I would appreciate a guide that lightly touches on...
# guide
d
I would appreciate a guide that lightly touches on handling different levels of users. For example, admin, superuser, customer. I could see how this is maybe out of scope.
It's not a guide but I can write something. The idea is: Cognito identity pool maps the user identity based on user group in Cognito user pool, setting the IAM policy of that for the user identity. So you'll be able to write an IAM policy for each type of user. Also there is a way of creating an in-line policy when authenticating the user. I've used a mix of these approaches in serverless framework projects. And it works very well. Also it's possible to add policies to allow the user to interact with specific items in DynamoDB: like admins can write, normal users can only read specific primary keys, etc. I can try to create a demo of this in the next week. I can also write about multi-tenant applications using a mix of these approaches.
@Frank @thdxr
d
I would absolutely read that guide if you made it.
I know how to put users in a group using a post auth hook. Or at least I've done it once so I think I could do it again.
f
Hey @Gabriel Araújo, I was looking at ur PR and realized that I must have missed this thread earlier. Yeah, an example would be awesome. Btw, with this setup, is the IAM credentials mapped to the user pool group of the logged in user obtained on the frontend? (ie. the mapped IAM credentials has s3:* permission, the logged in user can upload files to S3 directly from the frontend right?)
g
Yep! It's the role you put in the group of the user pool. If the user has no group it defaults to authenticated, the one you put in the identity pool. And if it's not logged in it defaults to unauthenticated. Yes. It will be able to upload from the browser to S3 directly if the group/role can do it. I can try to build an example this week. I'll ping you later this week.
As well as call a specific endpoint. E.g. Users in admin group would be able to call /admin
f
Thanks @Gabriel Araújo! Even a raw snippet would work. And we can turn that into a doc/example.