Integration of cognito with verified permissions using authorization with token


I have created a custom attribute in Cognito and assigned a value to it. Coming to Verified Permissions, I created an identity source matching the Cognito user pool, but I'm facing an issue in policy creation when matching the custom attribute. This error is shown while creating the policy: An error occurred Error: Validation error on policy PkFszRqv4vLWWXUqVPe9VG at offset 98-132: Attribute not found in record or entity custom

2 Answers

@jai, If you have an attribute custom:abc and it's a part of the identity token, you can reference its value via principal.custom.abc in policies. Please let me know if you have any additional questions!

Maxim
answered 6 months ago

Take a look at the Cognito JWT Deep Dive workshop for an example (you can run this in your own AWS account to see it live).
2a: Token Generation shows custom attributes, and 5a: Amazon Verified Permissions dives deeper into the Amazon Verified Permissions integration.

The custom:user_id and custom:tenant_id attributes are used in the policy below:

permit (
  principal,
  action == JWTWorkshop::Action::"readObjects",
  resource in JWTWorkshop::S3Bucket::"${BUCKET_NAME}"
)
when { principal.token_use == "id" }
when { resource.tags.tenant == principal.custom.tenant_id }
when
{
  if
    resource.tags has owner
  then
    resource.tags.owner == principal.custom.user_id
  else
    true
};

Since strict validation with a schema was enabled, the CognitoUser used for the principal in the entityTypes includes custom as a Record with tenant_id and user_id attributes.

      "CognitoUser": {
        "memberOfTypes": ["CognitoUserPool"],
        "shape": {
          "type": "Record",
          "attributes": {
            "token_use": {
              "type": "String"
            },
            "jti": {
              "type": "String"
            },
            "custom": {
              "type": "Record",
              "attributes": {
                "tenant_id": {
                  "type": "String"
                },
                "user_id": {
                  "type": "String"
                },
                "tenant_admin": {
                  "type": "String"
                }
              }
            }
          }
        }
      }
AWS
answered 6 months ago
  • This error is shown while creating the policy: An error occurred Error: Validation error on policy PkFszRqv4vLWWXUqVPe9VG at offset 98-132: Attribute not found in record or entity custom

  • Updated the answer to reference the schema, which is likely the source of the validation error.

  • Yeah, it's fine. The problem was the structure of the custom attributes in the schema building. Can we implement Cognito groups for authorization purposes in Verified Permissions?
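As an added example (not code from the answer or the workshop), the following Python check reads a Cedar schema in the JSON form shown above and lists every principal.custom.<name> that a policy dereferences but the schema does not declare under a nested custom Record, which is the mismatch behind the "Attribute not found in record or entity custom" error in the question. The two schema fragments, the JWTWorkshop namespace and the shortened policy text are constructed for the demonstration.

```python
import json
import re

# Constructed schema fragments (not the workshop's files). GOOD_SCHEMA mirrors the
# nested layout in the answer above; BAD_SCHEMA declares the Cognito attributes
# under their flat "custom:..." names, so principal.custom.* has nothing to bind to.
GOOD_SCHEMA = json.loads("""{"JWTWorkshop": {"entityTypes": {
  "CognitoUserPool": {"shape": {"type": "Record", "attributes": {}}},
  "CognitoUser": {"memberOfTypes": ["CognitoUserPool"], "shape": {"type": "Record",
    "attributes": {"token_use": {"type": "String"},
      "custom": {"type": "Record", "attributes": {
        "tenant_id": {"type": "String"}, "user_id": {"type": "String"}}}}}}},
  "actions": {}}}""")

BAD_SCHEMA = json.loads("""{"JWTWorkshop": {"entityTypes": {
  "CognitoUserPool": {"shape": {"type": "Record", "attributes": {}}},
  "CognitoUser": {"memberOfTypes": ["CognitoUserPool"], "shape": {"type": "Record",
    "attributes": {"token_use": {"type": "String"},
      "custom:tenant_id": {"type": "String"}, "custom:user_id": {"type": "String"}}}}},
  "actions": {}}}""")

# The tenant/owner checks from the answer's policy, reduced to the attribute references.
POLICY = """permit (principal, action == JWTWorkshop::Action::"readObjects", resource)
when { principal.token_use == "id" }
when { resource.tags.tenant == principal.custom.tenant_id }
when { resource.tags.owner == principal.custom.user_id };"""

CUSTOM_REF = re.compile(r"principal\.custom\.([A-Za-z_]\w*)")

def declared_custom_attrs(schema, ns="JWTWorkshop", entity="CognitoUser"):
    """Attribute names under <entity>.custom when it is a Record; empty otherwise."""
    attrs = schema[ns]["entityTypes"][entity]["shape"]["attributes"]
    custom = attrs.get("custom")
    if not custom or custom.get("type") != "Record":
        return set()
    return set(custom.get("attributes", {}))

def referenced_custom_attrs(policy):
    """Every principal.custom.<name> the policy text dereferences."""
    return set(CUSTOM_REF.findall(policy))

def missing_custom_attrs(schema, policy):
    """Custom attributes the policy uses but the schema never declares (sorted)."""
    return sorted(referenced_custom_attrs(policy) - declared_custom_attrs(schema))

if __name__ == "__main__":
    print("nested custom record:", missing_custom_attrs(GOOD_SCHEMA, POLICY))
    print("flat custom:* names:", missing_custom_attrs(BAD_SCHEMA, POLICY))
```

Running it against the flat layout reports tenant_id and user_id as undeclared, while the nested layout reports nothing, which is the same distinction Verified Permissions draws when it validates the policy against the schema.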
