如何在Cognito中使用自定义权限
我正在寻找有关如何在AWS Cognito中存储自定义权限的建议.
I am looking for advice on how to store custom permissions in AWS Cognito.
如果我们将用户存储在Cognito中并设置例如2个组(角色):
If we store users in Cognito and setup for example 2 groups(roles):
-
admin -
只读
并想为组/角色分配一些权限:
And would like to assign some permissions to the group/role:
-
users/create -
用户/删除 -
用户/读取
因此这些在令牌中可用.
So these are available in the token.
是否可以使用Cognito进行这样的细粒度授权,还是应该以其他方式实现?例如,在我们查询以获取用户权限的数据库中,而无需使用Cognito?
Is it possible to do fine grained authorization like this with Cognito or should this be implemented in another way - for example in a database where we query to get the users permissions without using Cognito for this?
有什么帮助吗?
使用Cognito当然可以.您可以按照提到的方式创建2个组,即admin和只读.每个组都有一个与之关联的单独角色,您可以向其分配必要的策略.之后,创建一个cognito身份池并将您的用户池链接到该池.在认证提供者下,确保选择从令牌中选择角色".对于角色解析,您可以选择为其赋予默认角色或仅授予DENY访问权限.
It is certainly possible with Cognito. You can create the 2 groups as you mentioned, admin and read-only. Each group has a separate role associated with them to which you can assign the necessary policies. After this create a cognito identity pool and link your user pool to it. Under Authentication providers make sure to select "Choose Role from Token". For Role resoltion you can choose to either give it a default role or just DENY access.