AWS 认知授权

Question

I have an application (node.js) that need an Authentication and authorization. My app need access to postgres database and also need a Inheritances (roles etc.)

One option to implement that is using the cognito service of aws (the app will host on aws properly - not sure about that)

so the questions is

1. Is cognito service support the authorization for node.js with database that is not services on aws? (I read that "identity pool" is for aws services like mariaDB)
2. If my app will be on heroku (not on aws), I will also be able to use with cognito services (for authorization )?
3. Is cognito support roles/users inheritances?

Tnx

Answer 1

Cognito identity pool is used for granting access to aws services. User pool is used to exchange user credentials for tokens which can contain additional information about the user once decoded. So yes, you can use user pool just for authentication. Your user attributes can contain information related to the services this user needs to access.

However, if you plan on storing database credentials, I suggest you use AWS secrets manager to store your DB credentials and grant the cognito user access to this secret. You'll need to use both user pool and identity pool in this case.

1. Not directly, but you can use it to access secrets manager where you db credentials are stored.
2. Yes you can use cognito anywhere. It will be connecting to AWS to grant you tokens however. And these tokens are only recognized on AWS. Which is why you need to use them to access other secrets that can be used to access whatever other services you want.
3. Cognito supports groups. I'm not sure if that's what you mean by inheritences. You can have token based roles with groups.