AWS Cognito的不同访问级别 [英] Different levels of access for AWS Cognito

问题描述

我正在尝试构建一个Web应用程序，任何注册了facebook的用户都可以访问该应用程序.我想使用AWS Cognito加快用户管理的开发速度.

I'm trying to build a web app that can be accessed by any user that signs up with facebook. I want to use AWS Cognito to speed up the development for users management.

它必须具有3种类型的用户:

It has to have 3 type of users:

• 普通用户-使用Facebook登录的任何用户
• 编辑器-具有不同访问级别(IAM角色?)的用户，他们可以调用普通用户无法调用的特定AWS Lambda函数.
• 管理员-可以修改普通用户的状态以使其成为编辑者或管理员的用户

有人能指出我正确的方向吗?我已经设置了AWS Cognito身份池，但是不确定是否必须设置用户池，或者如何为用户分配不同的角色或策略以使其成为管理员或编辑者(其他用户的访问级别不同)AWS资源)，如果我可以从自己的Web应用程序中获取Cognito的用户列表(仅针对经过身份验证的管理员)，以及如何允许他修改其他用户角色.

Can someone please point me in the right direction? I've set up AWS Cognito Identity Pool but I'm not sure if I have to set up a User Pool or how do I assign a different role or policy to a user to make him an admin or editor (different access levels for other AWS resources), if I can get in my web app the users list from Cognito (only for an authenticated admin) and how do I allow him to modify other users roles.

一些教程，文档或至少简短说明如何执行此操作会对我有很大帮助.

Some tutorial, documentation or at least a short description of how can I do this would help me a lot.

可选:让用户不仅可以使用facebook进行注册，还可以使用电子邮件/通行证进行注册，并且具有相同的功能.

Optional: let users to not only sign up with facebook but also with email/pass, and have the same functionality.

推荐答案

您应该能够使用Cognito联合身份的基于角色的访问控制"功能.这是文档的相关部分: http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

You should be able to use 'Role Based Access Control' feature of Cognito federated identities. This is the relevant part of the doc: http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

如果仅使用Facebook，则可以使用Facebook sub分配适当的角色.

If you are only using Facebook, you can use Facebook sub to assign appropriate role.

如果您在用户池中使用基于用户名和密码的登录，则可以使用组支持并创建编辑者组并分配适当的权限.

If you are using username and password based sign-in with user pool, you can use group support and create editors group and assign appropriate permissions.

与其使用联合身份或用户池来管理管理员，不如直接使用IAM用户，将是一个更好的主意.该IAM用户将具有修改/添加身份池规则或用户池组的完全权限.

Instead of managing Administrators with federated identities or user pool, probably directly using IAM user will be a better idea. This IAM user will have full permission to modify/add identity pool rules or user pool groups.

这篇关于AWS Cognito的不同访问级别的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！