Migrate from one user pool to another user pool? - amazon-cognito

I deployed a user pool in Cognito which now needs additional custom attributes. These can't be added after the fact. Is it possible to now move those users from the old user pool to a new user pool? I saw mention of using a Lambda to do this, but it seems like a fairly common case, and Lambda seems unnecessarily complicated when you just want to export/re-import user data, especially between user pools in the same AWS account.

Related

Super tokens multiple user pools

In AWS Cognito we can use multiple user pools. Is there anything similar in SuperTokens? I could not find anything related to storing users in different collections / pools in the documentation.
SuperTokens doesn't support multiple user pools at the moment (as of 11th June, 2022). However, it is on the roadmap.
In the meantime, you have the following options:
You can spin up one instance of the core, per user pool, connected to its own db. You would also need to spin up one backend server to connect to one instance of the core.
You can simulate a user pool by modifying the primary key identifying the user. For example, let's say you have two user pools (p1 and p2), and you are using email password login, where the email is the primary identifying info of a user. You can override the backend recipe functions to modify the email being sent to supertokens core to include the pool ID. So for example, if a user's email is user1#example.com, then you could change it to user1+p1#example.com if they belong to user pool 1. So this way, even if the user uses the same email in the other app, it would identify them as a different user (their email being user1+p2#example.com in pool 2). Whilst this approach may be slightly more complex to implement, it requires just one core, connected to one db.

Authorisation design using policies/permission using keycloak or in general

I'm quite new to the entire auth design and am still trying to understand how to use keycloak for authentication and authorisation.
Currently, from what I understand, in order to have authorisation enabled for a client you will need to have it set as confidential.
After which I am kind of stuck in terms of how to set which policy for which permission.
I have a few types of resources but am currently placing them all under a single client for simplicity's sake.
For my use case I have workspaces for users. Each workspace can have multiple users with different roles of owner, editor, viewer, and within the workspace there are artifacts. So it is somewhat like designing authorisation for Google Drive.
Would like some advice on how best to design it.
One way I have thought of is using groups, with each workspace as a group, assigning users to each group so that the group policy can be used for permissions.
The other is creating multiple policies and permissions for each artifact/resource and adding users to each policy for each workspace.
Would like any advice on authorisation design or even where to begin reading.
After some research I have come to these conclusions.
Yes, this can be done with Keycloak, though most likely it shouldn't be done in Keycloak itself given its design.
Keycloak itself will most likely be more suitable for authenticating/authorising at the service or infra level. So this use case of letting users access workspaces or artifacts is better done at the application level, with a separate service handling the permissions itself.
That being said, if it really needs to be done in Keycloak, the design I thought of (which is not so scalable) is as follows.
Create a policy per user and each workspace/artifact as a single resource. Depending on how many types of access / how fine-grained the control needs to be for each type of resource, create the scopes for each (e.g. workspace:view, workspace:edit...). Then create a permission for each resource & scope. This allows fine-grained access by basically assigning users to the permission of each resource through the user policy.
But of course this design has its flaws, needing too many policies, permissions and resources, so it is better to have Keycloak handle just the authentication part, with authorisation being just giving users the role to access a service, and having the service check whether the user is authorised for a certain action.

Recreating an existing Cognito User Pool in AWS Amplify

I have a user pool in my Amplify project that has a single custom field configured incorrectly. Because you can't edit or delete the fields, my plan is to recreate the user pool. The app isn't in production yet so having some downtime is ok.
My question is, what is the cleanest way to recreate a user pool within the Amplify CLI? I need it to be identical in every way except for that single custom field. When I attempt to remove the auth category it throws an error because of the admin query API and my lambda functions.
Ideally I wouldn't have to run through the steps of creating it, my current configuration would be used.
Any ideas?
Thanks!

AWS Cognito for Slack Clone

I'm not actually trying to clone Slack, it's just an analogy.
I'm trying to understand how to manage users who have their own account context but can also have a one-to-many context with organizations.
Since I'll have more than 25 organizations user groups don't seem to make sense -- and I'll want users to all be admins in their private context but have assignable roles within the orgs they're members of.
My thought for this was to have a general cognito pool that all users are members of but then federate them into organization's user pools also -- this seems wasteful since I'll be duplicating (or more) all users in different pools, but I'm not sure what other options exist at scale.
This is similar to a Slack context.
Any insights as to how you'd create pool structures to mirror their configuration would be really helpful.

How to safely extend credentials to other contributors to my S3-hosted OS project

I have an open source project with several contributors. The project's home page is hosted on Amazon S3. At the moment, the S3 bucket is on my personal account. Only I have access to it, and I pay the hosting (~$5 a month). There are other personal buckets on my account that contributors should not have access to.
I'd like to allow other contributors to modify the site. I'd also like to enable e.g. TravisCI to deploy to the site, which requires extending some credentials to third parties.
Is it necessary to set up a separate Amazon account entirely, or is IAM sufficient for my needs?
If IAM is the way to go, should there be a single IAM user shared among all contributors, or should I create a separate one for each contributor?
Do I need MFA? If so, how to safely distribute TOTP keys?
Any provisions I should make for succession (i.e. bus factor)?
Anything else I should know?
Thanks for any ideas or experiences here.
Is it necessary to set up a separate Amazon account entirely, or is IAM sufficient for my needs?
You should probably have an account for this project that is separate from any accounts you use for purposes unrelated to this project, for clean separation and in case you want to hand over control. What isn't in the account doesn't need to be protected from users who shouldn't see it.
Cross-account privileges are possible, so if others already have accounts, it's possible for you to authorize their existing credentials without knowing their secrets, but it's more complex.
If IAM is the way to go, should there be a single IAM user shared among all contributors, or should I create a separate one for each contributor?
You should absolutely create one for each contributor. That's kind of a no-brainer. Accountability.
Do I need MFA? If so, how to safely distribute TOTP keys?
It depends on your need for the added security. MFA is great and it's also a hassle. But you don't have to (and shouldn't) distribute the MFA secrets for virtual MFA. The user can log in with his/her credentials and create and download that themselves if you allow it.
Any provisions I should make for succession (i.e. bus factor)?
Heh, bus factor. Yes, you probably need a trusted adjutant with a high privilege level. In my accounts we don't actually use the root credentials, ever, but typically two people have a physical copy of the root credentials, though we do sometimes ride together in the same elevator, and we really shouldn't do that.
Anything else I should know?
Read the documentation. It takes a bit of time to sink in, but it takes less time if you get your hands dirty and play with it. Be sure when granting privileges that you verify that things which should not work do indeed not work, not just verify that things which should work indeed do work. But that applies to any authentication and authorization implementation.
Use IAM instance roles in EC2. Even if you can't think of a reason why an instance needs a role, give it one with no permissions anyway. Formerly, you could only add an IAM role to an instance at launch, but AWS announced on 2017-02-09 that you can now attach an IAM role to an instance after launch. As always, you can change the permissions granted to a role at any time.
Read about user groups. Attach users to groups and policies to groups to simplify granting the same privileges to multiple users.
Unrelated: activate billing alerts for your account to notify you when costs exceed thresholds you select.
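As an added illustration (not part of the answer above) of the "one IAM user per contributor, attached to a group" advice, here is the kind of least-privilege policy you would attach to a contributors group so that members, and a separate IAM user for a CI deployer, can touch only the site bucket and none of the other personal buckets in the account. The bucket name `example-project-site` is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheSiteBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::example-project-site"
    },
    {
      "Sid": "ReadWriteSiteObjectsOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-project-site/*"
    }
  ]
}
```

Because nothing grants `s3:ListAllMyBuckets` or any action on other bucket ARNs, a member running `aws s3 ls s3://some-other-personal-bucket` with their own credentials should get an AccessDenied error, which is exactly the negative check the answer recommends performing after granting privileges.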