AWS Cognito hooks from SDK - amazon-web-services

Depending on the user (which provider they come from and some other custom fields), I want to create different email templates for register/forgot password/change password/...
I know that this is possible with AWS Lambda hooks in AWS Cognito, but it is not a good solution in my case, because I have a lot of different templates.
Is it possible somehow to call some "hooks" or define that logic without Lambda?

Related

Is it possible to retrieve the Cognito verification code of a new user?

I've looked everywhere and couldn't find the answer.
I'm trying to create a user using adminCreateUser, which works.
But I would like to handle the email logic separately from Cognito. Is there a way to retrieve the verification code for that user so I can email it myself?
I've also tried looking at the signUp but I can't prevent emails through that.
You're in luck, as at some point in the last year Cognito released the custom email sender trigger.
No big announcement, no console support and, contrary to the CloudFormation documentation, it is supported there or through the CLI (or HTTP API for that matter).
You can use customEmailSender trigger (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html) — however, at this stage, it can be painful to integrate.
It does not have proper support in CloudFormation or any infrastructure-as-code services (Serverless issue, AWS CDK issue, etc.) — but it can be done through some custom resources in AWS CDK (see the linked issue).
Understandably, it is a matter of time before this can be done with high-level constructs through these services.

Authorizing access to specific resources

I'm trying to build a REST API using AWS API Gateway that calls into a bunch of Lambda functions.
I have now set up API Gateway to use a Cognito user pool as the authorizer, but all that's really doing is authenticating the user since I've attached the user pool to all the endpoints. I wasn't able to figure out how to specifically allow certain methods on certain endpoints.
For example, if my user is 123 and belongs to group ABC, I would only like them to be able to GET /users?group=ABC or PATCH /users/123.
Is it possible to achieve this level of control or do I need to implement those checks in the Lambda function that API Gateway calls?
I am developing a similar setup and I faced the exact same issue. My team could not find a solution to this, so we contacted an AWS solutions architect. Here is a summary of their approach to this problem.
Unfortunately, there are no default built-in solutions to this specific problem. However, you can use some alternative solutions.
It is possible to trigger Lambda functions during Cognito user pool workflows. You may use an extra Lambda function to authorize users by checking their user-group relationships.
Customizing User Pool Workflows with Lambda Triggers
You can use an API Gateway Lambda authorizer. In this case you will have to give up the Cognito integration and apply your custom authorization logic inside the authorizer Lambda.
Use API Gateway Lambda authorizers
You can implement the authorization logic inside the Lambda functions with an extra query by checking the user-group relationship. You can check the identity of the requesting (Cognito) user through requestContext.authorizer.claims.* in the Lambda event.
Hope this helps.
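The third option from the answer above (checking the caller inside the backend Lambda), as an added example that is not part of the original answer. It assumes a REST API with Lambda proxy integration behind a Cognito user pool authorizer, that the user's id is the `sub` claim, and that group membership arrives in the `cognito:groups` claim, which the REST API may deliver as a bracketed string such as `"[ABC DEF]"` rather than an array, so both forms are parsed. The two rules encode exactly the question's case: `GET /users?group=X` only for members of X, `PATCH /users/{id}` only for the user's own id, everything else denied.

```javascript
// Added example: per-endpoint authorization inside the backend Lambda, using the
// claims that API Gateway copies from the Cognito ID token into the proxy event.
// Assumptions (not stated in the answer): REST API + Lambda proxy integration with a
// Cognito user pool authorizer; user id = `sub` claim; groups = `cognito:groups` claim,
// possibly delivered as a bracketed string rather than an array.

function parseGroups(raw) {
  if (Array.isArray(raw)) return raw.map(String);
  if (typeof raw !== 'string') return [];
  // "[ABC DEF]" or "[ABC, DEF]" -> ["ABC", "DEF"]
  return raw.replace(/^\[|\]$/g, '').split(/[\s,]+/).filter(Boolean);
}

// Pure decision function: returns { allowed, reason } and never throws on odd input.
function authorize(event) {
  const ctx = (event && event.requestContext) || {};
  const claims = (ctx.authorizer && ctx.authorizer.claims) || null;
  if (!claims || !claims.sub) return { allowed: false, reason: 'no Cognito claims on request' };

  const groups = parseGroups(claims['cognito:groups']);
  const method = event.httpMethod;
  const resource = event.resource; // route template ("/users/{id}"), not the concrete path
  const query = event.queryStringParameters || {};
  const params = event.pathParameters || {};

  if (method === 'GET' && resource === '/users') {
    if (!query.group) return { allowed: false, reason: 'group filter is required' };
    return groups.includes(query.group)
      ? { allowed: true, reason: 'caller is a member of ' + query.group }
      : { allowed: false, reason: 'caller is not a member of ' + query.group };
  }
  if (method === 'PATCH' && resource === '/users/{id}') {
    return params.id === claims.sub
      ? { allowed: true, reason: 'caller owns the record' }
      : { allowed: false, reason: 'caller may only modify their own record' };
  }
  return { allowed: false, reason: 'no rule for ' + method + ' ' + resource }; // default deny
}

// Lambda entry point: the check runs before any business logic, and the response body
// does not echo the reason (it is logged for the operator instead).
async function handler(event) {
  const decision = authorize(event);
  if (!decision.allowed) {
    console.warn('authorization denied', { reason: decision.reason, method: event.httpMethod, resource: event.resource });
    return { statusCode: 403, body: JSON.stringify({ message: 'Forbidden' }) };
  }
  return { statusCode: 200, body: JSON.stringify({ ok: true }) };
}

// Constructed proxy event in the shape API Gateway sends (all values are made up).
function sampleEvent(method, resource, { sub = '123', groups = '[ABC]', pathParameters = null, queryStringParameters = null } = {}) {
  return {
    httpMethod: method,
    resource,
    pathParameters,
    queryStringParameters,
    requestContext: { authorizer: { claims: { sub, 'cognito:groups': groups } } },
  };
}

if (typeof module !== 'undefined') module.exports = { parseGroups, authorize, handler, sampleEvent };
```

Matching on `event.resource` rather than `event.path` keeps the rule table keyed by route template, so a caller cannot pick a differently encoded path to dodge a rule; keeping `authorize` pure makes the policy table unit-testable without deploying anything.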
Of course, yes, you can do it. This will help you. If you get stuck, ping me back.
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-custom-scopes-api-gateway/

Is there any way to hide AWS lambda code?

I want to publish my application and provide Lambdas to others, such that when exporting the Lambda package no one can get the Lambda code.
You should create an API Gateway which will connect the application to your Lambda code. Give that API endpoint URL to the others and they will call your Lambda function through that. This way they cannot know what's going on in your Lambda code.
The ideal way is to use API Gateway as the trigger for your Lambda and share that endpoint with the users.
However, if you don't want that, you should probably consider cross-account access with a cross-account role (give permission to execute just the Lambda you want to expose and set up the trust relationship). Let them assume this role and call this Lambda.

Serverless - Options for communicating between services?

I have a few different services (generated by the Serverless Framework) that need to communicate between each other. The data is sensitive and requires authentication.
My current strategy is to create an API key for each service and communicate between services using a JSON Web Token like the token below.
fM61kaav8l3y_aLC/3ZZF7nlQGyYJsZVpLLiux5d84UnAoHOqLPu4dw3W7MiGwPiyN
What are some other options for communicating between services? Are there any downsides to this approach? To reiterate, the request needs to be authenticated and appropriately handle sensitive data.
Do you need sync or async communication?
A good approach would be to use events, because aws-lambda is designed as an event based system. So you could use SNS or SQS to decouple your services.
If you just want to make calls from one service to another, you could invoke the Lambda function directly via the aws-sdk (see docs). So you would not add an API Gateway endpoint and your Lambdas would stay private.
To better answer your question, you should give a short overview of your application and an example of an inter-service call you would make.
As I understand it, you intend to make the various functions in a given service private. In doing so, each service will likely have a serverless.yml file that resembles the following:
[Image: serverless.yml setup for API keys used with a Serverless Framework REST API]
While this is a suitable approach, it is less desirable than using **Custom Authorizers**.
Custom Authorizers allow you to run an AWS Lambda Function before your targeted AWS Lambda Function. This is useful for Microservice Architectures or when you simply want to do some Authorization before running your business logic.
If you are familiar with the onEnter function when using ReactRouter, the logic among Custom Authorizers is similar.
Regarding implementation, since different services are leveraged to deploy various functions, consider deploying the function to AWS and noting the ARN of the Lambda function. Follow these links to see the appropriate setup for the custom authorizer.
[Images: serverless.yml for using custom authorizers that are not part of the service but are already deployed as Lambda functions]
The following GitHub project aws-node-auth0-custom-authorizers-api/frontend is a good example of how to implement Custom Authorizers when the authorizer function is in the same service as the private function. Note your situation differs slightly, yet you should expect their authorizer function logic to be similar - only the project structure should differ.

How should I use Cognito User Pool API inside Lambda function?

I have a Cognito User Pool. I know it can trigger Lambda functions, but I need the inverse. I need to create a user, and check if a user with a preferred username or alias exists, in my Lambda functions. Should I do it using the Cognito REST API, and if so, how is authentication performed? I could not find any similar implementations or examples on the web, and I wonder if I am going about it the wrong way.
The AWS SDK is available to use in your Lambda function. You would use the Cognito features in the SDK to perform the actions you have described.
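As an added example of what the answer describes (not code from the answer or from AWS), here is a Lambda that checks whether a `preferred_username` is already taken and otherwise creates the user. There is no separate login step: the SDK picks up the Lambda execution role's temporary credentials from the environment, so the role needs an IAM policy allowing `cognito-idp:ListUsers` and `cognito-idp:AdminCreateUser` on the pool. The SDK module (`@aws-sdk/client-cognito-identity-provider`, v3) is loaded lazily behind a two-method adapter so the decision logic runs offline against a constructed in-memory stand-in; `USER_POOL_ID` is a placeholder.

```javascript
// Added example: using the Cognito User Pool API from inside a Lambda function.
// Assumptions: Lambda execution role grants cognito-idp:ListUsers and
// cognito-idp:AdminCreateUser on this pool; the pool signs users in by email.
const USER_POOL_ID = process.env.USER_POOL_ID || 'us-east-1_PLACEHOLDER'; // placeholder pool id

// Adapter over the real AWS SDK v3 client, required only when actually used.
function cognitoFromSdk() {
  const sdk = require('@aws-sdk/client-cognito-identity-provider');
  const client = new sdk.CognitoIdentityProviderClient({});
  return {
    listUsers: (input) => client.send(new sdk.ListUsersCommand(input)),
    adminCreateUser: (input) => client.send(new sdk.AdminCreateUserCommand(input)),
  };
}

// ListUsers takes a filter expression string, so untrusted input must not be able to
// shape it. The permitted character set is a deliberate, conservative assumption.
function preferredUsernameFilter(value) {
  if (typeof value !== 'string' || !/^[A-Za-z0-9._@+-]{1,128}$/.test(value)) {
    throw new RangeError('preferred_username contains characters not allowed in a filter');
  }
  return 'preferred_username = "' + value + '"';
}

async function preferredUsernameTaken(cognito, value) {
  const out = await cognito.listUsers({ UserPoolId: USER_POOL_ID, Filter: preferredUsernameFilter(value), Limit: 1 });
  return (out.Users || []).length > 0;
}

// Creates the user unless the alias is in use. Returns a small result object rather
// than the raw SDK response so callers never echo internal details to clients.
async function createUserIfFree(cognito, { email, preferredUsername }) {
  if (await preferredUsernameTaken(cognito, preferredUsername)) {
    return { created: false, reason: 'preferred_username already in use' };
  }
  const out = await cognito.adminCreateUser({
    UserPoolId: USER_POOL_ID,
    Username: email, // assumes email is the sign-in name in this pool
    UserAttributes: [
      { Name: 'email', Value: email },
      { Name: 'email_verified', Value: 'true' },
      { Name: 'preferred_username', Value: preferredUsername },
    ],
    DesiredDeliveryMediums: ['EMAIL'], // Cognito delivers the temporary password
  });
  return { created: true, username: out.User && out.User.Username };
}

// Lambda entry point (API Gateway proxy shape assumed for the request body).
async function handler(event) {
  const body = typeof event.body === 'string' ? JSON.parse(event.body) : (event.body || {});
  try {
    const result = await createUserIfFree(cognitoFromSdk(), body);
    return { statusCode: result.created ? 201 : 409, body: JSON.stringify(result) };
  } catch (err) {
    if (err instanceof RangeError) return { statusCode: 400, body: JSON.stringify({ message: err.message }) };
    throw err; // let Lambda report SDK/IAM failures as errors
  }
}

// Constructed in-memory stand-in with the same two methods, for running this offline.
function fakeCognito(existing = []) {
  const users = existing.map((u) => ({ Username: u.email, Attributes: [{ Name: 'preferred_username', Value: u.preferredUsername }] }));
  return {
    listUsers: async ({ Filter }) => {
      const m = /^preferred_username = "(.*)"$/.exec(Filter);
      return { Users: users.filter((u) => u.Attributes.some((a) => a.Name === 'preferred_username' && a.Value === m[1])) };
    },
    adminCreateUser: async (input) => {
      users.push({ Username: input.Username, Attributes: input.UserAttributes });
      return { User: { Username: input.Username } };
    },
  };
}

if (typeof module !== 'undefined') module.exports = { preferredUsernameFilter, preferredUsernameTaken, createUserIfFree, handler, fakeCognito };
```

The list-then-create pair is not atomic, so two concurrent requests can both pass the check; if `preferred_username` is configured as an alias in the pool, Cognito itself rejects the second create, and the handler should treat that SDK error as a conflict rather than a server fault.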