Todo: Outline steps to enable Cognito login and role mapping

[kalleeh]

We need to clarify the steps around creating the initial users and groups and IAM role mappings through cognito federated identities for first setup users.
We don't want to build a user management system in the API since this should use the default Cognito API's but we should provide configuration steps.

Something like;

1. Create Cognito user.
2. Create Cognito group for each Platform Tenant.
3. Create IAM Role with correct CloudWatch Logs Read-permissions (right log groups). Add the right trust permissions on the IAM role.

{
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "eu-west-1:b3df4e00-5aea-4e69-8b60-85ec38731d17"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }

4. Map Cognito group login to the IAM role created in step 3.
5. Go into Cognito Federated Identities and go to Authentication providers, Cognito. Under "authenticated role selection" select "choose role from token" and "use Authenticated role".

[shendriksen]

+1

[shendriksen]

It looks like the majority of this work has already been done. We have a script within 'helpers' that creates a user quickly. We also have the steps listed in the documentation. The 'groups' have not been automated yet but we can create a separate task for that if we want to work on this sooner (I don't think it's as important for now).

[kalleeh]

Tightly linked with #32