Using attributes for access control with Amazon Cognito identity pools - Amazon Cognito

Before you can use attributes for access control, ensure that you meet the following prerequisites:

To use attributes for access control, the Claim that you select as the data source supplies the value of the Tag Key that you choose. Amazon Cognito applies that tag key and value to your user's session. Your IAM policies can then evaluate the user's access with the ${aws:PrincipalTag/tagkey} condition key, and IAM compares the value of the user's tag against the policy.

You must prepare IAM roles whose credentials you want to pass to your users. The trust policy of these roles must permit Amazon Cognito to assume the role for your user. For attributes for access control, you must also allow Amazon Cognito to apply principal tags to your user's temporary session. Grant permission to assume the role with the action AssumeRoleWithWebIdentity. Grant permission to tag users' sessions with the permission-only action sts:TagSession. For more information, see Passing session tags in AWS Security Token Service in the AWS Identity and Access Management User Guide. For an example trust policy that grants sts:AssumeRoleWithWebIdentity and sts:TagSession permissions to the Amazon Cognito service principal cognito-identity.amazonaws.com, see Using attributes for access control policy example.

To configure attributes for access control in the console
  1. Sign in to the Amazon Cognito console and select Identity pools. Select an identity pool.

  2. Choose the User access tab.

  3. Locate Identity providers. Choose the identity provider that you want to edit. If you want to add a new IdP, select Add identity provider.

  4. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, choose Edit in Attributes for access control.

    1. To apply no principal tags, choose Inactive.

    2. To apply principal tags based on sub and aud claims, choose Use default mappings.

    3. To create your own custom mapping of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.

  5. Select Save changes.
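The same configuration expressed as a CloudFormation template, added here as an example and not taken from this page or from AWS's own samples: a custom mapping that sources a department tag from a custom user pool claim, and a role whose trust policy grants cognito-identity.amazonaws.com both sts:AssumeRoleWithWebIdentity and sts:TagSession, scoped to one identity pool and to authenticated users. The identity pool ID, the user pool provider name, the custom:department claim and the bucket name are placeholders.

```yaml
# Added example; all IDs and names below are placeholders, not real resources.
Resources:
  DepartmentTagMapping:
    Type: AWS::Cognito::IdentityPoolPrincipalTag
    Properties:
      IdentityPoolId: "us-east-1:EXAMPLE-IDENTITY-POOL-ID"
      # Provider name of the user pool attached to the identity pool (placeholder)
      IdentityProviderName: "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
      UseDefaults: false            # custom mappings instead of the sub/aud defaults
      PrincipalTags:
        department: "custom:department"   # Tag key <- Claim
        username: "sub"
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRoleWithWebIdentity
              - sts:TagSession       # required so Cognito can apply principal tags
            Condition:
              StringEquals:
                # Only this identity pool may assume the role
                "cognito-identity.amazonaws.com:aud": "us-east-1:EXAMPLE-IDENTITY-POOL-ID"
              ForAnyValue:StringLike:
                # Only authenticated identities, never unauthenticated guests
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: DepartmentScopedS3
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # IAM substitutes the session tag into the resource and condition,
              # so each user only reaches the prefix matching their department claim.
              - Effect: Allow
                Action: s3:ListBucket
                Resource: "arn:aws:s3:::example-bucket"
                Condition:
                  StringLike:
                    "s3:prefix": "${aws:PrincipalTag/department}/*"
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: "arn:aws:s3:::example-bucket/${aws:PrincipalTag/department}/*"
```

Attaching the role to the identity pool (the role mapping done on the User access tab) is a separate step and is not shown here.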