cognito docs! I'm happy to have found this, because this connects perfectly with the docs! Thanks for creating!
Top-notch explanation. Wish I could upvote it more than once! Thank you very much for putting this video together.
Such a good explanation, solved in minutes what I was trying to solve for hours. Thank you.
That's AWSome, Aayush! 😀
Excellent tutorial! I have struggled to understand Identity Pools and this video definitely helps.
This is very awesome. Well done, Mahmoud and AWS!
I like how the length of this video is exactly 20:20!
Thanks for sharing with us!
This is treasure. Thank you !
We're so glad you like it! 😀
This was useful, awesome video! Thank you :)
Thank you very very much for this superb tutorial
We're glad you liked it! 😁 🙌
Awesome!
Great Video! Question: Is it possible to define PrincipalTag mapping in a Cloudformation or SAM template?
Thank you for the wonderful tutorial. Got it mostly working; however, when I do custom mapping with a principal key that has multi-value attributes, e.g. ["value1", "value2"], it throws an error saying "Invalid identity pool configuration. Check assigned IAM roles for this pool.", even though it works with single-value attribute mapping conditional permission as expected. Here is the condition:
    "Condition": {
        "ForAnyValue:StringEqualsIgnoreCase": {
            "s3:ExistingObjectTag/groups": "${aws:PrincipalTag/groups}"
        }
    }
Here he is getting department and clearance in the token. As far as I know, these are not built-in attributes, and if they are custom, then they should be custom:department and custom:clearance in the JWT token.
Thank you for this tutorial. Really practical for my use cases. May I ask, in your ID token you had department and clearance as the key names. I assume that's from the user pool custom attributes? I tried doing this and my ID token was able to include them. However, the keys included "custom:" in the name, like "custom:department":"Sales". How did you manage to just get "department":"legal"? Was this done via the pre-token Lambda or something else? Thanks in advance.
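The two comments above ask how claims such as custom:department end up as tags an IAM policy can match, and the earlier one asks what makes the identity pool reject a role configuration. The block below is an added example, not code from the video or from AWS: it builds the trust policy and the permissions policy for the identity pool's authenticated role, builds the principal-tag mapping that turns ID-token claims into session tags, and checks that the pair is consistent. Region, pool IDs, bucket name, tag keys and claim names are placeholders; the mapping assumes department and clearance are user pool custom attributes, so their claim names are custom:department and custom:clearance.

```python
import json

# Constructed placeholders; substitute your own identifiers.
REGION = "us-east-1"
IDENTITY_POOL_ID = f"{REGION}:11111111-2222-3333-4444-555555555555"
USER_POOL_ID = f"{REGION}_EXAMPLE01"
BUCKET = "example-department-files"
# The user pool as the identity pool names it in IdentityProviderName / Logins.
USER_POOL_PROVIDER = f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
# Tag key -> ID-token claim. Custom user pool attributes are prefixed "custom:".
TAG_TO_CLAIM = {"department": "custom:department", "clearance": "custom:clearance"}


def trust_policy(identity_pool_id: str) -> dict:
    """Trust policy of the authenticated role. sts:TagSession is what lets the
    identity pool attach the mapped claims as principal tags; without it the
    role cannot be used with attributes for access control."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def permissions_policy(bucket: str, tag_key: str) -> dict:
    """Object access gated on the caller's own tag: read objects tagged with the
    caller's department, and upload only objects tagged with that department."""
    objects = f"arn:aws:s3:::{bucket}/*"
    principal_tag = f"${{aws:PrincipalTag/{tag_key}}}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadOwnDepartmentObjects", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": objects,
             "Condition": {"StringEquals": {f"s3:ExistingObjectTag/{tag_key}": principal_tag}}},
            {"Sid": "UploadOnlyWithOwnDepartmentTag", "Effect": "Allow", "Action": "s3:PutObject",
             "Resource": objects,
             "Condition": {"StringEquals": {f"s3:RequestObjectTag/{tag_key}": principal_tag}}},
        ],
    }


def principal_tag_mapping(identity_pool_id: str, provider_name: str, tag_to_claim: dict) -> dict:
    """Parameters for the SetPrincipalTagAttributeMap API (custom mapping, not the
    defaults), in the shape the AWS CLI accepts via --cli-input-json."""
    return {
        "IdentityPoolId": identity_pool_id,
        "IdentityProviderName": provider_name,
        "UseDefaults": False,
        "PrincipalTags": dict(tag_to_claim),
    }


def check_policies(trust: dict, perms: dict, tag_key: str) -> list:
    """Return a list of problems; an empty list means the pair is usable for
    tag-based access control on the given tag key."""
    problems = []
    actions = set()
    for st in trust["Statement"]:
        act = st["Action"]
        actions.update([act] if isinstance(act, str) else act)
    if "sts:TagSession" not in actions:
        problems.append("trust policy lacks sts:TagSession; principal tags cannot be attached")
    expected = f"${{aws:PrincipalTag/{tag_key}}}"
    for st in perms["Statement"]:
        if st["Resource"].endswith("/*") and expected not in json.dumps(st.get("Condition", {})):
            problems.append(f"statement {st.get('Sid')} grants object access without a {tag_key} tag condition")
    return problems


if __name__ == "__main__":
    trust, perms = trust_policy(IDENTITY_POOL_ID), permissions_policy(BUCKET, "department")
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print(json.dumps(principal_tag_mapping(IDENTITY_POOL_ID, USER_POOL_PROVIDER, TAG_TO_CLAIM), indent=2))
    print("problems:", check_policies(trust, perms, "department"))
```

The mapping can be applied with `aws cognito-identity set-principal-tag-attribute-map --cli-input-json file://mapping.json`, where mapping.json is the dictionary returned by principal_tag_mapping. Two caveats a practitioner should keep in mind: the tag values are copied from claims in the ID token that the user pool signed, so a user cannot change their department by editing the GetCredentialsForIdentity request; what matters is that the app client is not allowed to write custom:department, otherwise a user could update the attribute themselves. And the policy deliberately omits s3:PutObjectTagging, because retagging an object would change who is allowed to read it.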
I cannot get the IdentityId. Any special setup on the Headers tab in Postman?
How do you configure Postman to get the token?
What URL are you using in the POST request for GetId?
I'd like to know how to add these mappings of principal tags to my CloudFormation/SAM template. I declare the schema for the user pool and a user pool client, and then use these as the provider for the identity pool. But I can't see a way of declaring these tags so that I can use them in my identity role. Any suggestions?
Any update on this? Is it possible to define those tags using CloudFormation?
@sloopyfari Nope - can't see that there's any way to do this as yet. There's an AWS::Cognito::UserPoolIdentityProvider thing, which has some kind of attribute mapping, but I don't think it has anything to do with these tags, and it seems to be for federated providers like Facebook or Google.
What is substituted for the variable {{cognito-identity-regional-endpoint}} in your Postman request?
Rules or roles? I'm a little confused.
Are there any security concerns with this of users modifying the request so that their department/confidentiality level is different?
15:10 Why does Cognito force you to pass the *id_token* (rather than the access_token)?
For whatever reason (if anybody knows, please share) the access_token doesn't contain an *aud* claim, so it can't be used to authenticate.
I'm using an AWS Academy account (formerly AWS Educate) and currently I'm not permitted to create any IAM role (I'm prompted with an error message saying I'm not authorized). What is the alternative solution if I want to set up fine-grained access control permissions involving uploading files to an S3 bucket, invoking Lambda functions to execute my app's business logic and accessing the database for data storage and retrieval, without the use of IAM roles?
Where can I find the cognito-identity-regional-endpoint?
This doc shows all of the endpoints for each region (docs.aws.amazon.com/general/latest/gr/cognito_identity.html). It's still not working for me though. Does anyone know if I need to add a path to the end (i.e. endpoint/getid or something)?
@alecsaunders8799 Any luck on this?
It’s a bit confusing, but the regional endpoints can be found here - docs.aws.amazon.com/general/latest/gr/cognito_identity.html, however you still need to properly configure your request to get a 200 response, which includes setting the custom headers for AWS shown in this example: docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html#API_GetId_Examples (X-AMZ-TARGET: com.amazonaws.cognito.identity.model.AWSCognitoIdentityService.GetId)
@badam1111 This step took me half a day!!!
@badam1111 Can you share everything that needs to be added in the Headers section in Postman for this to work?
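The questions above about the regional endpoint, the Postman headers and the "unknown operation" error, and the earlier question about why the id_token rather than the access_token is passed, are easier to see from the raw API exchange. The block below is an added example, not code from the video or from AWS: it builds the two unsigned Cognito Identity calls (GetId, then GetCredentialsForIdentity) exactly as an HTTP client would send them, and decodes a constructed sample ID token to show the claims the identity pool consumes. Region, pool IDs, app client ID and the sample token are constructed placeholders; get_aws_credentials is the only function that touches the network.

```python
import base64
import json
import urllib.request

# Constructed placeholders; substitute your own pool identifiers.
REGION = "us-east-1"
IDENTITY_POOL_ID = f"{REGION}:11111111-2222-3333-4444-555555555555"
USER_POOL_ID = f"{REGION}_EXAMPLE01"
# Key used under "Logins": the user pool's provider name as the identity pool knows it.
LOGIN_PROVIDER = f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def regional_endpoint(region: str) -> str:
    """What {{cognito-identity-regional-endpoint}} expands to. The operation is
    not part of the path: every call is a POST to '/'."""
    return f"https://cognito-identity.{region}.amazonaws.com/"


def build_request(operation: str, payload: dict, region: str = REGION):
    """Return (url, headers, body) for one Cognito Identity API call.

    GetId and GetCredentialsForIdentity need no SigV4 signature. The service
    selects the operation from X-Amz-Target (the value from the API reference;
    botocore's shorter 'AWSCognitoIdentityService.<Op>' form is accepted as
    well) and expects an AWS JSON 1.1 body. A missing X-Amz-Target is the
    usual cause of UnknownOperationException.
    """
    headers = {
        "Content-Type": "application/x-amz-json-1.1",
        "X-Amz-Target": f"com.amazonaws.cognito.identity.model.AWSCognitoIdentityService.{operation}",
    }
    return regional_endpoint(region), headers, json.dumps(payload).encode()


def call(operation: str, payload: dict, region: str = REGION) -> dict:
    """Send one call over the network and return the decoded JSON reply."""
    url, headers, body = build_request(operation, payload, region)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def get_aws_credentials(id_token: str, identity_pool_id: str = IDENTITY_POOL_ID,
                        region: str = REGION) -> dict:
    """ID token -> IdentityId -> temporary credentials for the mapped IAM role."""
    logins = {LOGIN_PROVIDER: id_token}
    identity = call("GetId", {"IdentityPoolId": identity_pool_id, "Logins": logins}, region)
    reply = call("GetCredentialsForIdentity",
                 {"IdentityId": identity["IdentityId"], "Logins": logins}, region)
    return reply["Credentials"]  # AccessKeyId, SecretKey, SessionToken, Expiration


def peek_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature; inspection only,
    never a basis for trusting the token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def usable_as_login(claims: dict) -> bool:
    """Identity pools take the ID token: token_use 'id' with an aud claim naming
    the app client. A Cognito access token carries client_id instead of aud."""
    return claims.get("token_use") == "id" and "aud" in claims


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed, unsigned sample ID token (dummy signature) used only to show the
# claim names; a real token is RS256-signed by the user pool.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example-key-id"}),
    _b64url({"sub": "11111111-aaaa-bbbb-cccc-222222222222",
             "aud": "example-app-client-id", "token_use": "id",
             "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
             "custom:department": "legal", "custom:clearance": "high"}),
    "dummy-signature",
])

if __name__ == "__main__":
    url, headers, body = build_request(
        "GetId", {"IdentityPoolId": IDENTITY_POOL_ID, "Logins": {LOGIN_PROVIDER: SAMPLE_ID_TOKEN}})
    print("POST", url, headers, body.decode())
    print(peek_claims(SAMPLE_ID_TOKEN))
    # get_aws_credentials(<real id_token from InitiateAuth>) returns live keys.
```

In Postman the same two calls are a POST to the URL from regional_endpoint with the two headers from build_request and the JSON body; the IdentityId from the first reply goes into the second request together with the same Logins map. The decoded sample shows why the custom attributes appear as custom:department in the token and why the identity pool wants the ID token: it is the token that carries aud.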
you are a god
The POST request gives an unknown operation exception.
What are the exact URLs for the Cognito Identity regional endpoint used to fetch credentials?
Hi, Vaibhav. 👋 The technical nature of your query is slightly outside our support scope on this platform. Check out our available resources to get some assistance with this: go.aws/get-help. 🤓 ^RW
Thank you, but I have difficulty differentiating your accent with respect to "role" and "rule". They sound the same...
Wow! The presenter has done a fantastic job explaining complex access control, and instead of applying your mind to understand, you criticize his "accent".
A rule means: upon a condition, assign/assume a role. A role refers to a predefined/created IAM role.
Please, can you add subtitles? The autogenerated ones don't help much, and it is hard to understand your accent.