Fine-grained Access Control with Amazon Cognito Identity Pools

  • Published 20 Aug 2024

Comments • 52

  • @vibinaravindakshan719
    @vibinaravindakshan719 1 year ago +3

    Mahmoud, hands down the best explanation and demo on fine grained RBAC for S3 using Cognito. I was using a rather dumb way of assigning a separate bucket to a user, for my use case. Access based on tags makes this ridiculously easy to use. Thanks so much for this content! You are frigging awesome!

  • @prannoyroy5312
    @prannoyroy5312 2 years ago +6

    Crystal clear, well articulated and to the point! Wish this guy did more such educational videos for confusing AWS services.

    • @IsanHawke
      @IsanHawke 7 months ago

      Agreed. 100%

  • @saltukkezer5100
    @saltukkezer5100 2 years ago +4

    This is such a practical example of the more or less theoretical explanations in the cognito docs! I'm happy to have found this, because this connects perfectly with the docs! Thanks for creating!

  • @alvaromartin6301
    @alvaromartin6301 1 year ago +1

    Really, thank you for this video. It's far better to understand Cognito like this rather than reading the documentation. Well done!

  • @jmrah
    @jmrah 3 years ago +6

    Top-notch explanation. Wish I could upvote it more than once! Thank you very much for putting this video together.

  • @aayushpurswani9630
    @aayushpurswani9630 11 months ago

    Such a good explanation, solved in minutes what I was trying to solve for hours. Thank you.

  • @rodoherty1
    @rodoherty1 2 years ago

    Excellent tutorial! I have struggled to understand Identity Pools and this video definitely helps.

  • @PriyankRupareliya
    @PriyankRupareliya 6 months ago

    This is treasure. Thank you!

  • @khoavo5758
    @khoavo5758 1 year ago

    I like how the length of this video is exactly 20:20!

  • @yustiono
    @yustiono 2 years ago

    This is very awesome. Well done, Mahmoud and AWS!

  • @RachetKhanal
    @RachetKhanal 1 year ago

    Thank you very very much for this superb tutorial

  • @manishpal2703
    @manishpal2703 3 years ago +2

    Here he is getting department & clearance in the token. As far as I know, these are not built-in attributes, and if they are custom, then they should be custom:department & custom:clearance in the JWT token.

  • @Viet100
    @Viet100 2 years ago

    I cannot get the IdentityId. Any special setup on the Headers tab in Postman?

  • @kufena
    @kufena 3 years ago +4

    I'd like to know how to add these mappings of principal tags to my CloudFormation/SAM template. I declare the schema for the user pool and a user pool client, and then use these as the provider for the identity pool. But I can't see a way of declaring these tags so that I can use them in my identity role. Any suggestions?

    • @sloopyfari
      @sloopyfari 3 years ago

      Any update on this? Is it possible to define those tags using CloudFormation?

    • @kufena
      @kufena 3 years ago

      @@sloopyfari Nope - can't see that there's any way to do this as yet. There's an AWS::Cognito::UserPoolIdentityProvider thing, which has some kind of attribute mapping, but I don't think it has anything to do with these tags, and it seems to be for federated providers like Facebook or Google.

  • @krknpl10
    @krknpl10 3 years ago +1

    Thank you for the wonderful tutorial. Got it mostly working; however, when I do custom mapping with a principal key that has multi-value attributes, e.g. ["value1", "value2"], it throws an error saying "Invalid identity pool configuration. Check assigned IAM roles for this pool." even though it works with single-value attribute mapping conditional permission as expected. Here is the condition:
    "Condition": {
      "ForAnyValue:StringEqualsIgnoreCase": {
        "s3:ExistingObjectTag/groups": "${aws:PrincipalTag/groups}"
      }
    }

  • @ofabio1
    @ofabio1 2 years ago

    Thanks for sharing with us!

  • @asifkalam9190
    @asifkalam9190 3 years ago +2

    What URL are you using in the POST request for GetId?

  • @antorixico
    @antorixico 3 years ago +2

    Rules or roles? I'm a little confused.

  • @flashliqu
    @flashliqu 1 year ago +1

    How do you configure Postman to get the token?

  • @mauriceolum1540
    @mauriceolum1540 3 years ago +2

    Awesome!

  • @ganesh221b
    @ganesh221b 3 years ago

    This was useful, awesome video! Thank you :)

  • @chayanontpotawananont9317
    @chayanontpotawananont9317 3 years ago +5

    Where can I find the cognito-identity-regional-endpoint?

    • @alecsaunders8799
      @alecsaunders8799 3 years ago

      This doc shows all of the endpoints for each region (docs.aws.amazon.com/general/latest/gr/cognito_identity.html). It's still not working for me though. Does anyone know if I need to add a path to the end (i.e. endpoint/getid or something)?

    • @naveenkhanna4564
      @naveenkhanna4564 3 years ago

      @@alecsaunders8799 Any luck on this?

    • @badam1111
      @badam1111 3 years ago +3

      It’s a bit confusing, but the regional endpoints can be found here - docs.aws.amazon.com/general/latest/gr/cognito_identity.html, however you still need to properly configure your request to get a 200 response, which includes setting the custom headers for AWS shown in this example: docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html#API_GetId_Examples (X-AMZ-TARGET: com.amazonaws.cognito.identity.model.AWSCognitoIdentityService.GetId)

    • @s80275
      @s80275 2 years ago +1

      @@badam1111 This step took me a half-day!!!

    • @dishothamsuvarna2714
      @dishothamsuvarna2714 1 year ago

      @@badam1111 Can you share what all needs to be added in the Headers section in Postman for this to work?

  • @TheBalancedAmerican
    @TheBalancedAmerican 3 years ago

    Great video! Question: Is it possible to define PrincipalTag mapping in a CloudFormation or SAM template?

  • @sethbrokalis9824
    @sethbrokalis9824 2 years ago

    Are there any security concerns with this, e.g. users modifying the request so that their department/confidentiality level is different?

  • @thantzintun8477
    @thantzintun8477 2 years ago

    What replaces the variable {{cognito-identity-regional-endpoint}} in your Postman request?

  • @sukuranbo
    @sukuranbo 2 years ago

    Thank you for this tutorial. Really practical for my use cases. May I ask, in your ID token you have department and clearance as the key names. I assume that's from the user pool custom attributes? I tried doing this and my ID token was able to include this. However, the keys included "custom:" in the name, like "custom:department":"Sales". How did you manage to just get "department":"legal"? Was this done via the pre-token Lambda or something else??? Thanks in advance.

  • @nathansiva-wt5rb
    @nathansiva-wt5rb 3 years ago +5

    Thank you, but I have difficulty differentiating your accent w.r.t. "role" and "rule". They sound the same....

    • @vibinaravindakshan719
      @vibinaravindakshan719 1 year ago

      Wow! The presenter has done a fantastic job explaining complex access control, and instead of applying your mind to understand, you criticize his "accent".

    • @HussainMohammedAshruf
      @HussainMohammedAshruf 1 year ago

      Rule means: upon a condition, assign/assume a Role. Role refers to a predefined/created IAM Role.

  • @MrRokkit
    @MrRokkit 2 years ago

    15:10 Why does Cognito force you to pass the *id_token* (rather than the access_token)?
    For whatever reason (if anybody knows please share) the access_token doesn't contain an *aud* claim, so can't be used to authenticate.
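An added example (not code from the video, the AWS docs or the commenters) that gathers the answers scattered through the regional-endpoint thread above and this comment into one script: the regional endpoint with no extra path, the JSON-1.1 headers for GetId and GetCredentialsForIdentity, a Logins map keyed by the user-pool issuer that must carry the ID token, and a payload check showing why the access token (no aud claim) is rejected. Region, pool ids and the token are constructed placeholders; X-Amz-Target uses the short form the AWS SDKs send, while the docs example quoted above uses the longer com.amazonaws... form.

```python
import base64
import json
import urllib.request


def logins_map(region: str, user_pool_id: str, id_token: str) -> dict:
    # Key is the user-pool issuer host plus pool id; the value must be the *ID* token
    return {f"cognito-idp.{region}.amazonaws.com/{user_pool_id}": id_token}


def build_request(region: str, operation: str, body: dict) -> dict:
    # Both calls are unsigned JSON-1.1 POSTs to the bare regional endpoint; the operation
    # is selected by the X-Amz-Target header, not by a path such as /getid
    return {
        "url": f"https://cognito-identity.{region}.amazonaws.com/",
        "headers": {
            "Content-Type": "application/x-amz-json-1.1",
            "X-Amz-Target": f"AWSCognitoIdentityService.{operation}",
        },
        "body": json.dumps(body),
    }


def get_id_request(region, identity_pool_id, user_pool_id, id_token) -> dict:
    body = {"IdentityPoolId": identity_pool_id,
            "Logins": logins_map(region, user_pool_id, id_token)}
    return build_request(region, "GetId", body)


def get_credentials_request(region, identity_id, user_pool_id, id_token) -> dict:
    # IdentityId comes from the GetId response; the same Logins map is sent again
    body = {"IdentityId": identity_id,
            "Logins": logins_map(region, user_pool_id, id_token)}
    return build_request(region, "GetCredentialsForIdentity", body)


def jwt_claims(token: str) -> dict:
    # Payload decode only (no signature check) to confirm the caller is sending the ID token,
    # which carries 'aud'; the access token has no 'aud' and the identity pool rejects it
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def constructed_token(claims: dict) -> str:
    # Constructed, unsigned JWT-shaped string for offline demonstration only
    def enc(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def send(req: dict) -> dict:
    # Live network call; only used when running against a real identity pool
    http_req = urllib.request.Request(req["url"], data=req["body"].encode(),
                                      headers=req["headers"], method="POST")
    with urllib.request.urlopen(http_req) as resp:
        return json.loads(resp.read())
```

Run `send(get_id_request(...))` first and feed the returned IdentityId into `get_credentials_request` to obtain the temporary credentials that carry the mapped principal tags.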

  • @lute248
    @lute248 2 years ago

    I'm using an AWS Academy account (formerly AWS Educate) and currently I'm not permitted to create any IAM role (I'm prompted with an error message saying I'm not authorized). What is the alternative solution if I want to set up fine-grained access control permissions involving uploading files to an S3 bucket, invoking Lambda functions to execute my app's business logic and accessing the database for data storage and retrieval without the use of IAM roles?

  • @user-nt9sw8fw7d
    @user-nt9sw8fw7d 1 year ago

    What are the exact URLs for the Cognito Identity regional endpoint used to fetch credentials?

    • @awssupport
      @awssupport 1 year ago

      Hi, Vaibhav. 👋 The technical nature of your query is slightly outside our support scope on this platform. Check out our available resources to get some assistance with this: go.aws/get-help. 🤓 ^RW

  • @abhaymendiratta9187
    @abhaymendiratta9187 3 years ago

    The POST request gives an unknown operation exception.

  • @naseerahmedkhan4474
    @naseerahmedkhan4474 3 years ago

    you are a god

  • @antorixico
    @antorixico 3 years ago +1

    Please, can you add subtitles? The autogenerated ones don't help much and it is hard to get your accent.