Different levels of access for AWS Cognito

回眸只為那壹抹淺笑 submitted on 2021-02-08 07:55:39

Question


I'm trying to build a web app that can be accessed by any user that signs up with Facebook. I want to use AWS Cognito to speed up the development of user management.

It has to have 3 types of users:

  • Normal users - any user that logs in with Facebook
  • Editors - users that have a different access level (IAM role?); they can call a specific AWS Lambda function that normal users can't call.
  • Administrators - users that can modify the status of normal users to make them editors or admins

Can someone please point me in the right direction? I've set up an AWS Cognito Identity Pool, but I'm not sure whether I have to set up a User Pool, how to assign a different role or policy to a user to make him an admin or editor (different access levels for other AWS resources), whether I can get the users list from Cognito in my web app (only for an authenticated admin), and how to allow him to modify other users' roles.

Some tutorial, documentation or at least a short description of how I can do this would help me a lot.

Optional: let users sign up not only with Facebook but also with email/pass, and have the same functionality.


Answer 1:


You should be able to use the 'Role Based Access Control' feature of Cognito federated identities. This is the relevant part of the doc: http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

If you are only using Facebook, you can use the Facebook sub to assign the appropriate role.

If you are using username and password based sign-in with a user pool, you can use group support and create an editors group and assign appropriate permissions.

Instead of managing Administrators with federated identities or a user pool, directly using an IAM user will probably be a better idea. This IAM user will have full permission to modify/add identity pool rules or user pool groups.
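
The rule-based mapping on the Facebook `sub` claim mentioned in the answer, as an added example that is not part of the original answer: it builds the `RoleMappings` payload for the identity pool and models rule evaluation locally in a simplified form. The account id, role ARNs, Facebook user id and helper names are constructed placeholders.

```python
# Added example: ARNs, ids and helper names are constructed placeholders.
FACEBOOK = "graph.facebook.com"  # provider key Cognito identity pools use for Facebook

NORMAL_ROLE = "arn:aws:iam::111122223333:role/app-normal-user"  # placeholder
EDITOR_ROLE = "arn:aws:iam::111122223333:role/app-editor"       # placeholder


def build_role_mappings(editor_subs, editor_role_arn):
    """Build RoleMappings: one Equals rule on the `sub` claim per editor."""
    rules = [
        {"Claim": "sub", "MatchType": "Equals", "Value": sub,
         "RoleARN": editor_role_arn}
        for sub in sorted(set(editor_subs))
    ]
    if not rules:
        raise ValueError("RulesConfiguration needs at least one rule")
    return {
        FACEBOOK: {
            "Type": "Rules",
            # No rule matched: fall back to the pool's authenticated role,
            # so unlisted Facebook users stay normal users.
            "AmbiguousRoleResolution": "AuthenticatedRole",
            "RulesConfiguration": {"Rules": rules},
        }
    }


MATCHERS = {
    "Equals": lambda claim, value: claim == value,
    "NotEqual": lambda claim, value: claim != value,
    "StartsWith": lambda claim, value: claim.startswith(value),
    "Contains": lambda claim, value: value in claim,
}


def resolve_role(mapping, claims, authenticated_role_arn):
    """Local model: rules checked in order, first match wins.
    A missing claim never matches in this model."""
    for rule in mapping["RulesConfiguration"]["Rules"]:
        claim = claims.get(rule["Claim"])
        if claim is not None and MATCHERS[rule["MatchType"]](claim, rule["Value"]):
            return rule["RoleARN"]
    if mapping["AmbiguousRoleResolution"] == "Deny":
        return None  # modelled as: no role, credentials request refused
    return authenticated_role_arn


ROLE_MAPPINGS = build_role_mappings(["10000000000000001"], EDITOR_ROLE)
# With AWS credentials, the payload is applied through boto3:
# boto3.client("cognito-identity").set_identity_pool_roles(
#     IdentityPoolId=POOL_ID, Roles={"authenticated": NORMAL_ROLE},
#     RoleMappings=ROLE_MAPPINGS)
```

For user pool sign-in, the mapping key is the user pool provider name instead of `graph.facebook.com`, and `"Type": "Token"` lets the role come from the user's group membership.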



Source: https://stackoverflow.com/questions/42555924/different-levels-of-access-for-aws-cognito
