Cognito Group Membership overriding app authRole policies
Before opening, please confirm:
- I have searched for duplicate or closed issues and discussions.
- I have read the guide for submitting bug reports.
- I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
JavaScript Framework
React
Amplify APIs
Authentication, Storage
Amplify Categories
auth, storage, api
Environment information
# Put output below this line
System:
OS: macOS 13.0.1
CPU: (8) x64 Apple M1
Memory: 83.38 MB / 16.00 GB
Shell: 5.8.1 - /bin/zsh
Binaries:
Node: 16.13.2 - ~/.nvm/versions/node/v16.13.2/bin/node
npm: 8.1.2 - ~/.nvm/versions/node/v16.13.2/bin/npm
Watchman: 2022.05.30.00 - /opt/homebrew/bin/watchman
Browsers:
Chrome: 107.0.5304.110
Firefox: 103.0.1
Safari: 16.1
npmPackages:
@ampproject/toolbox-optimizer: undefined ()
@babel/core: undefined ()
@babel/runtime: 7.15.4
@cypress/angular: 0.0.0-development
@cypress/mount-utils: 0.0.0-development
@cypress/react: 0.0.0-development
@cypress/react18: 0.0.0-development
@cypress/svelte: 0.0.0-development
@cypress/vue: 0.0.0-development
@cypress/vue2: 0.0.0-development
@edge-runtime/primitives: 2.0.0
@hapi/accept: undefined ()
@mantine/carousel: ^5.8.2 => 5.8.2
@mantine/core: ^5.8.2 => 5.8.2
@mantine/dropzone: ^5.8.2 => 5.8.2
@mantine/form: ^5.8.2 => 5.8.2
@mantine/hooks: ^5.8.2 => 5.8.2
@mantine/modals: ^5.8.2 => 5.8.2
@mantine/next: ^5.8.2 => 5.8.2
@mantine/notifications: ^5.8.2 => 5.8.2
@mantine/rte: ^5.8.2 => 5.8.2
@napi-rs/triples: undefined ()
@next/react-dev-overlay: undefined ()
@plaiceholder/next: ^2.5.0 => 2.5.0
@segment/ajv-human-errors: undefined ()
@stripe/stripe-js: ^1.38.1 => 1.38.1
@types/lodash-es: ^4.17.6 => 4.17.6
@types/micro-cors: ^0.1.2 => 0.1.2
@types/node: 18.0.3 => 18.0.3 (16.11.59, 14.18.29, 8.10.66)
@types/nodemailer: ^6.4.6 => 6.4.6
@types/qs: ^6.9.7 => 6.9.7
@types/react: 18.0.15 => 18.0.15
@types/react-dom: 18.0.6 => 18.0.6
@types/react-syntax-highlighter: ^15.5.5 => 15.5.5
@types/uuid: ^8.3.4 => 8.3.4
@vercel/nft: undefined ()
acorn: undefined ()
amazon-cognito-identity-js: ^5.2.10 => 5.2.10
amphtml-validator: undefined ()
anser: undefined ()
arg: undefined ()
assert: undefined ()
async-retry: undefined ()
async-sema: undefined ()
aws-amplify: ^4.3.32 => 4.3.36
aws-sdk: ^2.1178.0 => 2.1222.0
axios: ^0.27.2 => 0.27.2 (0.26.0)
babel-packages: undefined ()
browserify-zlib: undefined ()
browserslist: undefined ()
buffer: undefined ()
bytes: undefined ()
chalk: ^5.0.1 => undefined (2.4.2, 4.1.2, 5.0.1, )
cheerio: ^1.0.0-rc.12 => 1.0.0-rc.12
ci-info: undefined ()
cli-select: undefined ()
comment-json: undefined ()
compression: undefined ()
conf: undefined ()
constants-browserify: undefined ()
content-disposition: undefined ()
content-type: undefined ()
cookie: undefined ()
cookies-next: ^2.1.1 => 2.1.1
cross-spawn: undefined ()
crypto-browserify: undefined ()
css.escape: undefined ()
cssnano-simple: undefined ()
cypress: ^10.8.0 => 10.8.0
data-uri-to-buffer: undefined ()
dayjs: ^1.11.3 => 1.11.5
debug: undefined ()
devalue: undefined ()
devcert: ^1.2.2 => 1.2.2
domain-browser: undefined ()
edge-runtime: undefined ()
eslint: 8.19.0 => 8.19.0
eslint-config-next: ^13.0.3 => 13.0.3
events: undefined ()
express: ^4.18.1 => 4.18.1
faunadb: ^4.6.0 => 4.7.0
find-cache-dir: undefined ()
find-up: undefined ()
fresh: undefined ()
get-orientation: undefined ()
glob: undefined ()
gzip-size: undefined ()
http-proxy: undefined ()
https-browserify: undefined ()
icss-utils: undefined ()
ignore-loader: undefined ()
image-size: undefined ()
is-animated: undefined ()
is-docker: undefined ()
is-wsl: undefined ()
jest-worker: undefined ()
json5: undefined ()
jsonwebtoken: undefined ()
loader-utils: undefined ()
lodash-es: ^4.17.21 => 4.17.21
lodash.curry: undefined ()
lru-cache: undefined ()
micro: ^9.4.1 => 9.4.1
micro-cors: ^0.1.1 => 0.1.1
micromatch: undefined ()
mini-css-extract-plugin: undefined ()
nanoid: undefined ()
native-url: undefined ()
neo-async: undefined ()
next: ^13.0.3 => 13.0.3
next-pwa: ^5.6.0 => 5.6.0
node-fetch: undefined ()
node-html-parser: undefined ()
nodemailer: ^6.8.0 => 6.8.0
nodemon: ^2.0.19 => 2.0.20
ora: undefined ()
os-browserify: undefined ()
p-limit: undefined ()
path-browserify: undefined ()
plaiceholder: ^2.5.0 => 2.5.0
platform: undefined ()
playwright: ^1.27.1 => 1.27.1
postcss-flexbugs-fixes: undefined ()
postcss-modules-extract-imports: undefined ()
postcss-modules-local-by-default: undefined ()
postcss-modules-scope: undefined ()
postcss-modules-values: undefined ()
postcss-preset-env: undefined ()
postcss-safe-parser: undefined ()
postcss-scss: undefined ()
postcss-value-parser: undefined ()
process: undefined ()
punycode: undefined ()
qs: ^6.11.0 => 6.11.0 (6.5.3, 6.10.3)
querystring-es3: undefined ()
raw-body: undefined ()
react: 18.2.0 => 18.2.0 (18.1.0, 18.3.0-next-4bd245e9e-20221104)
react-device-detect: ^2.2.2 => 2.2.2
react-dom: 18.2.0 => 18.2.0 (18.3.0-next-4bd245e9e-20221104)
react-icons: ^4.4.0 => 4.4.0
react-image-file-resizer: ^0.4.8 => 0.4.8
react-intersection-observer: ^9.4.0 => 9.4.0
react-is: 18.2.0
react-markdown: ^8.0.3 => 8.0.3
react-refresh: 0.12.0
react-server-dom-webpack: undefined ()
react-syntax-highlighter: ^15.5.0 => 15.5.0
regenerator-runtime: 0.13.4
rehype-format: ^4.0.1 => 4.0.1
rehype-parse: ^8.0.4 => 8.0.4
rehype-remark: ^9.1.2 => 9.1.2
rehype-sanitize: ^5.0.1 => 5.0.1
rehype-stringify: ^9.0.3 => 9.0.3
remark: ^14.0.2 => 14.0.2
remark-gfm: ^3.0.1 => 3.0.1
remark-rehype: ^10.1.0 => 10.1.0
remark-stringify: ^10.0.2 => 10.0.2
rfs: ^9.0.6 => 9.0.6
sass: ^1.54.5 => 1.55.0
sass-loader: undefined ()
scheduler: undefined ()
schema-utils: undefined ()
semver: undefined ()
send: undefined ()
setimmediate: undefined ()
sharp: ^0.30.7 => 0.30.7
shell-quote: undefined ()
short-unique-id: ^4.4.4 => 4.4.4
slugify: ^1.6.5 => 1.6.5
source-map: undefined ()
stacktrace-parser: undefined ()
stream-browserify: undefined ()
stream-http: undefined ()
string-hash: undefined ()
string_decoder: undefined ()
strip-ansi: undefined ()
stripe: ^10.12.0-beta.1 => 10.12.0-beta.1
swr: ^1.3.0 => 1.3.0
swr-immutable: 0.0.1
swr-infinite: 0.0.1
tar: undefined ()
terser: undefined ()
text-table: undefined ()
timers-browserify: undefined ()
tty-browserify: undefined ()
typescript: 4.7.4 => 4.7.4
ua-parser-js: undefined ()
undici: undefined ()
unistore: undefined ()
util: undefined ()
uuid: ^8.3.2 => 8.3.2 (3.4.0, 3.3.2, 8.0.0)
vm-browserify: undefined ()
watchpack: undefined ()
web-vitals: undefined ()
webpack: undefined ()
webpack-sources: undefined ()
ws: undefined ()
yup: ^0.32.11 => 0.32.11
npmGlobalPackages:
@aws-amplify/cli: 9.1.0
corepack: 0.10.0
eslint: 8.15.0
expo-cli: 5.4.7
fauna-shell: 0.15.0
firebase-tools: 10.9.2
gatsby-cli: 4.5.2
ls: 0.2.1
netlify-cli: 10.8.0
npm: 8.1.2
react-devtools: 4.24.7
typescript: 4.7.4
vercel: 28.1.0
Describe the bug
Hi there,
I’ve built a React web app from scratch, using Amplify.
I’ve added Auth and S3 Storage.
The storage was configured during setup to allow auth (full CRUD) and un-auth (read-only) access.
I have implemented Admin actions.
There are two Cognito groups: Admins and Subscribers in the User Pool. Users will be in either group (not both) or in no group. My thought is to use Cognito Groups as User Roles in my app.
When an auth user is added to a Cognito group, the policies in the inline authRole policies (created by Amplify on app creation) no longer seem to apply, and I assume they are being overridden by the policies of the groupRoles (e.g. us-west-2_XXXXXX-subscribersGroupRole) created when adding/configuring Admin actions.
Those not in groups are unaffected.
It took me a while to figure this out, but to get things working for authRole users that have been added to groups, I manually created policies based on those attached to the app’s authRole role and added those to the subscribers groupRole. Users in Admin don’t need access to S3 Storage.
My questions are:
- Should I be using Cognito groups as user Roles in my app?
- Should group membership be overriding authRole permissions, or did I do something wrong?
- Is manually creating policies for the groupRoles the best way to do this?
Thanks.
Expected behavior
Frankly, I’m not sure if this is a bug or expected behavior, but my expected behavior (which could very well be wrong) is that the policies in the app’s authRole are not overridden completely when a user is added to a Cognito User Group.
If this is expected behavior, your confirmation would be appreciated.
Reproduction steps
- Create a React app
- Install and configure Amplify
- Add auth and storage
- Configure storage for auth and unAuth access
- Create two Cognito User Groups: Admins & Subscribers
- Create three users
- Add one to Admins, another to Subscribers, and leave the other in no group
- Add Admin Queries
- Implement a page that uses Storage.get to retrieve a URL for an existing S3 object and displays it on the screen.
- Notice how Storage.get results in a 403 for users in Cognito Groups.
Code Snippet
// Put your code below this line.
import { Storage } from 'aws-amplify';
// `url` here is the object key (resolved under the default "public/" level).
// The returned pre-signed URL is signed with the identity-pool credentials of the
// IAM role the caller was mapped to, so S3 evaluates that role's policy when the
// URL is fetched.
const imageURL = await Storage.get(url, { expires: 604799 });
Log output
// Put your logs below this line
403 Forbidden is the result of Storage operations when the user is a member of a Cognito User Group and no additional policies have been added to the applicable role.
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response
@kimfucious Happy to help. And yes, as long as you select the proper CRUD options, you should not need to modify the bucket access permissions further.
Thanks, @nadetastic, for the detailed and helpful response.
I could swear that I did choose “both” when setting up Admin Queries, but I can’t be completely sure.
Can I assume that if “both” is chosen and the proper CRUDs are applied, I would not need to further modify the permissions on the groupRoles?
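The behaviour reported in the issue and the fix discussed in the comments follow from how a Cognito identity pool picks an IAM role when the role mapping is "Choose role from token". The following is an added example, not code from the issue author or from the Amplify project: it models that role selection from the ID token's cognito:roles / cognito:preferred_role claims, then runs a minimal IAM Allow/Deny evaluation of s3:GetObject (what Storage.get ultimately asks S3) under the mapped role's policy. The bucket, account id, authRole ARN, object key, identity id and token claims are constructed; the authRole policy is modelled on the shape the Amplify CLI generates for full CRUD access rather than copied from a real stack, and the identity pool settings (Type: Token, AmbiguousRoleResolution: AuthenticatedRole) are assumed to match Amplify's defaults.

```javascript
// Added example (not from the issue or from Amplify). Models why a user who is
// placed in a Cognito group stops matching authRole's S3 policy, and why
// giving the group role its own S3 policy makes Storage.get work again.
// All ARNs, keys, identity ids and claims below are constructed.

const BUCKET_ARN = "arn:aws:s3:::example-amplify-bucket"; // assumed bucket
const AUTH_ROLE = "arn:aws:iam::123456789012:role/amplify-authRole"; // assumed
const SUBSCRIBERS_ROLE =
  "arn:aws:iam::123456789012:role/us-west-2_XXXXXX-subscribersGroupRole"; // name from the issue, account assumed
const SUB_VAR = "${cognito-identity.amazonaws.com:sub}"; // IAM policy variable, kept literal

// Modelled on the S3 statements Amplify's CLI attaches to authRole for
// create/update, read and delete access. Not copied from a real deployment.
const AUTH_ROLE_POLICY = [
  {
    Effect: "Allow",
    Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    Resource: [
      `${BUCKET_ARN}/public/*`,
      `${BUCKET_ARN}/protected/${SUB_VAR}/*`,
      `${BUCKET_ARN}/private/${SUB_VAR}/*`,
    ],
  },
  { Effect: "Allow", Action: ["s3:GetObject"], Resource: [`${BUCKET_ARN}/protected/*`] },
];

// Identity pool role mapping as assumed here (Amplify's defaults once group
// roles exist): pick the role from the token; fall back to authRole only when
// the token names several group roles and no preferred one.
const IDENTITY_POOL = {
  authenticatedRole: AUTH_ROLE,
  roleMappingType: "Token",
  ambiguousRoleResolution: "AuthenticatedRole",
};

// Cognito's documented rule for Type: Token role mappings.
function resolveRole(idTokenClaims, pool) {
  const preferred = idTokenClaims["cognito:preferred_role"];
  const roles = idTokenClaims["cognito:roles"] || [];
  if (preferred) return preferred; // group with the lowest precedence value wins
  if (roles.length === 1) return roles[0];
  if (roles.length > 1) {
    // several group roles, none preferred: AmbiguousRoleResolution decides
    return pool.ambiguousRoleResolution === "AuthenticatedRole" ? pool.authenticatedRole : null;
  }
  return pool.authenticatedRole; // no group-role claims at all: default authenticated role
}

// IAM-style wildcard matching: "*" matches any run, "?" one character.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow.
// Only Action and Resource are modelled; Condition blocks are not.
function isAllowed(policy, action, resource, identityId) {
  const expand = (s) => s.split(SUB_VAR).join(identityId);
  let allowed = false;
  for (const st of policy) {
    const actionHit = st.Action.some((a) => globToRegExp(a).test(action));
    const resourceHit = st.Resource.some((r) => globToRegExp(expand(r)).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Storage.get(key) signs a GetObject URL with the mapped role's credentials;
// S3 then evaluates that role's policy when the URL is fetched.
function simulateStorageGet(claims, pool, rolePolicies, key, identityId) {
  const role = resolveRole(claims, pool);
  const allowed =
    role !== null &&
    isAllowed(rolePolicies[role] || [], "s3:GetObject", `${BUCKET_ARN}/${key}`, identityId);
  return { role, allowed, httpStatus: allowed ? 200 : 403 };
}

function runScenarios() {
  const identityId = "us-west-2:11111111-2222-3333-4444-555555555555"; // constructed
  const key = "public/avatar.png"; // what Storage.get(key) resolves to at the default level
  const noGroupClaims = { sub: "user-a" }; // constructed ID token payload, user in no group
  const subscriberClaims = {
    sub: "user-b",
    "cognito:groups": ["Subscribers"],
    "cognito:roles": [SUBSCRIBERS_ROLE],
    "cognito:preferred_role": SUBSCRIBERS_ROLE,
  };
  const before = { [AUTH_ROLE]: AUTH_ROLE_POLICY, [SUBSCRIBERS_ROLE]: [] }; // fresh group role
  const after = { ...before, [SUBSCRIBERS_ROLE]: AUTH_ROLE_POLICY }; // copied policy / group access granted
  return {
    noGroup: simulateStorageGet(noGroupClaims, IDENTITY_POOL, before, key, identityId),
    subscriberBefore: simulateStorageGet(subscriberClaims, IDENTITY_POOL, before, key, identityId),
    subscriberAfter: simulateStorageGet(subscriberClaims, IDENTITY_POOL, after, key, identityId),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

To confirm the same thing against a live app, inspect the ID token payload returned by Auth.currentSession(): a cognito:preferred_role claim means the identity pool will hand out credentials for that role, not for authRole, and the credentials from Auth.currentCredentials() are what Storage.get signs with. Decoding the token client-side is a diagnostic only; the identity pool's role mapping is what actually decides. Note also that a group role is a least-privilege boundary: copying authRole's statements into the Subscribers role (or granting that group access in amplify update storage) gives subscribers exactly authRole's S3 reach, which is what the issue wants but should be a deliberate choice per group.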