Should you use AWS IAM roles and permission for application users? - node.js

I'm working on a nodejs application on AWS for the first time and am still learning all the services. I'm working on my application's authentication and authorization and am at the point to create my user roles and groups. Is the AWS IAM service meant for both AWS management and for your application's user authorization or should I use one of nodejs's ACL modules and manage my roles and users outside of AWS IAM service?

Should you use AWS IAM roles and permission for application users?
No, you should not. AWS IAM roles and permission control AWS user/instance access to AWS services only via EC2 user profiles and instances. They are not intended to be used for specifying user authentication or roles in a proprietary application.
Should I use one of nodejs's ACL modules and manage my roles and users outside of AWS IAM service?
Yes, correct. Use native methods/libraries for managing application specific user authentication and roles in your app.

With the rise of API gateway and lambda, I'm wondering if this advice still holds true.
I have a very simple API in node, which is pretty much just ACL around storing a blob of JSON in mongo.
If I could model my permissions in IAM and use a lambda function for handling the mongo write/read, it would seem sensible to use IAM for my application user creds.
Possibly this is what Cognito was released to support? (although I haven't looked into this much)

AWS IAM users are used to share your Amazon services with someone (your team for example) without having to disclose your personal password.
One of the key advantages is being able to give admin access to any staff member without allowing it to access your credit card data.
If you need to create a simple authentication module for your application or website (a common case of system with username and password) then you can try using something like PassportJS.

Related

What should I do to retrieve specific role of user in my project from GCP IAM

I'm creating Node.js server that uses Google Oauth2 for authenticating users. I have my project in my organization created in Google Cloud Platform. And I've setup Oauth2, so only users of my organization can be authorized to use the service.
All users will be described as IAM members of the project, and so everyone will have a specific role and permissions granted for their role. Users now can be authenticated and authorized in my app with Oauth2 (only users of my organization). The problem is I have no clue how to retrieve their roles in my project from IAM. At first I used to think I only need to pass specific scopes in authorization methods (I am using Passport.js and GoogleStrategy). But then I realized that it can only be done after the user has been authorized, with the next API request (is that even right?).
I've read the IAM API documentation many times but only ended up with methods that allow me to retrieve arrays of presets of roles or policies or testable permissions or something created and used in my project. But I can't see any method allowing me to ask a service to retrieve a specific role and permissions for a user (by email or google id) and send it back to me, so my Node server gets to know what this user is allowed to do. Maybe I need to dig somewhere else..
You can use CloudResourceManager service to retrieve a project's IAM policy. This will include project-specific (not inherited) role bindings: accounts (including user's) and their IAM roles:
https://cloud.google.com/resource-manager/reference/rest/v3/projects/getIamPolicy
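Added example (not part of the original answer): once the project's policy has been fetched with getIamPolicy, the server still has to pick one user's roles out of the bindings. The policy object is constructed sample data and `rolesForUser` is a hypothetical helper name; group membership and inherited bindings are not resolved here.

```javascript
// Constructed sample of a getIamPolicy response body (not from a real project).
const samplePolicy = {
  version: 3,
  bindings: [
    { role: "roles/viewer",
      members: ["user:alice@example.com", "group:devs@example.com"] },
    { role: "roles/storage.objectAdmin",
      members: ["user:alice@example.com"],
      condition: { title: "office-hours", expression: "request.time.getHours() < 18" } },
    { role: "roles/editor",
      members: ["serviceAccount:ci@example-project.iam.gserviceaccount.com"] },
  ],
  etag: "constructed",
};

// Returns the roles bound to one user, split by how far they can be trusted.
function rolesForUser(policy, email) {
  const member = `user:${email}`;
  const result = { direct: [], conditional: [], unresolvedGroups: [] };
  for (const binding of policy.bindings || []) {
    const members = binding.members || [];
    if (members.includes(member)) {
      // A binding with a condition applies only when its expression holds,
      // so it is reported separately instead of as an unconditional grant.
      (binding.condition ? result.conditional : result.direct).push(binding.role);
    }
    // A group binding may also cover this user, but group membership is not
    // part of the policy; it needs a separate directory lookup.
    for (const m of members) {
      if (m.startsWith("group:") && !result.unresolvedGroups.includes(m)) {
        result.unresolvedGroups.push(m);
      }
    }
  }
  return result;
}
```

Treat an empty `direct` list as "no access" in the application, and do not grant anything from `unresolvedGroups` until membership has been confirmed.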

Can I use fine-grained access control in Amazon Elastic Search leveraging an external Access management system?

I am working on a search service.
My Spring Boot search service stands between my internal userbase and my Amazon Elastic Search cluster.
I want to enable fine-grained access control, however I can't rely on AWS IAM as we have an in-house service to manage Authentication and authorization.
Is there any way I can enable fine-grained access control for search without mapping all the users from my system to either IAM, Cognito or Kibana internal database?
The way we addressed this challenge is:
1. Create roles and assign permissions to roles. This is not as cumbersome as adding user by user and it can be easily achieved as in general there should be just a bunch of roles to be used and re-used. Relevant documentation can be found here.
2. For each role create one user and map it to that role. Here you can find how to do it.
3. Create service users to be used by applications.
4. Use service users to impersonate the user (as per step 2) associated to the role we need. User impersonation docs can be found here.
5. Let the calling application authenticate with the in-house service and then impersonate the relevant role.
Even if not particularly elegant, this solution works and it's secure.

How to secure an endpoint that is accessed by unauthenticated users in a serverless application

We have an endpoint that needs to be queried for the pool Id for a given tenant before the user's login request can be sent. What is the best way to "secure" such an endpoint that is open for access by unauthenticated users?
We are using API gateway and lambda functions and serverless framework.
AWS Cognito Identity Pools have an option that may work for you. First, I'll quickly cover the different Cognito services, since it's something that confused me when I was first trying to understand Cognito.
At the risk of oversimplifying, AWS Cognito exists to answer two questions:
Who are you? (authentication)
What can you do? (authorization)
Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).
You can think of Cognito User Pools as your application's user directory. At a high level, User Pools let you handle user registration, authentication, account recovery, and supports authentication with third-party identity providers like Facebook, Google, etc.
Cognito Identity Pools provides a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool.
Here's a handy illustration to describe what I've outlined above.
Cognito lets you support unauthenticated users in your Identity Pool (instructions here).
So, how does this apply to your question?
You can use Cognito to enable IAM authorization across your entire API, which allows you to leverage the power of IAM to control access to your API. When you enable unauthenticated user access in Cognito, guest visitors to your site will be assigned to the unauthenticated IAM user role. Users that log in to your site will be assigned to the authenticated IAM user role. You can attach IAM policies to these roles that define what each role has access to.
For example, you might want to restrict unauthenticated users to certain API endpoints. On the other hand, authenticated users might get access to invoke all API endpoints in your application.
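Added example (not part of the original answer): what the two role policies could look like for API Gateway IAM authorization, with a simplified evaluator to check which calls each role may make. The region, account id, API id, stage and the `/tenants/{id}/pool` path are placeholders, and `canInvoke` is an illustration of Allow/Deny matching, not the real IAM engine.

```javascript
// Placeholder API Gateway ARN prefix: region, account, API id and stage are constructed.
const API = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod";

// Policy for the unauthenticated (guest) role: only the pool lookup, only GET.
const unauthRolePolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: "execute-api:Invoke",
    Resource: `${API}/GET/tenants/*/pool`,
  }],
};

// Policy for the authenticated role: every method and path of this API stage.
const authRolePolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "execute-api:Invoke", Resource: `${API}/*` }],
};

// IAM-style wildcards: '*' matches any run of characters (including '/'),
// '?' matches exactly one character.
function wildcardMatch(pattern, value) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`).test(value);
}

// Simplified evaluation: an explicit Deny wins, then any matching Allow,
// otherwise the request is implicitly denied.
function canInvoke(policy, method, path) {
  const arn = `${API}/${method}${path}`;
  let allowed = false;
  for (const s of policy.Statement) {
    const hit =
      [].concat(s.Action).some((a) => wildcardMatch(a, "execute-api:Invoke")) &&
      [].concat(s.Resource).some((r) => wildcardMatch(r, arn));
    if (hit && s.Effect === "Deny") return false;
    if (hit && s.Effect === "Allow") allowed = true;
  }
  return allowed;
}
```

Because `*` also spans `/`, the guest pattern matches deeper paths that end in `/pool`, so keep the lookup route unambiguous or list exact resources.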

Using roles to manage user's AWS account

I want to set up a web service which will manage few resources on a user's behalf (on his own AWS account).
So basically, after a user logs in, he will provide my service with proper permission to access his account. I've noticed similar services (https://www.dashbird.io/), which instruct you on how to create a proper role, but I'm not sure on how to actually use the role. How to login on his behalf (there is no token nor password).
I'm using node.js, but other examples will help as well.
Thanks.
Your application will need valid credentials to access resources in your customer's AWS Account. These credentials can be provided in various ways, but they would most probably be either:
Credentials for an IAM User in your customer's account, or
An IAM Role in your customer's account, which they have configured to allow you to assume
IAM User
This is the simplest method. Your customer would create an IAM User and provide it with appropriate permissions. They would then supply your application with the Access Key and Secret Key associated with the User.
Your application would use those credentials when establishing a session with AWS services.
IAM Role
Your customer would create an IAM Role and provide it with appropriate permissions. Unlike an IAM User, an IAM Role does not have credentials. Rather, an AWS User assumes a Role. They are then provided with temporary credentials that can be used to use AWS services in that account.
Think of it like a Fire Warden -- if there is a fire in an office building, somebody temporarily assumes the role of Fire Warden, telling people what to do. When there's a fire, they have authority because they assumed the role. But when there's no fire, they have no authority to tell you what to do.
The customer would need to configure the Role to trust your Account, or a User in your account. They will then give you the ARN (Amazon Resource Name) of the Role. Your application then uses an IAM User in your own Account to call AssumeRole(). If that IAM User (or your whole account) is trusted, then you will receive back credentials for accessing your customer's account.
See:
Creating a Role to Delegate Permissions to an IAM User
AssumeRole
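Added example (not part of the original answer): the IAM Role option in Node.js, showing the trust policy the customer attaches to the role and the AssumeRole request the service sends. It goes one step beyond the answer by requiring an `sts:ExternalId` condition; the account ids, the `customer` record fields and the function names are assumptions, and the `sts` client is injected.

```javascript
// Trust policy the customer attaches to the role in THEIR account (constructed
// values). It trusts the service's account and additionally requires the
// per-customer ExternalId, so a known role ARN alone is not enough.
function buildTrustPolicy(serviceAccountId, externalId) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: `arn:aws:iam::${serviceAccountId}:root` },
      Action: "sts:AssumeRole",
      Condition: { StringEquals: { "sts:ExternalId": externalId } },
    }],
  };
}

// Standard "aws" partition only (assumption of this example).
const ROLE_ARN = /^arn:aws:iam::(\d{12}):role\/[\w+=,.@\/-]+$/;

// Validate the customer-supplied ARN and build the AssumeRole request.
function buildAssumeRoleParams(customer) {
  const m = ROLE_ARN.exec(customer.roleArn);
  if (!m) throw new Error("not an IAM role ARN");
  // The role must live in the account this customer registered with.
  if (m[1] !== customer.accountId) throw new Error("role is in a different account");
  return {
    RoleArn: customer.roleArn,
    RoleSessionName: `svc-${customer.id}`, // shows up in the customer's CloudTrail
    ExternalId: customer.externalId,
    DurationSeconds: 900, // shortest lifetime STS allows
  };
}

// `sts` is any object with assumeRole(params) returning a promise, for example
// `new STS({})` from @aws-sdk/client-sts running under the service's own identity.
async function credentialsForCustomer(sts, customer) {
  const { Credentials: c } = await sts.assumeRole(buildAssumeRoleParams(customer));
  // Temporary credentials in the shape AWS SDK v3 clients accept.
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    expiration: c.Expiration,
  };
}
```

Store the ExternalId per customer on the service side and never accept it from the request that triggers the call.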

How do I secure my mobile app using Cognito Sync so that it cannot be reverse engineered and used in rogue apps

I am developing a mobile app game with Unity and I am currently implementing the AWS NET SDK, for Cognito Sync, to allow players to keep their save data online in case they reinstall the app or switch phones.
I have a concern with the security for Cognito Sync, as it seems it only requires that I give it an identity pool id for it to automatically connect to the Cognito Sync service; while I am using the guide in the documentation as a reference.
This worries me as I could imagine that it would be easy to reverse-engineer the identity pool id in order to then use it in a rogue app without having to pay for hosting, while receiving potentially huge bills for me.
Does AWS Cognito have any built in mechanism to prevent this? If not, how would I go about preventing it myself?
Thank you.
I would like to clarify one thing before starting my actual answer. Cognito Sync APIs are authenticated APIs and can only be called with valid developer AWS credentials or temporary AWS credentials from the Cognito Federated Identity service.
Your identity pool id is used with the Cognito Federated Identity service to get temporary credentials. These temporary credentials are vended based on the type of identity you generate. Authenticated identities are the identities which first use one of the supported authentication providers and then get the credentials. Unauthenticated or guest identities directly communicate with the service to get temporary credentials. The privileges associated with these credentials are derived from the corresponding role that developers configure for an identity pool.
The recommended approach to build secure applications is to make sure that you use the authenticated identities in your app. Unauthenticated roles should only be used for granting read only access if required.
I hope this makes sense. You can read more about these concepts in our dev guide.
