Set up user group management
You can create logical groups in Cognito User Pools and assign permissions to access resources in Amplify categories with the CLI, as well as define the relative precedence of one group to another. This is useful for distinguishing, for example, which users belong to "Admins" vs "Editors", and whether the users in a Group should be able to write only or to both read and write a resource (AppSync, API Gateway, S3 bucket, etc.). You can also use these groups with @auth Static Groups in the GraphQL Transformer. Precedence removes any ambiguity about permissions when a user is in multiple Groups.
Create user groups
```bash
amplify add auth
```

```console
❯ Manual configuration

Do you want to add User Pool Groups? (Use arrow keys)
❯ Yes

? Provide a name for your user pool group: Admins
? Do you want to add another User Pool Group Yes
? Provide a name for your user pool group: Editors
? Do you want to add another User Pool Group No
? Sort the user pool groups in order of preference … (Use <shift>+<right/left> to change the order)
  Admins
  Editors
```
When asked as in the example above, press Shift on your keyboard along with the LEFT and RIGHT arrows to move a Group higher or lower in precedence. Once complete, you can open amplify/backend/auth/userPoolGroups/user-pool-group-precedence.json to set the precedence manually.
Group access controls
For certain Amplify categories you can restrict access with CRUD (Create, Read, Update, and Delete) permissions, setting different access controls for authenticated users vs Guests (e.g. authenticated users can read and write to S3 buckets while Guests can only read). You can further restrict this by applying different permissions conditionally depending on whether a logged-in user is part of a specific User Pool Group.
```bash
amplify add storage # Select content
```

```console
? Restrict access by? (Use arrow keys)
  Auth/Guest Users
  Individual Groups
❯ Both
  Learn more

Who should have access?
❯ Auth and guest users

What kind of access do you want for Authenticated users?
❯ create/update, read

What kind of access do you want for Guest users?
❯ read

Select groups:
❯ Admins

What kind of access do you want for Admins users?
❯ create/update, read, delete
```
The above example uses a combination of permissions where users in the "Admins" Group have full access, "Guest" users can only read, and "Authenticated" users who are not part of any group have create, update, and read access. Amplify will configure the corresponding IAM policy on your behalf. Advanced users can additionally set permissions by adding a customPolicies key to amplify/backend/auth/userPoolGroups/user-pool-group-precedence.json with a custom IAM policy for a Group. This attaches an inline policy to the IAM role associated with that Group during deployment. Note this is an advanced feature and only suitable if you understand AWS IAM resources and policies. For instance, suppose you wanted users in the "Admins" group to be able to create an S3 bucket:
```json
[
  {
    "groupName": "Admins",
    "precedence": 1,
    "customPolicies": [
      {
        "PolicyName": "admin-group-policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "statement1",
              "Effect": "Allow",
              "Action": ["s3:CreateBucket"],
              "Resource": ["arn:aws:s3:::*"]
            }
          ]
        }
      }
    ]
  },
  {
    "groupName": "Editors",
    "precedence": 2
  }
]
```
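Because customPolicies are attached verbatim to the Group's IAM role at deployment, it is worth linting the precedence file before `amplify push`. The script below is an added example, not part of the Amplify CLI or its documentation; it reads a constructed copy of user-pool-group-precedence.json and reports duplicate precedence values (which would make conflict resolution between Groups ambiguous), malformed PolicyDocument entries, and Allow statements whose Action or Resource is a wildcard. The thresholds for what counts as "too broad" are this example's own choice, not an Amplify rule.

```python
"""Lint an Amplify user-pool-group-precedence.json before deployment.

Added example (not Amplify CLI code). Checks:
  * every group has a distinct groupName and a distinct integer precedence,
  * every customPolicies entry carries a well-formed IAM PolicyDocument,
  * no Allow statement grants a wildcard action ("*" or "service:*")
    or a wildcard resource ("*").
"""
import json

# Constructed sample in the shape of
# amplify/backend/auth/userPoolGroups/user-pool-group-precedence.json
SAMPLE_PRECEDENCE_JSON = """
[
  {
    "groupName": "Admins",
    "precedence": 1,
    "customPolicies": [
      {
        "PolicyName": "admin-group-policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Sid": "statement1", "Effect": "Allow",
             "Action": ["s3:CreateBucket"], "Resource": ["arn:aws:s3:::*"]}
          ]
        }
      }
    ]
  },
  {
    "groupName": "Editors",
    "precedence": 2,
    "customPolicies": [
      {
        "PolicyName": "too-broad",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
          ]
        }
      }
    ]
  },
  {"groupName": "Viewers", "precedence": 2}
]
"""


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_precedence(groups):
    """Return human-readable findings for a parsed precedence file (empty = clean)."""
    findings = []
    seen_precedence = {}
    seen_names = set()
    for group in groups:
        name = group.get("groupName")
        if name in seen_names:
            findings.append(f"duplicate groupName {name!r}")
        seen_names.add(name)

        prec = group.get("precedence")
        if not isinstance(prec, int):
            findings.append(f"{name}: precedence must be an integer")
        elif prec in seen_precedence:
            findings.append(f"{name}: precedence {prec} already used by {seen_precedence[prec]}")
        else:
            seen_precedence[prec] = name

        for policy in group.get("customPolicies", []):
            pname = policy.get("PolicyName", "<unnamed>")
            doc = policy.get("PolicyDocument")
            if not isinstance(doc, dict) or "Statement" not in doc:
                findings.append(f"{name}/{pname}: PolicyDocument missing Statement")
                continue
            if doc.get("Version") != "2012-10-17":
                findings.append(f"{name}/{pname}: Version should be 2012-10-17")
            for stmt in _as_list(doc["Statement"]):
                if stmt.get("Effect") != "Allow":
                    continue  # only Allow statements widen the role's access
                for action in _as_list(stmt.get("Action")):
                    if action == "*" or action.endswith(":*"):
                        findings.append(f"{name}/{pname}: wildcard action {action!r}")
                for resource in _as_list(stmt.get("Resource")):
                    if resource == "*":
                        findings.append(f"{name}/{pname}: wildcard resource '*'")
    return findings


def lint_file_text(text):
    """Parse the JSON text of a precedence file and lint it."""
    return lint_precedence(json.loads(text))


if __name__ == "__main__":
    for finding in lint_file_text(SAMPLE_PRECEDENCE_JSON):
        print("WARN", finding)
```

Run against the constructed sample it reports three findings: the "Editors" policy grants `s3:*` on `*`, and "Viewers" reuses precedence 2. The "Admins" entry from the page passes, since `s3:CreateBucket` on `arn:aws:s3:::*` names a specific action and a scoped resource. To use it on a real project, replace the sample with `open(path).read()` of the file under amplify/backend/auth/userPoolGroups/.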