I am building a multi-tenancy SaaS with AWS (Cognito, API Gateway, Amplify). I am planning to create API keys/secrets for my tenants and trying to figure out the whole process. However, I could find a clear document from AWS.
So I use custom-attribute-based multi-tenancy with Cognito. 2 questions here:
What is the best practice to manage API keys/secrets for each tenant? It seems I have to create the key pairs and store them in the database all by myself. I am wondering if there are some services that could help.
What is the best practice to verify the keys/secrets? For now, I guess I have to implement the customized authorizer myself to verify the keys.
For the first query, you can simply story API keys/secrets in the AWS SSM - System manager parameter store as secret text and whenever value is required simply call SSM parameter store api to get that value at runtime.
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html
Now for the second point, I believe you are not required to explicitly write logic to verify any API keys/secrets as if a user uses an incorrect key they will get invalid key/secret or unauthorized exception directly from API Gateway and Cognito service calls.
Related
I’m approaching AWS for the first time, and I’m trying to build an app using Amplify, API Gateway, Cognito, Lambda and Dynamo DB (I’m building some sort of a ToDo app).
I’ve learnt how to use lambda and dynamoDB without any authentication system and now I want to implement it.
I’ve already setup cognito, api gateway and lambda in order to access API with an IdToken, but what I’m not able to do is saving into dynamoDB the data of the user that called the API, as when I log the event inside CloudWatch I see that all the fields that refer to cognito are null (ex. “Context.identity” is null).
I need it so when an user want to see its data I’ll call the GET method which filters only that user’s data and retrieves it.
Anyone could please explain if this is the correct way to do it and what I’m missing, or if there’s an easier way to build this?
I'm trying to create an external API using AWS API Gateway that will give users access to data stored in multiple databases. The APIs will mostly be accessed through scripts rather than through a web UI.
Are there any AWS services I can use to manage user access to my API?
I've read a little bit about Amazon Cognito and OAuth 2 but at a glance it seems like those might be more targeted towards cases with a UI for users to interact with. Is there a way to create and manage API keys with AWS?
Thanks in advance for your help!
You can use API Gateway Lambda Authorizer to write your custom login integration. For example a lambda that check in one Database if the user:password (passed as authorization header) exists in table in DynamoDB or SQL.
I've built an application which is connected with Amazon Cognito to take the sign in and sign-ups of users. Currently, application support three different subscriptions (Free, Basic, Premium). If the user signs in for basic Subscriptions, I want to give them least access to DynamoDB for download the parts of applications which is required to run the application service.
How to connect DynamoDB with Cognito directly
I am not sure, what's the best approach to follow this scenario?
(Please note- this is not a mobile-based application, so do not give suggestion to use AWS Amplify or relatable services)
When I was first learning about Cognito, I had made the same set of assumptions you are currently making. I knew that User Pools could act as my application's user directory, and Identity Pools would magically unlock all my authorization needs. I was mistaken :)
At the risk of oversimplifying, AWS Cognito exists to answer two questions:
Who are you? (authentication)
What can you do? (authorization)
Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).
At a high level, User Pools let you handle user registration, authentication, account recovery, and supports authentication with third-party identity providers like Facebook, Google, etc. Sounds like you might have this part figured out.
Cognito Identity Pools, on the other hand, provides a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool. You can even allow item-level access to DynamoDB based on an Amazon Cognito ID. However, this might not work the way you expect since your application users are probably not directly connecting to DynamoDB.
In most web/mobile applications, users are not connecting directly to DynamoDB. Instead, they are interacting with a web/mobile app that communicates to the back-end of your application via an API. That API would then communicate with DynamoDB. If your stack is in AWS, the path may look something like this:
Client (web/mobile app) <-> API Gateway <-> Lambda <-> DynamoDB
In this architecture, your users would authenticate via Cognito. Cognito would then authorize the user to make calls to API Gateway. API Gateway would execute your lambda, which would then interact with DynamoDB. The "user" of DynamoDB in this example is your Lambda, not the user of your application.
That last bit is important, so I'll repeat it: Unless your users are directly connecting to DynamoDB (not recommended), they are not the "user" operating on DynamoDb. Therefore, restricting DynamoDB access based on a user's Cognito ID is not going to be an option for you.
So, what can you do? Your application needs to provide the business logic around what effect your users can have on DynamoDB. Perhaps free users have read-only access to a specific partition, while premium users can modify the same partition. That logic has to be handled directly by you.
I know you said you weren't looking for Amplify suggestions since your application is not mobile-based. However, Amplify offers SDKs that aren't specific to mobile development. The folks at Serverless have made a fantastic tutorial on building a full-stack serverless web app, which includes a very readable chapter on serverless auth with Cognito. They use Amplify in a web app to integrate with Cognito, S3, and API Gateway. If that's something you are trying to do, I'd recommend checking it out.
Currently I'm developing a Desktop C# based-app using the OAuth 2.0 protocol for authorization. So I'm getting the Client Access and the Refresh Token without any problem.
So, the OAuth 2.0 is saying that we need the Access-Token to retrieve the data from my services. However after reading the Amazon Documentation about it, I'm completely confused because they are using another way of doing it(Access-keys), Generating Access-Keys and temporary Keys and other ways.
Why do we need then the Access-Token?
Is there any another way of doing it, using the Access-Token and without having to deal with the amazon SDKs??
Thanks
You are right that, there are other ways of calling AWS services, i.e Access-keys etc. It is upto you on how you want to use Cognito. You can use it for either of the following:
Authentication only -> verify the user is indeed who they identify themselves to be. You can do this by simply checking whether Cognito provided tokens. After that you can ignore the tokens in your application and proceed with the normal way of accessing AWS resources.
The other option is Authorization -> this is more than just authentication. This is better suited in scenarios when not all users of your application have the same kind of privilege. Maybe some users can access data in a S3 bucket, while other users cannot, etc. For this purpose, you need to set up IAM Roles and policies and have your application to use the access tokens instead of keys. If you have another way of handling authorization, then don't go for Cognito one.
We want to provide our API services through the Gcloud Endpoints. Our customers have to generate an API key in order to integrate our API into their project.
Is there a way to generate the Gcloud api key via an interface? How can I assign rights for an api key via an Gcloud-API?
Unfortunately, GCP currently has no API for programmatic provisioning / access of API Keys.
As mentioned by Andrew, currently it’s not possible to create or manage API keys programmatic or using gcloud, but there’s a request to add this functionality, you can track the progress of this request or post your comments on it, but keep in mind that there's no ETA or guarantee that it will be implemented.