I want to modify aws-auth.yaml and add one Kubernetes user under mapRole section. I wonder if I can attach multiple EKS user to the same IAM role for authentication. Will that work ?
Related
I configured LDAP authentication to argoCD. But all users in RBAC have read access by default. I assigned admin access to particular group. But not able to assign individual roles to particular users in LDAP. Please suggest
I have Cognito user pool and deferent App clients for different usage is there a way I can restrict App client so it can support login but not sign up functionality?
Aws Cognito- Only allow admins to create users
During setup you can change the setting or update the existing setting so that only admins can create users
I want to restrict access to an AWS S3 bucket so that new objects can only be created by users who have authenticated through a specific Cognito User Pool. Looking through the AWS documentation I can't work out how to specify the user pool as a principal in the policy. Can anyone help me with this?
If this isn't possible then I'd appreciate some pointers/guidance which might help me achieve the desired result using some other technique. Thanks.
I think a User Pool will not allow you to do this, seen as you only get an access token for an authenticated entity. You'll probably need to create an identity pool, which allows users in your user pool to retrieve temporary IAM credentials. In the identity pool, you can also configure the role these logged in users get with their temporary credentials. You can use these roles to restrict access to the S3 bucket to only those authenticated users.
In the example below, you can see the settings of an identity pool configured with a Cognito user pool as authentication provider. It will either use the default roles configured on top (big red rectangle) or you can choose a custom role for the Cognito authentication provider (small rectangle). All roles can be managed using IAM.
We've implemented AWS SSO authentication with ActiveDirectory, corporate wise, for all our users. We use multiple AWS sub-accounts, so that ActiveDirectory users can connect to different AWS sub-accounts with their AD credentials, according to the AD group association with AWS policies.
This all works pretty well, however, it is not clear to me, how to implement following authorization properly. Some of our accounts have S3 buckets which should be available for all the users authenticated by the SSO, without regards of the user access rights.
What is the right way to organize that?
I am looking into using AWS-Cognito as a means to manage and authenticate users. I do not want to use aws api-gateway or any of their other services really. It seems though you can only create roles or policies if they are related to some other aws service. I'd like to have these custom roles or policies on the user's id token returned from Cognito. Is it possible to create these custom roles or policies or am I restricted to only roles and policies related to amazon services? I have found tried the Create your own policy, but it throws an error if it doesn't match a specific action or resource known to aws services. Thanks.
You can use Cognito User Pools to authenticate your users. Then you can call STS to issue temporary credentials based upon your own rules (policies). Look into examples using assumeRole().
If you want an integrated / managed service then use Cognito Federated Identities for authorization and Cognito Users Pools or Google, etc. for authentication.
Sort of confusing, but think of Cognito User Pools (or Facebook, etc.) as the Identity Provider and Cognito Federated Users as the Permissions broker.