My team has built a Serverless Web Application in AWS using Cognito User Pools for allowing users to register on the site and authenticate to it. We are now needing to move this application into a GovCloud (US) region, which does not support the Cognito Service.
1) Is it possible to host Cognito in another region and still use it to authenticate access to the API gateway inside a GovCloud region?
2) If no on #1, what is a good alternative that IS available in GovCloud regions for user sign-up and auth?
Just yesterday, May 13, 2020, Amazon announced Cognito availability in GovCloud:
https://aws.amazon.com/about-aws/whats-new/2020/05/amazon-cognito-is-now-available-in-the-aws-govcloud-us-west-region/
Not all the features of Cognito are available, such as Authorizers for API Gateway, so YMMV.
We are migrating an application from AWS to GCP. In AWS, we use the Cognito service for maintaining different types of users inside user pools (for example: SSO users have a different user pool, users with email and password are configured in a different user pool, and MFA users have a different user pool). In AWS Cognito, we also leverage certain functionalities like the app client ID and secret for generating JWT tokens, and an authorizer Lambda in a pre-sign-up trigger.
How can we achieve the above implementation in GCP?
Google Identity Platform looks like Amazon Cognito.
You can use Firebase Authentication as an equivalent of Amazon Cognito. This table provides a comparison between Amazon Cognito and Firebase Authentication.
I have two services, sitting in two separate regions on their own, that have the same authentication solution, with AWS Cognito, and each of those instances has the same identity provider federated into its user pool.
In front of the application, there is an API Gateway, that should grant access to the desired service.
The user could have the following scenario: he goes to authenticate in region1, gets his token, and then the API Gateway from region1 will permit his access based on it. Can this token be used to access a service in region2?
Assuming Cognito is configured in region1, if you set the Cognito pool from region1 as authorizer for the API Gateway in region2, that should allow this API Gateway to authenticate users in Cognito. It also works cross-account.
Hopefully the docs help: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
I am currently investigating the use of Federated Identities and from the many examples I have read, it seems to be a way to grant users temporary credentials to various AWS services. For my case, the API Gateway is all that the user will interact with, since the API server is the one making calls to other services like S3 and DynamoDB. I like how permissions are controlled using IAM, but I'm failing to see any other appeals of Federated Identities. User Pools itself already supports password/fb/google/etc sign in, the only downside I see with user pools is that I'll need to do the authorization manually in the API layer. Is there something else I am missing with Federated Identities? Is it worth it given my use of only API Gateways (externally).
It all depends on the way that you will secure your API Gateway endpoint.
If you secure your API using AWS IAM, you'll need a way to convert your authentication tokens into AWS IAM roles. For that scenario you can use AWS Cognito Idp (not the User Pool) or AWS Federated Identities. The difference is: using AWS IAM Federated Identities you will need to call AWS STS AssumeRoleWithWebIdentity in your frontend code. If you use AWS Cognito Idp this is done for you. (AWS strongly suggests that you use the Cognito Idp in that scenario.)
If you secure your API using AWS Cognito User Pools you don't need to use AWS Federated Identities. You can connect API Gateway directly to AWS Cognito and the service will enforce the controls for you. In that case you'll need to have a Cognito User Pool.
You also have a choice to use Custom Authorizers. In that scenario you will implement a lambda function that will evaluate your request and decide if it is authorized or not. In the same way, you won't need federated identities.
And finally you have API Key authorization, which you already mentioned is not applicable to your use case.
My question is about AWS Cognito security services: can AWS Cognito be used for any resources outside the AWS Cloud, e.g. an API developed and published on the Apigee API Gateway?
I searched through AWS documents and on Google.
I want to create SSO with AWS Cognito like SAML-based SSO federation where Resources/ Services can be anywhere.
Yes, you can. Kindly see the App Client option in Cognito.
However, Apigee also needs to have the capability to integrate.
I want to execute APIs hosted on AWS API Gateway using an identity I created from Cognito Federated Identities with a Cognito User Pool as the provider. Basically option 2 in this blog here: Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway.
Now I have the federated identity credentials but stuck on how to actually execute the API. There does not seem to be such an API in the AWS JS SDK for API gateway. Does that mean the only way to do this is to create the SigV4 myself & call it like any other HTTP API?
Any suggestions/easier solution?
Thanks.
Finally, I did this using the aws-sign-web library from https://github.com/danieljoos/aws-sign-web. It does the job.