Choose your framework/language

v5v6
Edit on GitHub

Page updated Jan 16, 2024

Set up user group management

You can create logical groups in Cognito User Pools and assign permissions to access resources in Amplify categories with the CLI, as well as define the relative precedence of one group to another. This can be useful for defining which users should be part of "Admins" vs "Editors", and if the users in a Group should be able to just write or write & read to a resource (AppSync, API Gateway, S3 bucket, etc). You can also use these with @auth Static Groups in the GraphQL Transformer. Precedence helps remove any ambiguity on permissions if a user is in multiple Groups.

Create user groups

1amplify add auth
1❯ Manual configuration
2

3Do you want to add User Pool Groups? (Use arrow keys)
4❯ Yes
5

6? Provide a name for your user pool group: Admins
7? Do you want to add another User Pool Group Yes
8? Provide a name for your user pool group: Editors
9? Do you want to add another User Pool Group No
10? Sort the user pool groups in order of preference …  (Use <shift>+<right/left> to change the order)
11  Admins
12  Editors

When asked as in the example above, you can press Shift on your keyboard along with the LEFT and RIGHT arrows to move a Group higher or lower in precedence. Once complete you can open amplify/backend/auth/userPoolGroups/user-pool-group-precedence.json to manually set the precedence.

Group access controls

For certain Amplify categories you can restrict access with CRUD (Create, Read, Update, and Delete) permissions, setting different access controls for authenticated users vs Guests (e.g. Authenticated users can read & write to S3 buckets while Guests can only read). You can further restrict this to apply different permissions conditionally depending on if a logged-in user is part of a specific User Pool Group.

1amplify add storage  # Select content
1? Restrict access by? (Use arrow keys)
2  Auth/Guest Users
3  Individual Groups
4❯ Both
5  Learn more
6

7Who should have access?
8❯ Auth and guest users
9

10What kind of access do you want for Authenticated users?
11❯ create/update, read
12

13What kind of access do you want for Guest users?
14❯ read
15

16Select groups:
17❯ Admins
18

19What kind of access do you want for Admins users?
20❯ create/update, read, delete

The above example uses a combination of permissions where users in the "Admins" Group have full access, "Guest" users can only read, and "Authenticated" users who are not a part of any group have create, update, and read access. Amplify will configure the corresponding IAM policy on your behalf. Advanced users can additionally set permissions by adding a customPolicies key to amplify/backend/auth/userPoolGroups/user-pool-group-precedence.json with custom IAM policy for a Group. This will attach an inline policy on the IAM role associated to this Group during deployment. Note this is an advanced feature and only suitable if you have an understanding of AWS resources. For instance perhaps you wanted users in the "Admins" group to have the ability to Create an S3 bucket:

1[
2  {
3    "groupName": "Admins",
4    "precedence": 1,
5    "customPolicies": [
6      {
7        "PolicyName": "admin-group-policy",
8        "PolicyDocument": {
9          "Version": "2012-10-17",
10          "Statement": [
11            {
12              "Sid": "statement1",
13              "Effect": "Allow",
14              "Action": ["s3:CreateBucket"],
15              "Resource": ["arn:aws:s3:::*"]
16            }
17          ]
18        }
19      }
20    ]
21  },
22  {
23    "groupName": "Editors",
24    "precedence": 2
25  }
26]
PREVIOUS
Set up admin actions
NEXT
Use an existing Cognito User Pool and Identity Pool
Site color mode

Amplify open source software, documentation and community are supported by Amazon Web Services.

© 2024, Amazon Web Services, Inc. and its affiliates.

All rights reserved. View the site terms and privacy policy.

Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.