AWS Cognito role: Distinguish between Federated Identity Pool roles and User Pool Group roles


Problem description


I have an application wherein I want 2 types of users to belong to the same User Pool. They all authenticate using the same AWS Cognito Federated Identity Pool. The first type of user, Manager, should be able to see all of the other users in their group and change their attributes. The second type, Employee, should only be able to see/change their own attributes, change their own password, forget their own password, etc. I imagine this specific case requires some policy "magic" to create 2 roles, each with different levels of permissions. I figure that each role would be assigned to a different group, with the Manager group getting more power/permissions. But I am confused by the redundancy of role assignments in both Federated Identity Pools and User Pool Groups.

  • AWS Cognito Federated Identity Pools have 3 role specifiers: "Unauthenticated role", "Authenticated role", and, per authentication provider, "Authenticated role (selection)".
  • AWS Cognito User Pool Groups allow you to specify an IAM role.


What is the relationship between Identity Pools and Groups in terms of permissions?

Recommended answer


If you are using groups and attaching roles to them, you can then choose to use the role that is provided in the token. By default the authenticated role (or unauthenticated role if you have it activated) is used whenever you log in. You can change this behavior by opening your federated identity pool and changing this setting under Cognito user pool (which I assume is your identity provider).


Select "choose role from token" to use the role that you have attached to the group that the user belongs to.
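The following is an added example, not code from the question or the answer above, and not AWS's implementation. It shows the two identity pool configurations the answer contrasts (the default, where every signed-in user gets the single "authenticated" role, and the role mapping of type `Token`, which is the API form of the console's "choose role from token"), and a simplified model of how the role is then picked from the `cognito:preferred_role` and `cognito:roles` claims of the user pool ID token. All region, pool, client, account and role identifiers are constructed placeholders; the sample tokens are unsigned and exist only to feed the decoder, and the `resolve_role` logic is an assumption about the documented resolution order, not AWS code.

```python
import base64
import json

# All identifiers below are constructed placeholders, not values from the page.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid123"
# Provider key used in RoleMappings for a Cognito user pool app client.
PROVIDER = f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}:{APP_CLIENT_ID}"
AUTH_ROLE = "arn:aws:iam::123456789012:role/Cognito_ExampleAuth_Role"
MANAGER_ROLE = "arn:aws:iam::123456789012:role/ManagerGroupRole"
EMPLOYEE_ROLE = "arn:aws:iam::123456789012:role/EmployeeGroupRole"


def default_config():
    """Identity pool as created by default: no role mapping for the provider,
    so every authenticated user gets AUTH_ROLE regardless of group membership."""
    return {"Roles": {"authenticated": AUTH_ROLE}, "RoleMappings": {}}


def token_config(ambiguous="Deny"):
    """Payload shape for `aws cognito-identity set-identity-pool-roles`.
    Type "Token" is the API equivalent of the console's "choose role from token".
    AmbiguousRoleResolution applies when the token names no single role:
    "Deny" issues no credentials, "AuthenticatedRole" falls back to AUTH_ROLE."""
    return {
        "Roles": {"authenticated": AUTH_ROLE},
        "RoleMappings": {
            PROVIDER: {"Type": "Token", "AmbiguousRoleResolution": ambiguous}
        },
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with the given payload and an empty signature.
    Only for feeding decode_claims below: a real ID token is signed by the user
    pool, and the identity pool verifies it against the pool's JWKS first."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(id_token: str) -> dict:
    """Read the payload segment only. This does NOT verify the signature and
    must never be used on its own to make an authorization decision."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_role(claims: dict, config: dict):
    """Simplified model (an assumption, not AWS code) of which IAM role the
    identity pool assumes for a user pool token under the given config."""
    mapping = config["RoleMappings"].get(PROVIDER)
    if mapping is None or mapping["Type"] != "Token":
        # No token mapping for this provider ("Rules" mappings are out of
        # scope here): group roles are ignored and everyone gets AUTH_ROLE.
        return config["Roles"]["authenticated"]
    # The user pool fills cognito:preferred_role from the group with the lowest
    # precedence value; it is absent when equal-precedence groups carry
    # different roles.
    preferred = claims.get("cognito:preferred_role")
    if preferred:
        return preferred
    roles = claims.get("cognito:roles", [])
    if len(roles) == 1:
        return roles[0]
    if mapping["AmbiguousRoleResolution"] == "AuthenticatedRole":
        return config["Roles"]["authenticated"]
    return None  # "Deny": GetCredentialsForIdentity fails, no credentials issued


def effective_role(id_token: str, config: dict):
    return resolve_role(decode_claims(id_token), config)


# Constructed sample tokens: a Manager, an Employee, and a user in both groups
# whose groups share the same precedence (so no preferred role is set).
MANAGER_TOKEN = make_unsigned_token({
    "sub": "11111111-aaaa-4bbb-8ccc-000000000001",
    "cognito:groups": ["Manager"],
    "cognito:roles": [MANAGER_ROLE],
    "cognito:preferred_role": MANAGER_ROLE,
})
EMPLOYEE_TOKEN = make_unsigned_token({
    "sub": "22222222-aaaa-4bbb-8ccc-000000000002",
    "cognito:groups": ["Employee"],
    "cognito:roles": [EMPLOYEE_ROLE],
    "cognito:preferred_role": EMPLOYEE_ROLE,
})
AMBIGUOUS_TOKEN = make_unsigned_token({
    "sub": "33333333-aaaa-4bbb-8ccc-000000000003",
    "cognito:groups": ["Manager", "Employee"],
    "cognito:roles": [MANAGER_ROLE, EMPLOYEE_ROLE],
})

if __name__ == "__main__":
    for name, tok in [("manager", MANAGER_TOKEN), ("employee", EMPLOYEE_TOKEN),
                      ("both", AMBIGUOUS_TOKEN)]:
        print(name, "default:", effective_role(tok, default_config()))
        print(name, "token/Deny:", effective_role(tok, token_config()))
        print(name, "token/AuthenticatedRole:",
              effective_role(tok, token_config("AuthenticatedRole")))
```

Two practical points follow from this. First, the mapping only takes effect for a group role whose trust policy lets `cognito-identity.amazonaws.com` assume it for this identity pool (the usual `cognito-identity.amazonaws.com:aud` equals the identity pool id and `cognito-identity.amazonaws.com:amr` contains `authenticated` conditions); a group role the identity pool cannot assume yields no credentials even when it is named in the token. Second, the IAM role governs calls to AWS APIs such as `cognito-idp:ListUsersInGroup` or `cognito-idp:AdminUpdateUserAttributes` that a Manager needs, while an Employee changing their own attributes or password talks to the user pool with their own token and needs no such permissions in the Employee role, so that role can stay minimal. Leaving `AmbiguousRoleResolution` at `Deny` is the safer choice: a user who ends up in two equal-precedence groups then gets nothing rather than silently receiving the pool-wide authenticated role.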

