How can I disable the User from Amazon Cognito User Pool using API ?
I tried to check the API from Amazon and couldn't find one.
Thanks.
There is a specific command for disabling user, please see API reference - API_AdminDisableUser
It looks like it is supported here, https://docs.amplify.aws/cli/auth/admin#admin-queries-api
Related
Can I control access to specific resources in my web application with amazon Cognito?
I would like when performing a Rest authentication to return the specific permissions of which resource of my web application the user can use as: createClient, updateClient, deleteClient, createUser, updateUser, deleteUser.
Can anyone help me with this question?
Yes you can do. You can use role based access control or AWS Lambda Authorizer for this
https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html
https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/control-access-to-web-applications-and-mobile-apps.html
https://aws.amazon.com/blogs/compute/evaluating-access-control-methods-to-secure-amazon-api-gateway-apis/
I am pretty sure I saw somewhere in AWS console which can help me increase the session expiration time of logged in user but I cannot find it ... screenshot or guide appreciated
Token expiration is configured for each App client. Go to your user pool -> App Clients -> Choose a specific app client. Like this:
if this is what you need.
I'm using AWS amplify to create an app, where users can upload images using either private or public file access levels, as described in the documentation. Besides this, I've implemented a lambda function which upon request through API gateway modifies an image and returns a link to the modified image.
What I want is that a given user should be able to call the API and modify only his own images, but not that of other users; i.e. allow the AWS lambda function to use the execution role from the cognito user. If I allow the lambda function to access all data in the S3 bucket then it works fine - but I don't want users to be able to access other users images.
I've been at it for a while now, trying different things to no avail.
Now I've integrated the API with the user pool as described here:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
And then I've tried to follow this guide:
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
Which does not work since the "cognito:roles" is not present in the event variable of the lambda_handler (presumably because there are not user pool groups?).
What would the right way be to go about this in an AWS Amplify app?
Primarily, I've followed this guide:
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
Use API Gateway request mapping and check permissions in Lambda itself:
Use API Gateway request mapping to pass context.identity.cognitoIdentityId to Lambda. Just it should be a Lambda integration with mapping (not a Proxy integration). Another limitation is that API request should be POST, for GET it's also possible if you map cognitoIdentityId to query string.
Lambda has access to all files in S3
Implement access control check in Lambda itself. Lambda can read all permissions of the file in S3. And then see if owner is Cognito user.
I try to use AWS lambda. I don't want to use any authentication - it is a simple test function. I receive
{
"message": "Missing Authentication Token"
}
Is it possible to use AWS API without Authentication Token?
Thanks in advance.
Yes, it's possible. You can configure if you want to use Authorization, Request Validator or API key for each resource you created.
Also make sure you invoke the right URL and path of your API, because I had the same issue when I tried to trigger an undeclared path.
Yes, you can create it without Authentication. It means it will default execution role. I have a video blog on the same, which creates and run API without any authentication token. Please see the same below,
https://youtu.be/0HwO14p9cjk
Always remember to deploy API after any change :)
I'm trying to add programmatically a "working" AWS account via API.
Actually I'm performing this operations:
Authentication
CreateUser (login)
CreateLoginProfile (password)
When I go on "AWS" console I get an error an if I look to the Accounts linked to the Organization I can't find my new account.
But if I go on https://console.aws.amazon.com/iam/home#/home the user is there.
Do I'm missing something? Is there any difference between USER and ACCOUNT?
Of course USER and ACCOUNT are different. An account contains users and other resources (S3 bucket, EC2 instance).
If you want to create new AWS account, you need to use Organizations API.
See:
create-account in the AWS CLI
CreateAccount documentation