AWS Cognito角色:区分联合身份池角色和用户池组角色


我有一个应用程序,我希望两种类型的用户属于同一用户池.他们都使用相同的AWS Cognito联合身份池进行身份验证.第一种类型的用户Manager应当能够查看其组中的所有其他用户并更改其属性.第二种类型,雇员,应该只能看到/更改自己的属性,更改自己的密码,忘记自己的密码等.我想这种特殊情况需要一些策略魔术"来创建2个角色,每个角色具有不同的级别权限.我认为每个角色将被分配到一个不同的组,而Manager组将获得更多的权限.但是我对联合身份池和用户池组中角色分配的冗余感到困惑.

I have an application wherein I want 2 types of users to belong to the same User Pool. They all authenticate using the same AWS Cognito Federated Identity Pool. The first type of user, Manager, should be able to see all of the other users in their group and change their attributes. The second type, Employee, should only be able to see/change their own attributes, change their own password, forget their own password, etc. I imagine this specific case requires some policy "magic" to create 2 roles, each with different levels of permissions. I figure that each role would be assigned to a different group, with the Manager group getting more power/permissions. But I am confused by the redundancy of role assignments in both Federated Identity Pools and User Pool Groups.

  • AWS Cognito联合身份池具有3个角色说明符:未经身份验证的角色",经过身份验证的角色",对于身份验证提供程序,则为经过身份验证的角色(选择)".
  • AWS Cognito 用户池组允许您指定 IAM 角色.


What is the relationship between Identity Pools and Groups in terms of permissions?


If you are using groups and attaching roles to them you can then choose to use the role that is provided in the token. By default the authenticated role (or unauthenticated role if you have it activated) is used whenever you log in. You can change this behavior by opening your federated identity pool and changing this setting under cognito user pool (which i assume is your identity provider).


Select "choose role from token" to use the role that you have attached to the group that the user belongs to.