diff --git a/helpers/cognito_quick_group.sh b/helpers/cognito_quick_group.sh
new file mode 100755
index 0000000..a6a23a2
--- /dev/null
+++ b/helpers/cognito_quick_group.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+set -e
+
+echo -e "Checking if the platform has been setup..\n"
+
+## Retreive Cognito Details
+USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
+if [ -z $USER_POOL_ID ]; then
+ echo "No user pool found. Ensure the platform has been setup first."
+ exit 1
+fi
+
+##App client id
+IDENTITY_POOL_ID=$(aws cognito-identity list-identity-pools --max-results 20 | jq -r '.IdentityPools[] | select(.IdentityPoolName == "gurum_idp") | .IdentityPoolId')
+if [ -z $IDENTITY_POOL_ID ]; then
+ echo "No identity pool found. Ensure the platform has been setup first."
+ exit 1
+fi
+
+# MODIFY TRUST POLICY JSON
+MYDIR="$(dirname "$(which "$0")")"
+sed "s/###RESERVED_FOR_QUICK_GROUP_SCRIPT###/$IDENTITY_POOL_ID/g" $MYDIR/group_trust_policy.json > $MYDIR/group_trust_policy.deploy
+
+# USER CREATION
+echo "Enter a group name:"
+read GROUP_NAME
+
+## Create the IAM Role
+ROLE_NAME="gurum-$GROUP_NAME-role"
+ROLE_ARN=$(aws iam create-role \
+ --path '/gurum/groups/' \
+ --role-name $ROLE_NAME \
+ --assume-role-policy-document file://$MYDIR/group_trust_policy.deploy \
+ --description "Gurum Cognito Group Assume Role for $GROUP_NAME" \
+ --tags Key=gurum-groups,Value=$GROUP_NAME | jq -r '.Role.Arn')
+rm $MYDIR/group_trust_policy.deploy # clean up temporary deploy file
+
+## Attach IAM role policy
+ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
+aws iam attach-role-policy \
+ --role-name $ROLE_NAME \
+ --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/gurum/gurum-group-policy"
+
+## Create the Cognito Group
+aws cognito-idp create-group \
+ --group-name $GROUP_NAME \
+ --user-pool-id $USER_POOL_ID \
+ --role-arn $ROLE_ARN > /dev/null
+
+echo -e "\n\nSuccess! Group created and mapped to an IAM role."
diff --git a/helpers/cognito_quick_user.sh b/helpers/cognito_quick_user.sh
index 43aba0a..cd66eac 100755
--- a/helpers/cognito_quick_user.sh
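Review bot: GROUP_NAME comes straight from `read GROUP_NAME` and is then expanded unquoted into `--role-name $ROLE_NAME`, `--tags Key=gurum-groups,Value=$GROUP_NAME` and `--group-name $GROUP_NAME`, so a name containing whitespace splits into extra arguments and the role, its tag and the Cognito group can end up with different names; quote every expansion (`--role-name "$ROLE_NAME"`, `Value="$GROUP_NAME"`, `[ -z "$USER_POOL_ID" ]`) and read with `read -r`. The generated `group_trust_policy.deploy` is only removed after `create-role` succeeds; under `set -e` any earlier failure leaves it next to the script, so a `trap 'rm -f -- "$MYDIR/group_trust_policy.deploy"' EXIT` placed right after the `sed` line covers every exit path. `MYDIR="$(dirname "$(which "$0")")"` depends on `which` resolving `$0`, which is not guaranteed for every way the script can be invoked; `MYDIR="$(cd "$(dirname "$0")" && pwd)"` is the usual form. Note also that the role and its policy attachment persist if the later `create-group` call fails, leaving an orphaned role to clean up by hand; a short comment stating that, or a rollback on failure, would help whoever runs this.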
+++ b/helpers/cognito_quick_user.sh @@ -4,14 +4,14 @@ set -e echo -e "Checking if the platform has been setup..\n" ## Retreive Cognito Details -POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id') -if [ -z $POOL_ID ]; then +USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id') +if [ -z $USER_POOL_ID ]; then echo "No user pool found. Ensure the platform has been setup first." exit 1 fi ##App client id -CLIENT_ID=$(aws cognito-idp list-user-pool-clients --user-pool-id $POOL_ID | jq -r '.UserPoolClients[] | select(.ClientName == "gurum-client") | .ClientId') +CLIENT_ID=$(aws cognito-idp list-user-pool-clients --user-pool-id $USER_POOL_ID | jq -r '.UserPoolClients[] | select(.ClientName == "gurum-client") | .ClientId') if [ -z $CLIENT_ID ]; then echo "No client id found. Ensure the platform has been setup first." exit 1 
@@ -21,21 +21,24 @@ fi echo "Enter a username:" read USERNAME +echo "Enter a valid e-mail:" +read EMAIL + echo -e "\nEnter a password:" read -s PASSWORD ## Create the Cognito user -aws cognito-idp sign-up --client-id $CLIENT_ID --username $USERNAME --password $PASSWORD > /dev/null +aws cognito-idp sign-up --client-id $CLIENT_ID --username $USERNAME --password $PASSWORD --user-attributes Name="email",Value="$EMAIL" > /dev/null ## Assign cognito user to group -GROUP_NAMES=$(aws cognito-idp list-groups --user-pool-id $POOL_ID | jq -r '.Groups | map(.GroupName) | join(" , ")') +GROUP_NAMES=$(aws cognito-idp list-groups --user-pool-id $USER_POOL_ID | jq -r '.Groups | map(.GroupName) | join(" , ")') echo -e "\n\nEnter a group for the user (valid: $GROUP_NAMES):" read SELECTED_GROUP -aws cognito-idp admin-add-user-to-group --username $USERNAME --user-pool-id $POOL_ID --group-name $SELECTED_GROUP +aws cognito-idp admin-add-user-to-group --username $USERNAME --user-pool-id $USER_POOL_ID --group-name $SELECTED_GROUP ## Confirm the user account -aws cognito-idp admin-confirm-sign-up --username $USERNAME --user-pool-id $POOL_ID +aws cognito-idp admin-confirm-sign-up --username $USERNAME --user-pool-id $USER_POOL_ID echo -e "\n\nSuccess! Log-in with your chosen details." diff --git a/helpers/group_trust_policy.json b/helpers/group_trust_policy.json new file mode 100644 index 0000000..600b9d9 --- /dev/null +++ b/helpers/group_trust_policy.json @@ -0,0 +1,17 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "cognito-identity.amazonaws.com" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "cognito-identity.amazonaws.com:aud": "###RESERVED_FOR_QUICK_GROUP_SCRIPT###" + } + } + } + ] +} diff --git a/src/template.yaml b/src/template.yaml index cfa04ce..7ccd95d 100644 --- a/src/template.yaml +++ b/src/template.yaml 
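Review bot: The new `--user-attributes Name="email",Value="$EMAIL"` stores the address unverified, and the later `admin-confirm-sign-up` confirms the account without marking the email verified; if the pool relies on email for sign-in aliases or account recovery (not stated in the hunk), follow it with `aws cognito-idp admin-update-user-attributes --user-pool-id "$USER_POOL_ID" --username "$USERNAME" --user-attributes Name=email_verified,Value=true`. `read EMAIL` should be `read -r EMAIL`, and `$USERNAME`, `$PASSWORD` and `$SELECTED_GROUP` on the re-emitted lines are still unquoted. The re-emitted `sign-up` line also keeps `--password $PASSWORD` on the command line, where it is visible in process listings on the machine running the helper; passing the request through `--cli-input-json file://...` with a file created by `mktemp` keeps it out of argv. The rest of the script lies outside this hunk.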
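Review bot: The trust policy's only condition is `cognito-identity.amazonaws.com:aud` equal to the identity pool id, so it does not distinguish authenticated from unauthenticated identities of that pool even though the role is meant for members of a Cognito group; add the check AWS uses for its own authenticated role, `"ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }`, next to the `StringEquals` block. Whether the missing condition matters in practice depends on the pool's unauthenticated-access and classic-flow settings, which are not in this diff, but the trust policy should not rely on them. Since JSON has no comment syntax, the helper that substitutes `###RESERVED_FOR_QUICK_GROUP_SCRIPT###` is the place to document that the placeholder must be replaced with the identity pool id before the file is used.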
@@ -120,7 +120,7 @@ Resources: GenerateSecret: false UserPoolId: !Ref UserPool - # Creates a federated Identity pool + # Creates a Federated Identity pool IdentityPool: Type: 'AWS::Cognito::IdentityPool' Properties: @@ -130,11 +130,31 @@ Resources: - ClientId: !Ref UserPoolClient ProviderName: !GetAtt UserPool.ProviderName + # Creates an IAM Policy using Tag Based authorization to dynamically authorize + # cognito federated roles to their resources based on gurum-groups tag. + GurumGroupPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + ManagedPolicyName: gurum-group-policy + Path: '/gurum/' + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: 'Allow' + Action: + - 'codecommit:*' + - 'logs:FilterLogEvents' + Resource: '*' + Condition: + StringEquals: + 'aws:ResourceTag/gurum-groups': '${aws:PrincipalTag/gurum-groups}' + # Create a role for unauthorized access to AWS resources. Very limited access. # Only allows users in the previously created Identity Pool CognitoUnAuthorizedRole: Type: 'AWS::IAM::Role' Properties: + Path: '/gurum/' AssumeRolePolicyDocument: Version: '2012-10-17' Statement: @@ -171,6 +191,7 @@ Resources: CognitoAuthorizedRole: Type: 'AWS::IAM::Role' Properties: + Path: '/gurum/' AssumeRolePolicyDocument: Version: '2012-10-17' Statement: @@ -211,20 +232,6 @@ Resources: - 'cognito-identity:UpdateIdentityPool' Resource: !Sub 'arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}' - CognitoESAccessRole: - Type: 'AWS::IAM::Role' - Properties: - ManagedPolicyArns: - - arn:aws:iam::aws:policy/AmazonESCognitoAccess - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: 'Allow' - Principal: - Service: 'es.amazonaws.com' - Action: - - 'sts:AssumeRole' - # Assigns the roles to the Identity Pool IdentityPoolRoleMapping: Type: 'AWS::Cognito::IdentityPoolRoleAttachment' 
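Review bot: `GurumGroupPolicy` grants `codecommit:*` on `Resource: '*'` conditioned only on `aws:ResourceTag/gurum-groups` matching the principal tag, and `codecommit:*` covers `codecommit:TagResource` and `codecommit:UntagResource`, so a member of one group could retag a repository they already reach and change which groups match it; keep those two actions out of the wildcard, for example with a separate statement that also requires `aws:RequestTag/gurum-groups` to equal the principal tag, or an explicit Deny on them. The `StringEquals` on `aws:ResourceTag` also denies actions that carry no resource tag, such as `codecommit:ListRepositories`, which would need their own statement if group roles are expected to list repositories. Adding `Path: '/gurum/'` to `CognitoUnAuthorizedRole` here, to `CognitoAuthorizedRole` in the `@@ -171,6 +191,7 @@` hunk and to `DeploymentRole` in the `@@ -237,7 +244,7 @@` hunk changes an immutable role property, so CloudFormation replaces each role and its ARN changes; anything outside this template that references the old ARNs, or a fixed `RoleName` on those roles (not visible here), would break the update. A brief comment on the condition line, e.g. `# ABAC: only resources tagged with the caller's gurum-groups value`, would spare the next reader the lookup.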
@@ -237,7 +244,7 @@ Resources:
 DeploymentRole:
 Type: AWS::IAM::Role
 Properties:
- Path: /
+ Path: '/gurum/'
 AssumeRolePolicyDocument:
 Version: "2012-10-17"
 Statement: