chore(cognito-identitypool): update README to encourage least privilege #31811

Merged
merged 12 commits into from
Oct 22, 2024
12 changes: 7 additions & 5 deletions packages/@aws-cdk/aws-cognito-identitypool-alpha/README.md
Expand Up @@ -74,7 +74,8 @@ unauthenticated (guest) roles applied to the identity pool:
new IdentityPool(this, 'myIdentityPool');
```

By default, both the authenticated and unauthenticated roles will have no permissions attached. Grant permissions
By default, both the authenticated and unauthenticated roles will have no permissions attached. When granting permissions,
you should ensure that you are granting the least privileged permissions required for your use case. Grant permissions
to roles using the public `authenticatedRole` and `unauthenticatedRole` properties:

```ts
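Review bot: the added sentence applies the least-privilege advice to the authenticated and unauthenticated roles equally, but the unauthenticated (guest) role named in the hunk header is the one that needs the tightest scope, since it is assumed without any sign-in; consider saying so explicitly. The wording is also heavier than it needs to be: `you should ensure that you are granting the least privileged permissions required for your use case` can be `grant only the least privilege your use case requires`.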
Expand All @@ -88,11 +89,11 @@ table.grantReadWriteData(identityPool.authenticatedRole);
// Grant permissions to unauthenticated guest users
table.grantReadData(identityPool.unauthenticatedRole);

//Or add policy statements straight to the role
// Or add policy statements straight to the role
identityPool.authenticatedRole.addToPrincipalPolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['dynamodb:*'],
resources: ['*'],
actions: ['dynamodb:UpdateItem'],
resources: [table.tableArn],
}));
```

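Review bot: the tightened statement now allows `dynamodb:UpdateItem` on `table.tableArn`, but `table.grantReadWriteData(identityPool.authenticatedRole)` a few lines above already includes `UpdateItem`, so the example adds no permission the role lacks and a reader copying both ends up with a redundant statement; either pick an action the grant does not cover or say the statement is illustrative. Under the README's own new advice, the guest example also deserves a look: `table.grantReadData(identityPool.unauthenticatedRole)` gives unauthenticated users read access to the whole table, which is rarely the minimum a guest needs, so a short note that this is a placeholder for a narrower grant would fit the PR's intent.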
Expand Down Expand Up @@ -253,7 +254,8 @@ new IdentityPool(this, 'myidentitypool', {

In addition to setting default roles for authenticated and unauthenticated users, identity pools can also be used to
define rules to choose the role for each user based on claims in the user's ID token by using Role Mapping. When using
role mapping, it's important to be aware of some of the permissions the role will need. An in depth
role mapping, it's important to be aware of some of the permissions the role will need, and that the least privileged
roles necessary are given for your specific use case. An in depth
review of roles and role mapping can be found [here](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html).

Using a [token-based approach](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users) to role mapping will allow mapped roles to be passed through the `cognito:roles` or
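Review bot: the added clause `and that the least privileged roles necessary are given for your specific use case` does not parse cleanly after `it's important to be aware of some of the permissions the role will need`; suggest `it's important to be aware of the permissions each mapped role will need, and to grant each role only the least privilege its use case requires.` While here, `[here]` is opaque link text; naming the target, for example `the Cognito role-based access control guide`, reads better in the rendered README.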