Name:
interface
Value:
Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Page updated May 3, 2024

User groups

Amplify Auth provides a mechanism that allows you to group users. Assigning users to groups enable you to customize access for a collection of users, or leverage for auditing purposes. For example, only "ADMINS" users are permitted to delete posts from a bulletin, or only "EDITORS" are permitted to modify posts in a "draft" state. To get started with groups, configure the groups property:

amplify/auth/resource.ts
import { defineAuth } from "@aws-amplify/backend"
export const auth = defineAuth({
loginWith: {
email: true,
},
groups: ["ADMINS", "EDITORS"],
})

Note: There are a few limitations with groups, including a limit of 10,000 groups per user pool.

Defining access

Amplify resources enable you to define access for groups using common language. For example, you can use allow.groups in data:

amplify/data/resource.ts
import { type ClientSchema, a, defineData } from "@aws-amplify/backend"
const schema = a.schema({
Article: a.model({}).authorization(allow => [
allow.groups(["EDITORS"]).to(["read", "update"])
])
})
// ...

Or in storage:

amplify/storage/articles/resource.ts
import { defineStorage } from "@aws-amplify/backend"
export const storage = defineStorage({
name: "articles",
access: (allow) => ({
"drafts/*": [allow.groups(["EDITORS"]).to(["read", "write"])],
}),
})

By defining access with groups, Amplify configures authorization rules to read from the current user's groups. User pool groups are available as a claim in the user's ID token and access token as cognito:groups. Requests can be made to secure resources using the access token and validated against this claim to permit action on the resource.

Group roles

Each Cognito user pool group is assigned an IAM role. IAM roles can be modified to extend access to other AWS resources. Roles can be accessed from your backend on the role property of your group:

amplify/backend.ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
/**
* @see https://docs.amplify.aws/react/build-a-backend/ to add storage, functions, and more
*/
const backend = defineBackend({
auth,
data,
});
const { groups } = backend.auth.resources
// https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.IRole.html
groups["ADMINS"].role

Next steps