I’m approaching AWS for the first time, and I’m trying to build an app using Amplify, API Gateway, Cognito, Lambda and DynamoDB (I’m building some sort of a ToDo app).
I’ve learnt how to use Lambda and DynamoDB without any authentication system, and now I want to implement it.
I’ve already set up Cognito, API Gateway and Lambda in order to access the API with an IdToken, but what I’m not able to do is save into DynamoDB the data of the user that called the API, as when I log the event inside CloudWatch I see that all the fields that refer to Cognito are null (e.g. “context.identity” is null).
I need it so that when a user wants to see their data I’ll call the GET method, which filters only that user’s data and retrieves it.
Could anyone please explain if this is the correct way to do it and what I’m missing, or if there’s an easier way to build this?
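As an added illustration of the point raised in the question above (not code from any poster), here is a Lambda handler that takes the caller's identity from the verified Cognito claims instead of `context.identity`, and uses that `sub` as the DynamoDB partition key so a GET can only ever return the caller's own items and a POST cannot write under someone else's id. It assumes a REST API with a Cognito user pool authorizer (claims at `event.requestContext.authorizer.claims`) and a table named `Todos` keyed by `userId`/`todoId`; both names are assumptions.

```python
import json
from typing import Any, Dict, Optional


def caller_sub(event: Dict[str, Any]) -> Optional[str]:
    """Return the Cognito 'sub' claim of the caller, or None if it is absent.

    A REST API with a Cognito user pool authorizer places the verified ID-token
    claims at event.requestContext.authorizer.claims (assumed here); an HTTP API
    JWT authorizer nests them one level deeper under 'jwt'. The Lambda
    context.identity object stays empty for user pool authorizers.
    """
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    claims = authorizer.get("claims") or (authorizer.get("jwt") or {}).get("claims")
    sub = (claims or {}).get("sub")
    return sub if isinstance(sub, str) and sub else None


def get_todos(event: Dict[str, Any], table) -> Dict[str, Any]:
    """GET: query only the partition that belongs to the caller."""
    sub = caller_sub(event)
    if sub is None:
        return {"statusCode": 401, "body": json.dumps({"error": "no identity"})}
    resp = table.query(KeyConditionExpression="userId = :u",
                       ExpressionAttributeValues={":u": sub})
    return {"statusCode": 200, "body": json.dumps(resp.get("Items", []))}


def put_todo(event: Dict[str, Any], table) -> Dict[str, Any]:
    """POST: store the item under the caller's sub; any userId in the body is ignored."""
    sub = caller_sub(event)
    if sub is None:
        return {"statusCode": 401, "body": json.dumps({"error": "no identity"})}
    body = json.loads(event.get("body") or "{}")
    todo_id = str(body.get("todoId", "")).strip()
    if not todo_id:
        return {"statusCode": 400, "body": json.dumps({"error": "todoId required"})}
    item = {"userId": sub, "todoId": todo_id, "text": str(body.get("text", ""))}
    table.put_item(Item=item)
    return {"statusCode": 201, "body": json.dumps(item)}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    import boto3  # imported lazily so the functions above are testable offline
    table = boto3.resource("dynamodb").Table("Todos")  # table name is an assumption
    method = (event.get("httpMethod") or "").upper()
    if method == "GET":
        return get_todos(event, table)
    if method == "POST":
        return put_todo(event, table)
    return {"statusCode": 405, "body": json.dumps({"error": "method not allowed"})}
```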
Related
I am building a multi-tenancy SaaS with AWS (Cognito, API Gateway, Amplify). I am planning to create API keys/secrets for my tenants and trying to figure out the whole process. However, I could find a clear document from AWS.
So I use custom-attribute-based multi-tenancy with Cognito. 2 questions here:
What is the best practice to manage API keys/secrets for each tenant? It seems I have to create the key pairs and store them in the database all by myself. I am wondering if there are some services that could help.
What is the best practice to verify the keys/secrets? For now, I guess I have to implement the customized authorizer myself to verify the keys.
For the first query, you can simply store API keys/secrets in AWS SSM (Systems Manager Parameter Store) as secret text, and whenever the value is required, call the SSM Parameter Store API to get that value at runtime.
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html
Now for the second point, I believe you are not required to explicitly write logic to verify any API keys/secrets, as if a user uses an incorrect key they will get an invalid key/secret or unauthorized exception directly from the API Gateway and Cognito service calls.
I'm trying to create an external API using AWS API Gateway that will give users access to data stored in multiple databases. The APIs will mostly be accessed through scripts rather than through a web UI.
Are there any AWS services I can use to manage user access to my API?
I've read a little bit about Amazon Cognito and OAuth 2 but at a glance it seems like those might be more targeted towards cases with a UI for users to interact with. Is there a way to create and manage API keys with AWS?
Thanks in advance for your help!
You can use an API Gateway Lambda Authorizer to write your custom login integration. For example, a Lambda that checks in one database whether the user:password (passed as the authorization header) exists in a table in DynamoDB or SQL.
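To make the Lambda authorizer idea above concrete for the script-driven API keys the question asks about, here is an added example (not the answerer's code) of a TOKEN authorizer that looks up the SHA-256 fingerprint of the presented key, compares it in constant time, and returns an IAM policy scoped to the whole API stage so API Gateway's policy cache covers every route. The `ApiKeys` table, its `keyHash`/`tenantId`/`active` attributes and the `Bearer` scheme are assumptions.

```python
import hashlib
import hmac
from typing import Any, Callable, Dict, Optional


def key_fingerprint(api_key: str) -> str:
    """Only this digest is stored in the key table, never the raw key."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def bearer_token(header: Optional[str]) -> Optional[str]:
    """Extract the key from an 'Authorization: Bearer <key>' value; reject other schemes."""
    if not header:
        return None
    scheme, _, key = header.strip().partition(" ")
    return key.strip() if scheme.lower() == "bearer" and key.strip() else None


def api_wide_resource(method_arn: str) -> str:
    """Widen 'arn:...:apiId/stage/METHOD/path' to 'arn:...:apiId/stage/*' so the
    cached policy applies to every route of the stage, not only the first one hit."""
    parts = method_arn.split("/")
    return f"{parts[0]}/{parts[1]}/*"


def policy(principal_id: str, effect: str, resource: str, ctx: Dict[str, str]) -> Dict[str, Any]:
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Action": "execute-api:Invoke",
                                              "Effect": effect, "Resource": resource}]},
            "context": ctx}  # forwarded to the backend as $context.authorizer.*


def authorize(event: Dict[str, Any], lookup: Callable[[str], Optional[Dict[str, Any]]]) -> Dict[str, Any]:
    """TOKEN authorizer core: lookup(fingerprint) returns the stored record or None."""
    resource = api_wide_resource(event["methodArn"])
    deny = policy("anonymous", "Deny", resource, {})
    key = bearer_token(event.get("authorizationToken"))
    if key is None:
        return deny
    fp = key_fingerprint(key)
    record = lookup(fp) or {}
    # compare_digest keeps the final check constant-time regardless of how lookup works
    if not record.get("active") or not hmac.compare_digest(record.get("keyHash", ""), fp):
        return deny
    return policy(record["tenantId"], "Allow", resource, {"tenantId": record["tenantId"]})


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    import boto3  # imported lazily so the pure functions above run offline
    table = boto3.resource("dynamodb").Table("ApiKeys")  # table name is an assumption
    return authorize(event, lambda fp: table.get_item(Key={"keyHash": fp}).get("Item"))
```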
I am someone who is totally new to REST APIs, pardon the newbie-ish mistakes.
My requirement is:
The source database people want to send JSON data on an hourly basis to an API endpoint which I publish. I am not sure what all I need to build to make sure it happens seamlessly. My target is to receive the data, create CSV files and save them in AWS S3 for further downstream processing.
My plan is creating an AWS API Gateway endpoint which will accept POST requests, and whenever anyone sends data through POST, the API Gateway will trigger an AWS Lambda function which will run Python to parse the JSON data to CSV and store it in AWS S3. Is this thought valid? What am I missing out on? Are there best practices which need to be implemented?
This architecture seems to be what you wanna do.
You wanna make sure that your API is secured with a key or via Cognito (more complex) and that your Lambda has the IAM permissions needed in order to access your bucket.
This post will help you understand the Lambda blueprint that is triggered when an object is uploaded to S3. Just change the Lambda trigger and the Python code a little bit and you're done.
Yes, this is a simple, typical serverless stack and it works perfectly fine.
Additionally, you may also focus on the authentication on the API Gateway endpoint to make it secure.
I already have a heavy user table in an existing website, and the server isn't hosted in AWS.
I wanna use AWS Cognito for a mobile app of this site. So, I need to check my server first when logging in/signing in.
But many blogs and examples look like they are only for serverless services.
I saw Accessing Server-side Resources after Sign-in. But this accesses the server after getting a token.
I saw Adding a User Pool Lambda Trigger. But I'm not sure this can fit my case.
I know I need to test these things first.
But just I wanna get some advice in here first.
So, please give me advice.
Thanks.
You can do one thing: you can use Cognito in the application using the aws-sdk, which will do sign-in/sign-up.
Add a Cognito trigger to save data to a DynamoDB table, or you can send the data to your database as well.
Another case, if you like: you can add a trigger which will check in both Cognito and your login table for the user info and then allow the sign-in.
OR
You can import your user data to cognito.
I'm a first-timer with AWS and I'm a bit lost.
I would like to have a serverless stack using Cognito to handle authentication, DynamoDB, Lambda and CloudFront for exposing REST services.
I don't know exactly how to handle user data. For example, I would like to store the user's email and physical address. I've seen you can have that directly in Cognito; however, I would like to perform custom validation when these attributes are set/updated.
Can I do that easily with a trigger, letting the user have write access on their data?
Or should I restrict write access to these attributes and expose a REST service to update them manually in a Lambda?
I've also seen someone using a users table in DynamoDB to store some data; what are the advantages compared to using the identity pool directly?
Thanks,
You can easily store this kind of data (email, address) in Cognito user pools and validate the data using the PreSignUp Lambda trigger; more details.
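As an added example of the PreSignUp validation suggested above (not the answerer's code), this trigger validates the `email` and `address` attributes from `request.userAttributes` and rejects the sign-up by raising, which Cognito reports back to the client; the exact checks (a simple email shape, a bounded address without control characters) are assumptions to adapt.

```python
import re
from typing import Any, Dict, List

# A deliberately simple shape check; Cognito still verifies the address by sending a code.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_ADDRESS_LEN = 200  # assumed limit for the free-text 'address' attribute


def validate_attributes(attrs: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the attributes are acceptable."""
    problems: List[str] = []
    email = attrs.get("email", "")
    if not EMAIL_RE.match(email):
        problems.append("email: malformed")
    address = attrs.get("address", "")
    if not address.strip():
        problems.append("address: required")
    elif len(address) > MAX_ADDRESS_LEN:
        problems.append("address: too long")
    elif any(ord(c) < 32 for c in address):
        problems.append("address: control characters not allowed")
    return problems


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Cognito PreSignUp trigger: raise to reject the sign-up, return the event to accept it."""
    attrs = (event.get("request") or {}).get("userAttributes") or {}
    problems = validate_attributes(attrs)
    if problems:
        # The exception message is what the client sees as the sign-up error.
        raise ValueError("; ".join(problems))
    return event  # leave response.autoConfirmUser unset so normal verification still runs
```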
The advantage of using DynamoDB to store user data is that you will almost certainly hit a RequestLimitExceeded exception using Cognito as a primary data store. If you contact AWS support and explain what you are doing, they will up the Cognito API limit on your account - but that only temporarily solves the problem. Since Amazon doesn't publish what will trigger a RequestLimitExceeded error, you will eventually hit it again if your traffic increases.
Every time I have tried to use Cognito as the only source of user data I have run into this problem. So I end up storing user data in Dynamo or RDS.
If you don't have a lot of traffic, or if you aren't going to be querying the Cognito API often, then it might work for you.