Can I, as an admin, get a user password (which is currently is use) within Cognito? Either through AWS CLI or its Java API?
No, this is not currently possible.
Related
In our project we are using API Gateway to get authenticated by Cognito User Pool.
Now, we are checking instead of hiting API Gateway can we directly hit Cognito for authenticating users.
So, wanted to check if there is any API of AWS cognito-idp admin-initiate-auth to get the tokens without using the CLI command?
Please refer to the link here. You will also find more information about using this API in one of the language-specific AWS SDKs.
For a complete list of all Amazon Cognito API references, refer here
We've implemented AWS SSO authentication with ActiveDirectory, corporate wise, for all our users. We use multiple AWS sub-accounts, so that ActiveDirectory users can connect to different AWS sub-accounts with their AD credentials, according to the AD group association with AWS policies.
This all works pretty well, however, it is not clear to me, how to implement following authorization properly. Some of our accounts have S3 buckets which should be available for all the users authenticated by the SSO, without regards of the user access rights.
What is the right way to organize that?
I have a API in AWS API gateway.
I wants to give Limited access to the user how can I do that?
or how can I create Signed url if possible for the API access does anyone has any idea?
I can Disable from the API Gateway Console but can I give the time or limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.
Is there any specific way to create a Cognito Identity Pool in a Amazon DynamoDB local setup? I have already setup the javascript shell and created several tables and have queried it. I need to provide a authenticated mode user login (Facebook, Amazon, Google) for my node application. I found several tutorials about how to set it up using AWS DynamoDB, but I need to know how I can create it using a local DynamoDB without accessing AWS DynamoDB.
Amazon DynamoDB local doesn't validate credentials, so it doesn't matter how you set up the Amazon Cognito identity pool or the roles for the pool. You will be able to interact with the CognitoCredentials object the same way if you are using Amazon DynamoDB or DynamoDB local.
It is important to note that you will not hoever be able to validate fine-grained access control unless you use the full service, again because DynamoDB local doesn't validate credentials.
I am writing my own reporting software in Java and planning to use RDS for data storage. I want to do the A.A. with AWS IAM. Is there any example(s) of authenticating and authorizing with AWS Identity and Access Management that you might be aware and share with me?
I am not looking on how to set up the user from Amazon's console or how to issue console commands. Instead I would like to see some Java code how to identify if user is authenticated with his/her credentials (user id, password combination) and whether that person authorized to get access to specific report.
AWS IAM is not designed to authenticate users with your own app. AWS IAM is designed to authenticate users with AWS services.
The only way to see if a user is a real user(authentication) and if that user is authorized is to actually make an AWS API call.
For example, you can create a policy that looks like this and attach it to a user/group:
{
"Statement":[{
"Effect":"Allow",
"Action":["rds:CreateDBSecurityGroup",
"rds:DeleteDBSecurityGroup",
"rds:DescribeDBSecurityGroup",
"rds:AuthorizeDBSecurityGroupIngress",
"rds:RevokeDBSecurityGroupIngress"],
"Resource":"*"
}
]
}
And the user or group who has this policy can only make these API calls and not others.
See here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
Amazon has something called Cognito which is designed to sync application profiles across mobile devices. What applies to your question, though, is that it also allows users to authenticate with Google, Facebook, or Amazon (it uses OAuth).
http://aws.amazon.com/cognito/