I need some help understanding the options for handling the following scenario:
I have created a serverless service which creates a Cognito User Pool and API endpoints etc. I have two web apps which access the same user pool and API endpoints: a user app and an admin app. I have protected the API endpoints using a Cognito authorizer. So far so good. However, some of the endpoints should be accessible only via the admin app and only admins should be able to log into this app. What are my options for handling this scenario using AWS services/Serverless Framework?
I have already experimented with using AWS IAM authorization which would seem to be one option but I found it very cumbersome to set up (esp the AWS Sig v4 part) and I suspect it is overkill for my needs. I can’t see how I might use a Cognito authorizer as these don’t appear to distinguish between different groups of users in the user pool. I’m wondering whether I could use an API key to protect the admin endpoints whilst continuing to use a Cognito authorizer for the user endpoints? Can the two be combined in one serverless service? And how could I restrict authentication in the admin app to just admins?
I realise this is a common problem so I’m sure there must be some good options out there. Any pointers much appreciated
I’ve used custom user attributes in Cognito User Pool.
- Add a custom attribute that dictates wether or not a user is an admin
- Configure read/write permissions to expose it to your lambdas
- Should be accessible under the context object, in the properties context.authorizer.claims.yourAdminAttribute
Thanks very much for this suggestion, Robert.
I may have misunderstood but I think that if I take this approach I would be restricting access at the lambda level rather than at the API Gateway. I imagine that this is a less secure approach, although I don’t know enough about the security side to know just how much of an issue this might be. In the context of the project I’m currently working on, this might be a tradeoff I’m willing to make but I’d be very interested to hear from anyone who knows more about the security implications here.
Correct, it’s prone to another layer of developer error when it comes to access restrictions.
Otherwise your initial approach sounds safe, albeit a bit more cumbersome.
If you can live with two separate logins and pools for admins and non-admins, that could be another approach
Another option would be to have two separate pools, but have a lambda layer that checks the (hashed preferably) email to know which pool it should authorize with.