Fine-grained Access Control with Amazon Cognito Identity Pools

แชร์
ฝัง
  • เผยแพร่เมื่อ 22 พ.ย. 2024

ความคิดเห็น • 52

  • @vibinaravindakshan719
    @vibinaravindakshan719 2 ปีที่แล้ว +3

    Mahmoud, hands down the best explanation and demo on fine grained RBAC for S3 using Cognito. I was using a rather dumb way of assigning a separate bucket to a user, for my use case. Access based on tags makes this ridiculously easy to use. Thanks so much for this content! You are frigging awesome!

  • @prannoyroy5312
    @prannoyroy5312 2 ปีที่แล้ว +6

    Crystal clear , well articulated and To the point! Wish this guy did more such educational videos for confusing AWS services.

    • @IsanHawke
      @IsanHawke 10 หลายเดือนก่อน

      Agreed. 100%

  • @alvaromartin6301
    @alvaromartin6301 2 ปีที่แล้ว +1

    Really thank you for this video. Is far better to understaning Cognito like this rather than read documentation. Well done!

  • @saltukkezer5100
    @saltukkezer5100 2 ปีที่แล้ว +4

    This is such a practical example of the more or less theoretical explanations in the cognito docs! I'm happy to have found this, because this connects perfectly with the docs! Thanks for creating!

  • @aayushpurswani9630
    @aayushpurswani9630 ปีที่แล้ว

    Such a good explanation, solved in minutes what I was trying to solve for hours. Thank you.

  • @khoavo5758
    @khoavo5758 ปีที่แล้ว

    I like how the length of this video is exactly 20:20!

  • @jmrah
    @jmrah 3 ปีที่แล้ว +6

    Top-notch explanation. Wish I could upvote it more than once! Thank you very much for putting this video together.

  • @rodoherty1
    @rodoherty1 2 ปีที่แล้ว

    Excellent tutorial! I have struggled to understand Identity Pools and this video definitely helps.

  • @RachetKhanal
    @RachetKhanal ปีที่แล้ว

    Thank you very very much for this superb tutorial

  • @krknpl10
    @krknpl10 3 ปีที่แล้ว +1

    Thank you for the wonderful tutorial. Got it working most, however, when i do custom mapping with principle key that has multi-value attributes e.g. ["value1", "value2"], it throws error saying "Invalid identity pool configuration. Check assigned IAM roles for this pool." even though works with single value attribute mapping conditional permission as expected. Here is condition:
    "Condition": {
    "ForAnyValue:StringEqualsIgnoreCase": {
    "s3:ExistingObjectTag/groups": "${aws:PrincipalTag/groups}"
    }
    }

  • @Viet100
    @Viet100 2 ปีที่แล้ว

    I cannot get the IdentityID. Any special setup on Headers tab at Postman?

  • @flashliqu
    @flashliqu ปีที่แล้ว +1

    How do you config the postman to get the token?

  • @asifkalam9190
    @asifkalam9190 3 ปีที่แล้ว +2

    What url are you using in POST request for getId

  • @yustiono
    @yustiono 3 ปีที่แล้ว

    This is very awesome. Welldone, Mahmoud and AWS!

  • @PriyankRupareliya
    @PriyankRupareliya 9 หลายเดือนก่อน

    This is treasure. Thank you !

  • @sukuranbo
    @sukuranbo 2 ปีที่แล้ว

    Thank you for this tutorial. Really practical for my use cases. May I ask, in your Id Token, you hard department and clearance as the key names. I assume that's from the User pool custom attributes? I tried doing this my Id token was able to include this. However, the keys included "custom:" in the name, like "custom:department":"Sales". How did you manage to just get "department":"legal"? Was this done via the pre-token lambda or something else??? Thanks in advance.

  • @TheBalancedAmerican
    @TheBalancedAmerican 3 ปีที่แล้ว

    Great Video! Question: Is it possible to define PrincipalTag mapping in a Cloudformation or SAM template?

  • @manishpal2703
    @manishpal2703 3 ปีที่แล้ว +2

    Here he is getting department, & clearance in token . As far as I know, it is not in-built attributes and if it custom, then it should be custom:department & custom:clearance in JWT token.

  • @ofabio1
    @ofabio1 2 ปีที่แล้ว

    Thanks for sharing with us!

  • @sethbrokalis9824
    @sethbrokalis9824 2 ปีที่แล้ว

    Are there any security concerns with this of users modifying the request so that their department/confidentiality level is different?

  • @thantzintun8477
    @thantzintun8477 2 ปีที่แล้ว

    whats replaced at variable {{cognito-identity-regional-endpoint}} in your postman request?

  • @kufena
    @kufena 3 ปีที่แล้ว +4

    I'd like to know how to add these mappings of principle tags to my cloudformation/SAM template? I declare the schema for the user pool, a user pool client, and the use these in as the provider for the identity pool. But I can't see a way of declaring these tags, so that I can use them in my identity role. Any suggestions?

    • @sloopyfari
      @sloopyfari 3 ปีที่แล้ว

      Any update on this? Is it possible to define those tags using cloudformation?

    • @kufena
      @kufena 3 ปีที่แล้ว

      @@sloopyfari Nope - can't see that there's any way to do this as yet. There's an AWS::Cognito::UserPoolIdentityProvider thing, which has some kind of attribute mapping, but I don't think it has anything to do with these tags, and seems to be for federated providers like facebook or google.

  • @antorixico
    @antorixico 3 ปีที่แล้ว +2

    Rules or roles?, I'm a little confused

  • @vaibhavtripathi-m7m
    @vaibhavtripathi-m7m ปีที่แล้ว

    what is the exact URLs for Cognito Identity regional endpoint, used to fetch credentials??

    • @awssupport
      @awssupport ปีที่แล้ว

      Hi, Vaibhav. 👋 The technical nature of your query is slightly outside our support scope on this platform. Check out our available resources to get some assistance with this: go.aws/get-help. 🤓 ^RW

  • @lute248
    @lute248 2 ปีที่แล้ว

    I'm using AWS academy account (formerly AWS educate) and currently i'm not permitted to create any IAM role (i'm prompt an error message sayng i'm not authorized). What the alternative solution if i want to set up fine-grained access
    control permissions involving uploading files to an S3 bucket, invoking Lambda functions to execute my app's business logic and accessing the database for data storage and retrieval without the use of IAM roles?

  • @chayanontpotawananont9317
    @chayanontpotawananont9317 3 ปีที่แล้ว +5

    where can i find cognito-identity-regional-endpoint ?

    • @alecsaunders8799
      @alecsaunders8799 3 ปีที่แล้ว

      This doc shows all of the endpoints for each region (docs.aws.amazon.com/general/latest/gr/cognito_identity.html). It's still not working for me though. Does anyone know if I need to add a path to the end (i.e. endpoint/getid or something)?

    • @naveenkhanna4564
      @naveenkhanna4564 3 ปีที่แล้ว

      @@alecsaunders8799/ Any luck on this ?

    • @badam1111
      @badam1111 3 ปีที่แล้ว +3

      It’s a bit confusing, but the regional endpoints can be found here - docs.aws.amazon.com/general/latest/gr/cognito_identity.html, however you still need to properly configure your request to get a 200 response, which includes setting the custom headers for AWS shown in this example: docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html#API_GetId_Examples (X-AMZ-TARGET: com.amazonaws.cognito.identity.model.AWSCognitoIdentityService.GetId)

    • @s80275
      @s80275 2 ปีที่แล้ว +1

      @@badam1111 This step took me a half-day!!!

    • @dishothamsuvarna2714
      @dishothamsuvarna2714 ปีที่แล้ว

      @@badam1111 Can you share what all needs to be added in the Headers section in Postman for this to work?

  • @MrRokkit
    @MrRokkit 2 ปีที่แล้ว

    15:10 Why does Cognito force you to pass the *id_token* (rather than the access_token)?
    For whatever reason (if anybody knows please share) the access_token doesn't contain an *aud* claim, so can't be used to authenticate.

  • @mauriceolum1540
    @mauriceolum1540 3 ปีที่แล้ว +2

    Awesome!

  • @ganesh221b
    @ganesh221b 3 ปีที่แล้ว

    This was useful, awesome video! Thank you :)

  • @abhaymendiratta9187
    @abhaymendiratta9187 3 ปีที่แล้ว

    post request give unkown operation exception

  • @naseerahmedkhan4474
    @naseerahmedkhan4474 3 ปีที่แล้ว

    you are a god

  • @nathansiva-wt5rb
    @nathansiva-wt5rb 3 ปีที่แล้ว +5

    Thank you but I have difficulty differentiating your accent wrt "role" and "rule". They sound the same....

    • @vibinaravindakshan719
      @vibinaravindakshan719 2 ปีที่แล้ว

      Wow! the presenter has done a fantastic job explaining complex access control, and instead of applying your mind to understand, you criticize his "accent".

    • @HussainMohammedAshruf
      @HussainMohammedAshruf 2 ปีที่แล้ว

      Rule means upon a condition assign/assume a Role. Role refers to predefined/create an IAM Role.

  • @antorixico
    @antorixico 3 ปีที่แล้ว +1

    Please, can you add subtitles? The autogenerated ones don't help much and is hard to get your accent