I would like to move an API from Django server on ec2 to serverless (AWS API gateway + Lambda) because of better scalability. I need authentication/authorization for this API against my Django user pool, but that would mean polling Django server because of auth.. and I am back where I was regarding scalability.
What would be my option to deal with it in a scalable (lambda like scalable) way?
I was thinking about creating Cognito user pool and duplicate users from Django there.
Is there a better option?
Related
I've built an application which is connected with Amazon Cognito to take the sign in and sign-ups of users. Currently, application support three different subscriptions (Free, Basic, Premium). If the user signs in for basic Subscriptions, I want to give them least access to DynamoDB for download the parts of applications which is required to run the application service.
How to connect DynamoDB with Cognito directly
I am not sure, what's the best approach to follow this scenario?
(Please note- this is not a mobile-based application, so do not give suggestion to use AWS Amplify or relatable services)
When I was first learning about Cognito, I had made the same set of assumptions you are currently making. I knew that User Pools could act as my application's user directory, and Identity Pools would magically unlock all my authorization needs. I was mistaken :)
At the risk of oversimplifying, AWS Cognito exists to answer two questions:
Who are you? (authentication)
What can you do? (authorization)
Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).
At a high level, User Pools let you handle user registration, authentication, account recovery, and supports authentication with third-party identity providers like Facebook, Google, etc. Sounds like you might have this part figured out.
Cognito Identity Pools, on the other hand, provides a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool. You can even allow item-level access to DynamoDB based on an Amazon Cognito ID. However, this might not work the way you expect since your application users are probably not directly connecting to DynamoDB.
In most web/mobile applications, users are not connecting directly to DynamoDB. Instead, they are interacting with a web/mobile app that communicates to the back-end of your application via an API. That API would then communicate with DynamoDB. If your stack is in AWS, the path may look something like this:
Client (web/mobile app) <-> API Gateway <-> Lambda <-> DynamoDB
In this architecture, your users would authenticate via Cognito. Cognito would then authorize the user to make calls to API Gateway. API Gateway would execute your lambda, which would then interact with DynamoDB. The "user" of DynamoDB in this example is your Lambda, not the user of your application.
That last bit is important, so I'll repeat it: Unless your users are directly connecting to DynamoDB (not recommended), they are not the "user" operating on DynamoDb. Therefore, restricting DynamoDB access based on a user's Cognito ID is not going to be an option for you.
So, what can you do? Your application needs to provide the business logic around what effect your users can have on DynamoDB. Perhaps free users have read-only access to a specific partition, while premium users can modify the same partition. That logic has to be handled directly by you.
I know you said you weren't looking for Amplify suggestions since your application is not mobile-based. However, Amplify offers SDKs that aren't specific to mobile development. The folks at Serverless have made a fantastic tutorial on building a full-stack serverless web app, which includes a very readable chapter on serverless auth with Cognito. They use Amplify in a web app to integrate with Cognito, S3, and API Gateway. If that's something you are trying to do, I'd recommend checking it out.
I have an app hosted in a DigitalOcean server that is only used by me. Now I would like to give access to some friends, so I need users authentication management.
I have read AWS Cognito is a good option however it is not clear to me if it is possible to implement only AWS Cognito to work in joint cooperation with other services or if I need to migrate all to AWS to be able to use Cognito. I’ve been looking for tutorials but all talk about using Cognito in addition to other AWS services.
The point is that I’m using a Postgres DB and looking at AWS prices it is expensive to me to migrate to AWS. In case it is to do what I would like, I really appreciate recommended lectures.
Thanks in advance.
I need users authentication management.
I have read AWS Cognito is a good option
Indeed the AWS Cognito is a good option for user authentication and authorization. If you have a web app, you may as well check out the AWS amplify framework for easier onboarding.
if it is possible to implement only AWS Cognito
You don't need to use any other AWS services or migrate your infrastructure. Your application can use Cognito indepently.
You can use Cognito even as a pure OAuth 2.0 based authentication and authorization service if you want to keep really independent.
all talk about using Cognito in addition to other AWS services
Cognito can provide its users session (temporary) aws credentials to use AWS services. You don't have to use the feature if you don't need to.
I am developing a react native mobile app and using server side API for managing user related data (backend). Currently I am using AWS cognito for supporting user signup/signin and all the user details are seems to be saved in AWS user pool.
I want to store auth token and user details on my server side, so that I can use this details to fetch user related data. So, I want the following approach to implement
Request:
Mobile App UI -> Server API (backend) -> AWS cognito
Response:
AWS cognito -> Server API (backend) -> Mobile App UI
Is this possible? If not what would be the best approach.
Quick Response
If you are running Springboot in an EC2 instance you can asign a role to that EC2 instance with enought permissions and get data directly from your server app as an Administrator, i mean, using the SDK you can call AWS API requests just with that role, so you can retrieve the user data for all your users.
Other options
I think AWs has some services that make it easy to have this approach.
You can use Amazon Cognito Identity Provider to get credentials for an user and directly in the app you can call for example dynamoDB queries (etc) or you can do AWS API Gateway requests that are executed if the requests have valid credentials, this way you can call Lambdas and make some proccesing. If you need more details you should send more info to know the target of your app and make a better recommendation. Regards,
I have an ASP.NET web api running on a Windows EC2 instance together with DynamoDB data layer. I've been looking for alternative choices on aws to secure my web api.
For that purpose, I read AWS STS and API Gateway docs. API Gateway is the first choice but I wouldn't like to use it because it forces me to learn node.js.
Cognito seems the best choice for me because it will also handle both mobil and web users. I know that Cognito also provide security on aws resources.
My question is:
Is it possible to secure Web APIs running on EC2 instances without using security tokens. Can cognito control all incoming API calls without need any additional security steps?
Thanks
I am building an SPA with Django REST as the backend. Right now I am using the standard Django authentication system and User models.
I would like the JS running on the SPA to be able to insert messages into an AWS SQS (i.e. sendMessage).
AWS has these doc on calling sendMessage from JS in the browser.
They also provide these docs on how to authenticate the user. My thought right now is to use Amazon Cognito. From the FAQ:
Q: What if I register and authenticate my own users?
Amazon Cognito can integrate with your existing identity system. With
a simple API call you can retrieve a Cognito ID for your end users
based on your own unique identifier for your users. Once you have
retrieved the Cognito ID and OpenID Token Cognito provides, you can
use the Cognito client SDK to access AWS resources and synchronize
user data.
Am I correct that for this to work, I would need to:
Create an IAM user for each user in my system. Or do I just need one IAM role?
When the user logins in my site (Django backend), I would have my backend then make "a simple API call [to] retrieve a Cognito ID"
Send that Cognito ID when the user loads the SPA.
User the Cognito ID from the JS running in the browser to call sendMessage to the SQS queue
Am I missing something here? Is there someway to remove the Django User backend and just user IAM Users so that I can avoid having to keep the two users lists in sync? I found this project but it does not seem to be maintained.
UPDATE:
It seems that there might be an alternative method of doing this where I don't use Cognito at all but rather expose an endpoint that can sign requests, "Query Request Authentication". This Heroku page talks a little about building a signing service.
Is this in fact an alternative option and if so what are the pro/cons of these approaches?
Amazon Cognito does not require you to register IAM users, just the 2 IAM roles. A slight modification to what you would need to do:
Create an Amazon Cognito Identity pool, configure with your developer provider.
Update the IAM roles associated with your pool to allow access to the services you want (for instance SQS).
From your Django backend, call GetOpenIdTokenForDeveloperIdentity to get the OpenId Connect token and identity Id for this user, return this to your JS application.
Configure your CognitoCredentials in the JS SDK. In the logins map, use the key cognito-identity.amazonaws.com and the value as the token returned from your Django backend.
Use the JS SDK to call SQS or any other services you wish from your application.
While using pre-signed URLs for SQS can work, using Cognito with the JS SDK will allow you to leverage other services supported by the SDK (DynamoDB, SNS, S3, etc).