@Noam_Ross: Hello everyone! I’ve newly set up Pomerium for my organization as a secure layer in front of static site hosting, using AWS Cognito as our IDP. Great software. I’m trying to figure out the correct syntax for allowing access based on IDP claims (`cognito:groups`) under `routes:`. I think it is something like this, but it’s not quite right and the docs only show it under the deprecated top-level policy:
```yaml
routes:
  - from: https://nipah-bangladesh.secure.eha.io
    to: http://rclone
    policy:
      - allow:
          or:
            - allowed_idp_claims:
                cognito:groups:
                  - nipah-bangladesh
```
@Denis_Mishin: 1. check that you have groups in the IDP claims, by visiting a special `/.pomerium` route once you’re authenticated - https://nipah-bangladesh.secure.eha.io/.pomerium
2. there is a shortcut setting `allowed_groups`: https://www.pomerium.com/reference/#allowed-groups
@Noam_Ross: `allowed_groups` doesn’t apply to cognito groups (https://github.com/pomerium/pomerium/issues/494#issuecomment-889981594), but yes, I have the `"cognito:groups"` in my IDP claims. Now trying this, but it’s not currently working (in that my user has that group but I’m getting a 403 error still).
```yaml
routes:
  - from: https://nipah-bangladesh.secure.eha.io
    to: http://rclone
    policy:
      - allow:
          and:
            - "claim/cognito:groups":
                has: nipah-bangladesh
```
@Denis_Mishin: I don’t have Cognito set up to check for myself, but could you try this instead?
```yaml
routes:
  - from: https://nipah-bangladesh.secure.eha.io
    to: http://rclone
    allowed_idp_claims:
      cognito:groups:
        - nipah-bangladesh
```
@Caleb_Doxsey: `claim/cognito:groups` should be a string, not an object with `has:`
```yaml
and:
  - "claim/cognito:groups": nipah-bangladesh
```
https://github.com/pomerium/pomerium/issues/2851#issuecomment-1002714076
@Noam_Ross: That did it, @Caleb_Doxsey, thanks both!