tiny-cognito

0.0.11 • Public • Published

Tiny Cognito

Get AWS Cognito creds to use with aws4fetch

Mints unauthenticated creds for calling AWS resources.

import { AwsClient } from 'aws4fetch'
import cognitoAuth from 'tiny-cognito'

export default async function getAuth() {
  const creds = await cognitoAuth({
    COGNITO_REGION: 'us-east-1',
    IDENTITY_POOL_ID: 'us-east-1:1231311-8f1c-4978-b5e7-6ffdef08a4e9'
  })
  const aws = new AwsClient({
    accessKeyId: creds.AccessKeyId,
    secretAccessKey: creds.SecretKey,
    sessionToken: creds.SessionToken,
  })
  const data = await aws.fetch(`https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/${lambdaArn}/invocations`, {
    body: JSON.stringify({
      data: 'foo'
    }),
  }).then((d) => d.json())
  console.log('data', data)
}

Example IAM statement

See IdentityPoolUnauthenticatedRole Policies

IdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId: !Ref IdentityPool
    Roles:
      authenticated: !GetAtt IdentityPoolAuthenticatedRole.Arn
      unauthenticated: !GetAtt IdentityPoolUnauthenticatedRole.Arn
IdentityPoolAuthenticatedRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Principal:
          Federated: ['cognito-identity.amazonaws.com']
        Action:
        - sts:AssumeRoleWithWebIdentity
        Condition:
          'ForAnyValue:StringLike':
            'cognito-identity.amazonaws.com:amr': 'authenticated'
    Path: "/"
    Policies:
      - PolicyName: "CognitoUnAuthorizedPolicy"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          # Allow Only logged in access to ping AWS Lambda function from client
          - Effect: Allow
            Action:
            - lambda:InvokeFunction
            Resource:
            - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:authed-function-name
IdentityPoolUnauthenticatedRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Principal:
          Federated: ['cognito-identity.amazonaws.com']
        Action:
        - sts:AssumeRoleWithWebIdentity
        Condition:
          'ForAnyValue:StringLike':
            'cognito-identity.amazonaws.com:amr': 'unauthenticated'
    Path: "/"
    Policies:
      - PolicyName: "CognitoUnAuthorizedPolicy"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          #################################################################################
          # Warning do not open yourself up to bad things. Scope IAM roles properly
          #################################################################################
          # Allow unauthed access to ping AWS Lambda function from client
          - Effect: Allow
            Action:
            - lambda:InvokeFunction
            Resource:
            - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:your-function-name
          # Allow unauthed access to ping AWS pinpoint from client
          - Effect: Allow
            Action:
            - mobiletargeting:PutEvents
            Resource:
            - !Sub arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/12313113112121212112121/*

Security warning

Make sure your IAM permissions are scoped as tightly as possible (E.g. avoid *)

Use at own risk ✌️

Readme

Keywords

none

Package Sidebar

Install

npm i tiny-cognito

Weekly Downloads

12

Version

0.0.11

License

ISC

Unpacked Size

51.8 kB

Total Files

13

Last publish

Collaborators

  • davidwells