I have Cognito user pool in a region(say us-east-1) and Pinpoint in a different region(say us-east-2). When tried to add Pinpoint to the cognito pool in console(go to cognito->manage user pool->click analytics in the left pane), there was no option being displayed for pinpoint since it is in different region. Is there any way that I can connect these two(Cannot implement sign-in sign-up in front end as we are already using AWS login/sign-up). It would be helpful if you could suggest a way I can do this. Thanks
At the time (August 30th 2020) of writing this answer, Amazon Pinpoint service is not yet supported in Ohio us-east-2
This explains why you won't be able to see any pinpoint project in the dropdown menu of Cognito userpool console (General settings-> Analytics in the left pane)
Looking at the Amazon Pinpoint documentation it states:
In regions where Pinpoint is not available, Cognito UserPools only supports sending events to Amazon Pinpoint projects in us-east-1. In regions where Pinpoint is available, Cognito User Pools will support sending events to Amazon Pinpoint projects within that same region.
This means that: For example if you have a Cognito UserPool in eu-west-1 then you can use a Pinpoint project in eu-west-1 (a region where Pinpoint is not supported) however if your Cognito UserPool is in us-east-2 (a region where Pinpoint is not supported) then you'll need to use a Pinpoint project in us-east-1 in-order to capture events.
Sample illustration below:
Related
I have a small question regarding Cognito authentication and S3. I tried to connect external S3 and Cognito instances to Amplify (Not managed by Amplify, I created manually). In the system, we can upload files to the S3 bucket and view them. I use Amplify JS's Storage class to do all this. The thing that got me confused is that when I give S3 permissions to the Cognito Auth_Role, my users cannot upload or view any files even-though they are logged into the system. When I give permission to the Unauth_Role, it works. Any idea why?
I have an app that uses the AWS SDK iOS 2.9.10 to login an AWS IAM user to his/hers AWS S3 account. I would like to be able to assess whether the user has read/write access to various S3 buckets under the account. Basically, I would like to programmatically do this:
aws iam list-user-policies --user-name IAM_User_Name
aws iam get-user-policy --user-name IAM_User_Name --policy-name IAM_Policy_Name
Using these outputs to know which S3 bucket to which IAM user has access, I could then check the Action field in the IAM policy if it allows permission like "s3:GetObject" or "s3:" and resource field contains the value as "arn:aws:s3:::examplebucket/" or "*". If both applicable then IAM user has permission to the S3 "examplebucket".
However, I am unable to figure out if this kind of IAM access is possible programmatically using AWS SDK iOS (Swift or Objective-C) so any help would be very useful.
I think this feature is not provided by the AWS SDK iOS since there is an open issue on GitHub which was closed unanswered. [1]
Instead, you can query the service directly using the service's so called IAM Query API [2].
AWS states that:
AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to IAM and AWS. For example, the SDKs take care of tasks such as cryptographically signing requests (see below), managing errors, and retrying requests automatically. For information about the AWS SDKs, including how to download and install them, see the Tools for Amazon Web Services page.
Unfortunately the iOS SDK is not officially supported by the IAM service. That is why the IAM service endpoints are not included in the iOS SDK. You could try to open another feature request on GitHub though...
If you decide to implement the HTTP client and proper request signing manually, you can use the IAM commands which you mentioned above (in AWS terms called "Actions"), e.g. the ListUserPolicies action [3].
Suggestion for Improvement
I could then check the Action field in the IAM policy if it allows permission like "s3:GetObject" or "s3:" and resource field contains the value as "arn:aws:s3:::examplebucket/" or "*". If both applicable then IAM user has permission to the S3 "examplebucket".
If you want an approach which is more robust, I would suggest to use the IAM Policy Simulator API. [4]
References
[1] https://github.com/aws-amplify/aws-sdk-ios/issues/496
[2] https://docs.aws.amazon.com/IAM/latest/APIReference/Welcome.html
[3] https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html
[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api
I've followed the instruction for uploading file to S3 in US region and succeed, with AWS SDK in Unity.
Now, I want to do the same to HK (ap-east-1), but I found that there's no Cognito available in HK region yet. Using the Cognite from US region seems give me an access deny.
Is there a workaround? I think I can create a IAM user but the Unity SDK only take Cognite pool ID...
I have my app published on PlayStore. I am getting this warning on my Play Console that my AWS Credentials have been exposed and i won't be able upload new apk after 12 November 2018 if the problem persists. I use the credentials for uploading images to Amazon S3. The credentials are hard coded right now.
So i need to know what should be the way to rectify this.
Thanks in advance.
Amazon have a whole blog post on dealing with this problem, and a page on best practices.
Essentially you need to revert the old credentials, and use Amazon Cognito to control access.
An updated link on cognito lives here
I'm trying to implement AWS-Amplify in a React Native app so that events can be sent to Pinpoint for analytics. A user doesn't need to be signed in to use the app, so they would be unauthenticated with Cognito.
I am noticing that the identity of the unauthenticated user doesn't seem to persist, so when I close or uninstall the app, a new identity id is generated when I launch the app. The docs suggest that this should be cached, but it seems the cache is clearing out when using AWS Amplify.
Is there a way to set or reuse an identity id for a returning unauthenticated user on AWS-Amplify or Cognito so new identity ids don't get assigned ?
I looked through amazon-cognito-identity-js to see if there was a way to do this with an unauthenticated user and wasn't able to find what I am describing: see here.
I'm new to AWS Amplify/Cognito/Pinpoint in general, so any thoughts or suggestions to do something similar would be greatly appreciated!
This is a known issue in the AWS Amplify and should have been fixed in the latest version.