Create a Cognito Identity Pool


From @mjbf0748 on Wed Apr 04 2018 19:39:55 GMT+0000 (UTC)

I have completed most of it. I want to fix this authentication issue before
I continue. If Amplify may help fix this error, I will go over the update.
What do you think?

On Wed, Apr 4, 2018 at 3:36 PM Jay V wrote:

@mjbf0748 It depends how far along you are.
If you are almost done, I’d say complete it and then go over the update.
Most of the structure is the same with Amplify. It just makes some parts



From @jayair on Wed Apr 04 2018 21:27:50 GMT+0000 (UTC)

@mjbf0748 The Amplify update does authentication slightly differently. So it might be worth trying it.


From @19bharatvikram on Mon Apr 09 2018 10:48:38 GMT+0000 (UTC)

Hi Jay,

I have 2 users and, as per our application design, they can see their own notes only. But now I want to enable user1 to view/edit the notes of user2 but not delete them.

Is it possible to do that? If yes, how?

Bharat Chand


From @jayair on Mon Apr 09 2018 17:50:15 GMT+0000 (UTC)

@19bharatvikram There are lots of ways to do this. Currently, we get notes using a user id and note id pair. To allow users to access other users’ notes, you’d need to store your notes under a different index. Maybe just store it under note id. But you’ll need to separately track which user has access to which set of notes.


From @19bharatvikram on Mon Apr 09 2018 18:09:32 GMT+0000 (UTC)

Hi Jay,

Thanks for your quick response. I understand that I’ll need an index column, say noteId, for that. I just wanted to know more about how I can keep track of which users have access to which set of notes. Any pseudo code, sample IAM role/policy, or reference link/doc will help.

Thanks again,
Bharat Chand


From @jayair on Mon Apr 09 2018 18:46:50 GMT+0000 (UTC)

@19bharatvikram Hmmm, you could use an IAM role if your user groups are not dynamic. Say, for example, you had an admin group and a regular users group that had different sets of permissions. Then you could create roles for them. But if the relationships are dynamic then it might be trickier.



I think the security model here is a bit inconsistent, and because of that, if the app gets bigger it can become hard to make it really secure. Why?

you use 2 roles:

  1. lambda execution role
  2. authenticated user role

Suppose you want to list a bucket with users’ files in a Lambda function. For that you need to update the Lambda execution role by adding the listObjects permission for S3. But because there is no user context in the Lambda execution role, you need to give access to the whole bucket, and by that you are opening a door for other users to see all the pictures.

To fix it you should use the ‘Invoke with caller credentials’ option in API Gateway; this way your Lambda will be executed with the user’s role. (And of course the duplication will be removed too.)
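Added example, not code from the guide or from either commenter: a Node.js handler for a method that uses AWS_IAM authorization. API Gateway then supplies the caller’s Cognito identity id in `event.requestContext.identity.cognitoIdentityId`, and the handler uses it as the S3 key prefix, so a bucket-wide `ListBucket` grant on the execution role is narrowed in code to one user’s files, and a request with no identity is refused rather than listing everything. The bucket name, the `private/<identityId>/` key layout and the fake S3 client are constructed for the example.

```javascript
// Constructed placeholder bucket name.
const BUCKET = "notes-uploads-example";

// Returns the caller's Cognito identity id, or throws if it is absent so
// that a misconfigured (non-AWS_IAM) method can never fall through to an
// unscoped listing.
function callerIdentity(event) {
  const id = event && event.requestContext && event.requestContext.identity
    && event.requestContext.identity.cognitoIdentityId;
  if (!id) throw new Error("missing Cognito identity: method must use AWS_IAM authorization");
  return id;
}

// Builds ListObjectsV2 parameters limited to the caller's own prefix.
// Assumed key layout: private/<identityId>/<file>, i.e. the same prefix the
// identity pool's authenticated-role policy scopes with
// ${cognito-identity.amazonaws.com:sub}.
function listParamsFor(event) {
  const identityId = callerIdentity(event);
  return { Bucket: BUCKET, Prefix: `private/${identityId}/` };
}

// Lambda handler. The S3 client is injected so the example runs offline;
// in a real function you would pass `new AWS.S3()`.
async function handler(event, s3) {
  let params;
  try {
    params = listParamsFor(event);
  } catch (err) {
    return { statusCode: 403, body: JSON.stringify({ error: err.message }) };
  }
  const result = await s3.listObjectsV2(params).promise();
  const keys = (result.Contents || []).map((o) => o.Key);
  return { statusCode: 200, body: JSON.stringify({ keys }) };
}

// Constructed fake bucket contents for two different users.
const FAKE_OBJECTS = [
  "private/us-east-1:aaaa-1111/photo1.jpg",
  "private/us-east-1:aaaa-1111/photo2.jpg",
  "private/us-east-1:bbbb-2222/secret.jpg",
];

// Fake S3 client honouring the Prefix parameter, like the real service.
const fakeS3 = {
  listObjectsV2: (params) => ({
    promise: async () => ({
      Contents: FAKE_OBJECTS.filter((k) => k.startsWith(params.Prefix)).map((k) => ({ Key: k })),
    }),
  }),
};

// Demo: an authenticated call from user aaaa-1111 sees only its own two keys.
function demo() {
  const event = { requestContext: { identity: { cognitoIdentityId: "us-east-1:aaaa-1111" } } };
  return handler(event, fakeS3);
}

demo().then((r) => console.log(r.body));
```

The execution role still needs `s3:ListBucket` on the bucket, as the comment says; the point of the example is that the user context is available to the function anyway, so the code (and the identity pool policy for direct client access) can enforce the per-user boundary.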


I don’t think the Invoke with caller credentials option works that way. You can find some threads on this with more detail.

This setting tells API Gateway to invoke the Lambda with the user’s role but it does not execute the Lambda with that role. You still need to supply the Lambda execution role.

We’ve tested this to confirm the behavior but maybe we are doing something wrong. If you have a working example where the Lambda executes with the user’s role as opposed to the Lambda execution role, I’d love to see it.


I was thrown off on setting YOUR_API_GATEWAY_ID. Only after going through the debugging did I realize that I’d put the string descriptor of the app and not the (never explicitly defined in the AWS console =P) gateway ID.

I see that you called out the general format of this above the policy, but I wonder if maybe underneath the policy you might call out, in a table, the configuration variables that need to be changed and an example of the format of each variable.
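Added example, not part of the guide: a check to run over the filled-in authenticated-role policy before pasting it into IAM, catching exactly the mistake described above. It flags any `YOUR_...` placeholder that was left in, any `execute-api` resource whose ARN does not have the region/account/api-id/path shape the guide’s policy uses, and an api-id field that does not look like a REST API id. The api-id regex (10 lowercase alphanumeric characters) and the region regex are assumptions based on commonly seen ids; the sample policies are constructed.

```javascript
// Placeholders the guide asks the reader to replace.
const PLACEHOLDER = /YOUR_[A-Z_]+/;

// arn:aws:execute-api:<region>:<account or *>:<api-id>/<stage>/<METHOD>/<path>
// Region and api-id patterns are assumptions, not taken from the guide.
const EXECUTE_API_ARN = /^arn:aws:execute-api:([a-z]{2}(?:-[a-z]+)+-\d):(\*|\d{12}):([^/]+)\/(.*)$/;
const API_ID = /^[a-z0-9]{10}$/;

// Returns a list of human-readable problems; an empty list means the policy
// passed every check. Only execute-api resources are inspected.
function checkPolicy(policyJson) {
  let policy;
  try {
    policy = JSON.parse(policyJson);
  } catch (e) {
    return [`policy is not valid JSON: ${e.message}`];
  }
  const problems = [];
  const statements = [].concat(policy.Statement || []);
  statements.forEach((stmt, i) => {
    [].concat(stmt.Resource || []).forEach((res) => {
      if (PLACEHOLDER.test(res)) {
        problems.push(`statement ${i}: placeholder left in resource ${res}`);
        return;
      }
      if (!res.startsWith("arn:aws:execute-api:")) return;
      const m = EXECUTE_API_ARN.exec(res);
      if (!m) {
        problems.push(`statement ${i}: malformed execute-api ARN ${res}`);
        return;
      }
      if (!API_ID.test(m[3])) {
        problems.push(`statement ${i}: "${m[3]}" does not look like an API Gateway REST API id`);
      }
    });
  });
  return problems;
}

// Builds a policy in the shape of the guide's authenticated-role policy
// with the given execute-api resource (helper for the constructed samples).
function samplePolicy(resource) {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: ["execute-api:Invoke"], Resource: [resource] },
    ],
  });
}

// Constructed samples: untouched placeholders, the app name pasted in place
// of the gateway id, and a correctly filled-in ARN.
const WITH_PLACEHOLDERS = samplePolicy("arn:aws:execute-api:YOUR_API_GATEWAY_REGION:*:YOUR_API_GATEWAY_ID/*");
const WITH_APP_NAME = samplePolicy("arn:aws:execute-api:us-east-1:*:notes-app-api/*");
const CORRECT = samplePolicy("arn:aws:execute-api:us-east-1:*:a1b2c3d4e5/*");

function demo() {
  return {
    placeholders: checkPolicy(WITH_PLACEHOLDERS),
    appName: checkPolicy(WITH_APP_NAME),
    correct: checkPolicy(CORRECT),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```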


Oh. Was this part not helpful?


Yeah, for whatever reason I just kinda read past that. I almost wonder if maybe it would have been better, at least for me, coming after the code block, or maybe as a table. I dunno, one guy’s feedback.


I see. Thanks for the feedback!