I originally set up my Identity Pool with the default roles and in the authenticated role I added the AWS managed AdministratorAccess policy. This worked fine, I receive the temporary credential and CRUD access to Cognito users, but I need other user groups with different levels of permissions. To get started I set up an Admin group in Cognito User Pools and assigned it the custom fullAdmin IAM role which includes AdministratorAccess.
This is failing when I use both methods in the Identity Pool Authenticated Role Selection. I'm using the AWS console. The error is:
NotAuthorizedException: Unauthenticated access is not supported for this identity pool
For Role resolution I want to use Deny.
If I choose the option to use the default authenticated role with the AdministratorAccess policy then it works, I have admin access, but this means that it is not recognizing my rule or the token methods. That is bad.
I think my code works because the default method works, but not sure. Would my code have to be different to use rules or the token to get the user group?
Maybe I have only this issue:
I'm using AWS Amplify for getting the current user session which includes the access and id tokens.
Auth.currentCredentials()
The docs recommend AWS.CognitoIdentityCredentials. Maybe using the claim cognito:groups in rules or using the token method doesn't work because the session properties can't be read by the Identity Pool. The objects may be different. I've been trying to set up AWS.CognitoIdentityCredentials to test this but that isn't working in my code so far. AWS can't be imported from the AWS-sdk without creating a mess so I import it from @aws-amplify/core. All my code is set up from that.
In my JavaScript / Angular code this retrieves the group from the ID token:
user.signInUserSession.idToken.payload['cognito:groups'];
For a claim I tried signInUserSession.idToken.payload['cognito:groups'] but that didn't work either. What little info is online gives only cognito:groups as a claim option but that isn't working.
Any ideas either for a solution or troubleshooting?
The answer is simple. I had deleted an Identity Pool and created a new one. However, I forgot that I needed to update the Identity Pool ID in each role in IAM that I use with that Identity Pool.
That means go to the roles you are using in the Identity Pool, click the Trust Relationships tab, edit, and where it says StringEquals be sure you have this key cognito-identity.amazonaws.com:aud and your Identity Pool ID as the value us-west-2:e8340b.....
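What the trust policy on each authenticated role should look like after the fix, as an added example rather than the answerer's own document: the aud condition is what binds the role to one specific Identity Pool, so a stale ID left over from a deleted pool makes STS refuse the AssumeRoleWithWebIdentity call. The pool ID below is a placeholder, and the amr condition (standard on the default authenticated role) is assumed to still be present so unauthenticated identities cannot assume the role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-west-2:IDENTITY_POOL_ID_PLACEHOLDER"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

Replace the placeholder with the ID shown on the new Identity Pool's settings page and apply the same change to every role the pool can resolve to, including the group and rule-based roles, not only the default authenticated one.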