From 9dadddaa7d9087a567601f6cc11588e93173367a Mon Sep 17 00:00:00 2001
From: Karl Wallbom
Date: Thu, 13 Feb 2020 15:41:51 +0100
Subject: [PATCH 1/4] feat: update api to include standard cognito group policy
---
 src/template.yaml | 39 +++++++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/src/template.yaml b/src/template.yaml
index cfa04ce..7ccd95d 100644
--- a/src/template.yaml
+++ b/src/template.yaml
@@ -120,7 +120,7 @@ Resources:
 GenerateSecret: false
 UserPoolId: !Ref UserPool
- # Creates a federated Identity pool
+ # Creates a Federated Identity pool
 IdentityPool:
 Type: 'AWS::Cognito::IdentityPool'
 Properties:
@@ -130,11 +130,31 @@ Resources:
 - ClientId: !Ref UserPoolClient
 ProviderName: !GetAtt UserPool.ProviderName
+ # Creates an IAM Policy using Tag Based authorization to dynamically authorize
+ # cognito federated roles to their resources based on gurum-groups tag.
+ GurumGroupPolicy:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ ManagedPolicyName: gurum-group-policy
+ Path: '/gurum/'
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: 'Allow'
+ Action:
+ - 'codecommit:*'
+ - 'logs:FilterLogEvents'
+ Resource: '*'
+ Condition:
+ StringEquals:
+ 'aws:ResourceTag/gurum-groups': '${aws:PrincipalTag/gurum-groups}'
+
 # Create a role for unauthorized access to AWS resources. Very limited access.
 # Only allows users in the previously created Identity Pool
 CognitoUnAuthorizedRole:
 Type: 'AWS::IAM::Role'
 Properties:
+ Path: '/gurum/'
 AssumeRolePolicyDocument:
 Version: '2012-10-17'
 Statement:
@@ -171,6 +191,7 @@ Resources:
 CognitoAuthorizedRole:
 Type: 'AWS::IAM::Role'
 Properties:
+ Path: '/gurum/'
 AssumeRolePolicyDocument:
 Version: '2012-10-17'
 Statement: 
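Review bot: `codecommit:*` under `Action` in the new GurumGroupPolicy (hunk @@ -130) reads as "everything, scoped by tag", but the `StringEquals` on `aws:ResourceTag/gurum-groups` only matches when the request carries a tagged resource, so calls with no resource (`codecommit:ListRepositories`, `codecommit:CreateRepository`) are not granted by this statement, while `codecommit:TagResource`/`codecommit:UntagResource` on a repository already carrying the caller's group tag are granted and let a group re-tag its repository to another group or strip the tag. Consider listing the actions a group actually needs, or at least adding a `Deny` statement for `codecommit:TagResource` and `codecommit:UntagResource`, and documenting the model above the statement: `# Only resources tagged gurum-groups=<caller's gurum-groups principal tag> are reachable; untagged resources and actions without a resource are not granted here.` The `Path: '/gurum/'` added to CognitoUnAuthorizedRole here, to CognitoAuthorizedRole in hunk @@ -171 and to DeploymentRole in hunk @@ -237 is a replacement-triggering property for AWS::IAM::Role in CloudFormation, so each role is recreated with a new ARN; anything outside this stack that pinned those ARNs, and any fixed RoleName (none visible in these hunks), should be checked before the stack update.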
@@ -211,20 +232,6 @@ Resources: - 'cognito-identity:UpdateIdentityPool' Resource: !Sub 'arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}' - CognitoESAccessRole: - Type: 'AWS::IAM::Role' - Properties: - ManagedPolicyArns: - - arn:aws:iam::aws:policy/AmazonESCognitoAccess - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: 'Allow' - Principal: - Service: 'es.amazonaws.com' - Action: - - 'sts:AssumeRole' - # Assigns the roles to the Identity Pool IdentityPoolRoleMapping: Type: 'AWS::Cognito::IdentityPoolRoleAttachment' @@ -237,7 +244,7 @@ Resources: DeploymentRole: Type: AWS::IAM::Role Properties: - Path: / + Path: '/gurum/' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: From f52c6e43ea266575bec12e8c9de52d2541ff57d8 Mon Sep 17 00:00:00 2001 From: Karl Wallbom Date: Thu, 13 Feb 2020 16:57:41 +0100 Subject: [PATCH 2/4] feat: add group creation and email attribute --- helpers/cognito_quick_group.sh | 49 +++++++++++++++++++++++++++++++++ helpers/cognito_quick_user.sh | 17 +++++++----- helpers/group_trust_policy.json | 17 ++++++++++++ 3 files changed, 76 insertions(+), 7 deletions(-) create mode 100755 helpers/cognito_quick_group.sh create mode 100644 helpers/group_trust_policy.json diff --git a/helpers/cognito_quick_group.sh b/helpers/cognito_quick_group.sh new file mode 100755 index 0000000..2eac1b9 --- /dev/null +++ b/helpers/cognito_quick_group.sh 
@@ -0,0 +1,49 @@
+#!/bin/bash
+set -e
+
+echo -e "Checking if the platform has been setup..\n"
+
+## Retreive Cognito Details
+USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
+if [ -z $USER_POOL_ID ]; then
+ echo "No user pool found. Ensure the platform has been setup first."
+ exit 1
+fi
+
+##App client id
+IDENTITY_POOL_ID=$(aws cognito-identity list-identity-pools --max-results 20 | jq -r '.IdentityPools[] | select(.IdentityPoolName == "gurum_idp") | .IdentityPoolId')
+if [ -z $IDENTITY_POOL_ID ]; then
+ echo "No identity pool found. Ensure the platform has been setup first."
+ exit 1
+fi
+
+# MODIFY TRUST POLICY JSON
+MYDIR="$(dirname "$(which "$0")")"
+sed -i.bak "s/###REPLACEIDENTITYPOOLID###/$IDENTITY_POOL_ID/g" $MYDIR/group_trust_policy.json
+
+# USER CREATION
+echo "Enter a group name:"
+read GROUP_NAME
+
+## Create the IAM Role
+ROLE_NAME="gurum-$GROUP_NAME-role"
+ROLE_ARN=$(aws iam create-role \
+ --path '/gurum/groups/' \
+ --role-name $ROLE_NAME \
+ --assume-role-policy-document file://$MYDIR/group_trust_policy.json \
+ --description "Gurum Cognito Group Assume Role for $GROUP_NAME" \
+ --tags Key=gurum-groups,Value=$GROUP_NAME | jq -r '.Role.Arn')
+
+## Attach IAM role policy
+ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
+aws iam attach-role-policy \
+ --role-name $ROLE_NAME \
+ --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/gurum/gurum-group-policy"
+
+## Create the Cognito Group
+aws cognito-idp create-group \
+ --group-name $GROUP_NAME \
+ --user-pool-id $USER_POOL_ID \
+ --role-arn $ROLE_ARN > /dev/null
+
+echo -e "\n\nSuccess! Group created and mapped to an IAM role."
diff --git a/helpers/cognito_quick_user.sh b/helpers/cognito_quick_user.sh
index 43aba0a..cd66eac 100755
--- a/helpers/cognito_quick_user.sh
+++ b/helpers/cognito_quick_user.sh
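Review bot: `GROUP_NAME` comes straight from `read` and is used unquoted as the IAM role name, as the Cognito group name and as the `gurum-groups` tag value that GurumGroupPolicy later matches against `aws:PrincipalTag`, so a name containing a space or a comma splits the `--tags Key=gurum-groups,Value=$GROUP_NAME` shorthand and produces a role whose tag is not what the operator typed. Validate it before anything is created, `case "$GROUP_NAME" in ''|*[!A-Za-z0-9_-]*) echo "Group name may only contain letters, digits, '_' and '-'."; exit 1;; esac`, and quote every expansion (`"$ROLE_NAME"`, `"$GROUP_NAME"`, `"$MYDIR/..."`). The same applies to `[ -z $USER_POOL_ID ]` and `[ -z $IDENTITY_POOL_ID ]`: with an empty value the test collapses to `[ -z ]`, which only happens to be true, and with two matching pools it fails with "too many arguments" and the guard is skipped; `[ -z "$USER_POOL_ID" ]` handles both. There is also no rollback: `set -e` stops the script if `attach-role-policy` or `create-group` fails, leaving a role with no policy behind, so a failure message naming the role to delete would help the operator.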
@@ -4,14 +4,14 @@ set -e
 echo -e "Checking if the platform has been setup..\n"
 ## Retreive Cognito Details
-POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
-if [ -z $POOL_ID ]; then
+USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
+if [ -z $USER_POOL_ID ]; then
 echo "No user pool found. Ensure the platform has been setup first."
 exit 1
 fi
 ##App client id
-CLIENT_ID=$(aws cognito-idp list-user-pool-clients --user-pool-id $POOL_ID | jq -r '.UserPoolClients[] | select(.ClientName == "gurum-client") | .ClientId')
+CLIENT_ID=$(aws cognito-idp list-user-pool-clients --user-pool-id $USER_POOL_ID | jq -r '.UserPoolClients[] | select(.ClientName == "gurum-client") | .ClientId')
 if [ -z $CLIENT_ID ]; then
 echo "No client id found. Ensure the platform has been setup first."
 exit 1
@@ -21,21 +21,24 @@ fi
 echo "Enter a username:"
 read USERNAME
+echo "Enter a valid e-mail:"
+read EMAIL
+
 echo -e "\nEnter a password:"
 read -s PASSWORD
 ## Create the Cognito user
-aws cognito-idp sign-up --client-id $CLIENT_ID --username $USERNAME --password $PASSWORD > /dev/null
+aws cognito-idp sign-up --client-id $CLIENT_ID --username $USERNAME --password $PASSWORD --user-attributes Name="email",Value="$EMAIL" > /dev/null
 ## Assign cognito user to group
-GROUP_NAMES=$(aws cognito-idp list-groups --user-pool-id $POOL_ID | jq -r '.Groups | map(.GroupName) | join(" , ")')
+GROUP_NAMES=$(aws cognito-idp list-groups --user-pool-id $USER_POOL_ID | jq -r '.Groups | map(.GroupName) | join(" , ")')
 echo -e "\n\nEnter a group for the user (valid: $GROUP_NAMES):"
 read SELECTED_GROUP
-aws cognito-idp admin-add-user-to-group --username $USERNAME --user-pool-id $POOL_ID --group-name $SELECTED_GROUP
+aws cognito-idp admin-add-user-to-group --username $USERNAME --user-pool-id $USER_POOL_ID --group-name $SELECTED_GROUP
 ## Confirm the user account
-aws cognito-idp admin-confirm-sign-up --username $USERNAME --user-pool-id $POOL_ID
+aws cognito-idp admin-confirm-sign-up --username $USERNAME --user-pool-id $USER_POOL_ID
 echo -e "\n\nSuccess! Log-in with your chosen details."
diff --git a/helpers/group_trust_policy.json b/helpers/group_trust_policy.json
new file mode 100644
index 0000000..c0cd902
--- /dev/null
+++ b/helpers/group_trust_policy.json
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "cognito-identity.amazonaws.com"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "cognito-identity.amazonaws.com:aud": "###REPLACEIDENTITYPOOLID###"
+ }
+ }
+ }
+ ]
+}
From ec72dc068cd963d578d6790d01c3f5c2507d08aa Mon Sep 17 00:00:00 2001
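Review bot: The new `--user-attributes Name="email",Value="$EMAIL"` on the changed `sign-up` line stores the address but nothing marks it verified, and the `admin-confirm-sign-up` further down confirms the account without touching the attribute; if the pool uses e-mail for recovery or MFA delivery, either follow the confirmation with `aws cognito-idp admin-update-user-attributes --user-pool-id "$USER_POOL_ID" --username "$USERNAME" --user-attributes Name=email_verified,Value=true` (only appropriate because an operator typed the address), or say in the prompt that the address stays unverified. The same line still passes `--password $PASSWORD` on the command line, where it is visible to other local users through the process list for the duration of the call; quoting `"$USERNAME"`, `"$PASSWORD"`, `"$EMAIL"` and `"$SELECTED_GROUP"` at least stops word splitting, and supplying the request through `--cli-input-json` read from a file with restricted permissions keeps the password out of argv. `EMAIL` is also accepted without any shape check; a minimal `case "$EMAIL" in *@*.*) ;; *) echo "Invalid e-mail"; exit 1;; esac` catches the obvious typos before the user is created.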
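Review bot: The trust policy's only condition is the `cognito-identity.amazonaws.com:aud` match on the pool id, so every identity in that pool, including unauthenticated ones if the pool allows them (the template carries a CognitoUnAuthorizedRole, so it may), satisfies the Principal/Condition pair; the group role mapping is what keeps guests away from these roles, not the role itself. Add the standard second condition next to the `StringEquals` block, `"ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }`, so the role rejects unauthenticated sessions on its own. Since JSON cannot carry a comment, the placeholder contract (the `###REPLACEIDENTITYPOOLID###` token is substituted by helpers/cognito_quick_group.sh before use) belongs in a comment above the `sed` call in that script or in the helpers README.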
From: Karl Wallbom
Date: Wed, 1 Apr 2020 11:43:17 +0200
Subject: [PATCH 3/4] feat: changed name for variable placeholder
---
 helpers/cognito_quick_group.sh | 2 +-
 helpers/group_trust_policy.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/helpers/cognito_quick_group.sh b/helpers/cognito_quick_group.sh
index 2eac1b9..ff6f13e 100755
--- a/helpers/cognito_quick_group.sh
+++ b/helpers/cognito_quick_group.sh
@@ -19,7 +19,7 @@ fi
 # MODIFY TRUST POLICY JSON
 MYDIR="$(dirname "$(which "$0")")"
-sed -i.bak "s/###REPLACEIDENTITYPOOLID###/$IDENTITY_POOL_ID/g" $MYDIR/group_trust_policy.json
+sed -i.bak "s/###RESERVED_FOR_QUICK_GROUP_SCRIPT###/$IDENTITY_POOL_ID/g" $MYDIR/group_trust_policy.json
 # USER CREATION
 echo "Enter a group name:"
diff --git a/helpers/group_trust_policy.json b/helpers/group_trust_policy.json
index c0cd902..600b9d9 100644
--- a/helpers/group_trust_policy.json
+++ b/helpers/group_trust_policy.json
@@ -9,7 +9,7 @@
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringEquals": {
- "cognito-identity.amazonaws.com:aud": "###REPLACEIDENTITYPOOLID###"
+ "cognito-identity.amazonaws.com:aud": "###RESERVED_FOR_QUICK_GROUP_SCRIPT###"
 }
 }
 }
From d88af606e16120521faf2145035245a18c31558d Mon Sep 17 00:00:00 2001
From: Karl Wallbom
Date: Wed, 1 Apr 2020 11:58:12 +0200
Subject: [PATCH 4/4] feat: add temporary deployment file
---
 helpers/cognito_quick_group.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/helpers/cognito_quick_group.sh b/helpers/cognito_quick_group.sh
index ff6f13e..a6a23a2 100755
--- a/helpers/cognito_quick_group.sh
+++ b/helpers/cognito_quick_group.sh
@@ -19,7 +19,7 @@ fi
 # MODIFY TRUST POLICY JSON
 MYDIR="$(dirname "$(which "$0")")"
-sed -i.bak "s/###RESERVED_FOR_QUICK_GROUP_SCRIPT###/$IDENTITY_POOL_ID/g" $MYDIR/group_trust_policy.json
+sed "s/###RESERVED_FOR_QUICK_GROUP_SCRIPT###/$IDENTITY_POOL_ID/g" $MYDIR/group_trust_policy.json > $MYDIR/group_trust_policy.deploy
 # USER CREATION
 echo "Enter a group name:"
@@ -30,9 +30,10 @@ ROLE_NAME="gurum-$GROUP_NAME-role"
 ROLE_ARN=$(aws iam create-role \
 --path '/gurum/groups/' \
 --role-name $ROLE_NAME \
- --assume-role-policy-document file://$MYDIR/group_trust_policy.json \
+ --assume-role-policy-document file://$MYDIR/group_trust_policy.deploy \
 --description "Gurum Cognito Group Assume Role for $GROUP_NAME" \
 --tags Key=gurum-groups,Value=$GROUP_NAME | jq -r '.Role.Arn')
+rm $MYDIR/group_trust_policy.deploy # clean up temporary deploy file
 ## Attach IAM role policy
 ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
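Review bot: The rendered policy is still written to disk, and if `aws iam create-role` fails `set -e` exits before the `rm` on the last added line of hunk @@ -30, so `group_trust_policy.deploy` stays behind next to the script (in the checkout, if the helper is run from one) with the pool id baked in; hunk @@ -19 that creates the file shares the problem. The temporary file is not needed at all: hand the substitution to the CLI inline, `--assume-role-policy-document "$(sed "s/###RESERVED_FOR_QUICK_GROUP_SCRIPT###/$IDENTITY_POOL_ID/g" "$MYDIR/group_trust_policy.json")" \`, and drop both the redirect and the `rm`. If the file is kept, register `trap 'rm -f "$MYDIR/group_trust_policy.deploy"' EXIT` right after it is written so cleanup runs on every exit path, and quote `"$MYDIR"` in all three paths, since a directory name with a space currently splits the redirect target and the `file://` argument.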