I want to use Cognito for authentication and S3 to store files (images) for a new app (Ionic 3). But AWS isn't simple to use and as soon as I start doing something, I need to read another doc somewhere and end up with 15 tabs of documentation open. With twice as many questions.
Do I need a server (nodejs on EC2), lambda (??) or everything can be serverless (direct access to Cognito and s3)? I wish to implement a subscription system at some point.
The user should have access to a list of images (like an infographic) only if he is subscribed. The app is aimed to be deployed on Play store and iOS.
Does the user (mail/password) exist ?
Is he subscribed (monthly) ?
access to the database (read-only)
Based on the app features that you provided, you can use the following:
1. AWS Cognito for user authentication
2. AWS API Gateway and AWS Lambda for your backend REST (or GraphQL) API
3. AWS DynamoDB for database (or Amazon RDS if you want to use an SQL database)
4. AWS S3 for image storage
If your app is really basic, I think you can even skip 2 and 3.
I was wondering if anyone could advise the "best" way (I know that's subjective, but meaning "best" as in least amount of work/steps) to trigger sending an e-mail from Amazon AWS. The message body will contain dynamic variables/data from my app (Spring Boot), so I will have to wire that in somehow, and it should be triggered from within my application whenever it finishes processing some data, since my app reads .CSV data.
I cannot use JavaMail/Jakarta to send e-mail from within app as all Containers I have have blocked ports
Preferably using some type of AWS service since I'm already hosting this app on AWS ECS cluster
I would like to do it programmatically:
AWS provides Amazon Simple Email Service (SES) which is:
is an email platform that provides an easy, cost-effective way for you to send and receive email using your own email addresses and domains.
To use that, you would add SES permissions to your ECS tasks role. This way, you don't need to hard-code any AWS credentials into your application, as they will be automatically obtained by AWS SDK when interacting with SES.
AWS also provides AWS SDK for java. Using the SDK you can send emails using SES as shown in the example Send an email using the AWS SDK for Java.
If you want to send an email from a Spring Boot app, then use the Simple Email Service Java V2 API. There is an AWS Java V2 tutorial that shows how to build a Spring Boot app that uses various AWS services to analyze photos located in an Amazon S3 bucket. This app uses the SES Java V2 API to send a report that contains the details of the Amazon Rekognition service that analyzes the photos.
I'm trying to create an external API using AWS API Gateway that will give users access to data stored in multiple databases. The APIs will mostly be accessed through scripts rather than through a web UI.
Are there any AWS services I can use to manage user access to my API?
I've read a little bit about Amazon Cognito and OAuth 2 but at a glance it seems like those might be more targeted towards cases with a UI for users to interact with. Is there a way to create and manage API keys with AWS?
Thanks in advance for your help!
You can use an API Gateway Lambda Authorizer to write your custom login integration. For example, a Lambda that checks in a database whether the user:password (passed as the Authorization header) exists in a table in DynamoDB or SQL.
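A sketch of the authorizer described in this answer, as an added example that is not part of the original post. It assumes a REST API TOKEN authorizer carrying HTTP Basic credentials; the `USERS` dict is a constructed stand-in for the DynamoDB/SQL table and stores salted PBKDF2 hashes rather than passwords.

```python
import base64
import hashlib
import hmac

ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample record standing in for the DynamoDB/SQL user table.
# Only a salted hash is stored, never the password itself.
_SALT = b"constructed-salt"
USERS = {"script-user": {"salt": _SALT, "hash": _hash("correct horse", _SALT)}}
_DUMMY = {"salt": b"dummy-salt", "hash": bytes(32)}  # unknown users cost the same hash work


def _policy(principal: str, effect: str, method_arn: str) -> dict:
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }


def _parse_basic(header):
    """Return (user, password) from 'Basic <base64(user:password)>' or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    return (user, password) if sep and user else None


def handler(event, context=None):
    arn = event["methodArn"]
    creds = _parse_basic(event.get("authorizationToken"))
    if creds is None:
        return _policy("anonymous", "Deny", arn)
    user, password = creds
    record = USERS.get(user, _DUMMY)
    match = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    ok = match and user in USERS
    return _policy(user if ok else "anonymous", "Allow" if ok else "Deny", arn)
```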
I've built an application which is connected with Amazon Cognito to handle the sign-ins and sign-ups of users. Currently, the application supports three different subscriptions (Free, Basic, Premium). If the user signs in with a Basic subscription, I want to give them the least access to DynamoDB to download the parts of the application which are required to run the application service.
How to connect DynamoDB with Cognito directly
I am not sure, what's the best approach to follow this scenario?
(Please note- this is not a mobile-based application, so do not give suggestion to use AWS Amplify or relatable services)
When I was first learning about Cognito, I had made the same set of assumptions you are currently making. I knew that User Pools could act as my application's user directory, and Identity Pools would magically unlock all my authorization needs. I was mistaken :)
At the risk of oversimplifying, AWS Cognito exists to answer two questions:
Who are you? (authentication)
What can you do? (authorization)
Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).
At a high level, User Pools let you handle user registration, authentication, account recovery, and supports authentication with third-party identity providers like Facebook, Google, etc. Sounds like you might have this part figured out.
Cognito Identity Pools, on the other hand, provides a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool. You can even allow item-level access to DynamoDB based on an Amazon Cognito ID. However, this might not work the way you expect since your application users are probably not directly connecting to DynamoDB.
In most web/mobile applications, users are not connecting directly to DynamoDB. Instead, they are interacting with a web/mobile app that communicates to the back-end of your application via an API. That API would then communicate with DynamoDB. If your stack is in AWS, the path may look something like this:
Client (web/mobile app) <-> API Gateway <-> Lambda <-> DynamoDB
In this architecture, your users would authenticate via Cognito. Cognito would then authorize the user to make calls to API Gateway. API Gateway would execute your lambda, which would then interact with DynamoDB. The "user" of DynamoDB in this example is your Lambda, not the user of your application.
That last bit is important, so I'll repeat it: Unless your users are directly connecting to DynamoDB (not recommended), they are not the "user" operating on DynamoDb. Therefore, restricting DynamoDB access based on a user's Cognito ID is not going to be an option for you.
So, what can you do? Your application needs to provide the business logic around what effect your users can have on DynamoDB. Perhaps free users have read-only access to a specific partition, while premium users can modify the same partition. That logic has to be handled directly by you.
I know you said you weren't looking for Amplify suggestions since your application is not mobile-based. However, Amplify offers SDKs that aren't specific to mobile development. The folks at Serverless have made a fantastic tutorial on building a full-stack serverless web app, which includes a very readable chapter on serverless auth with Cognito. They use Amplify in a web app to integrate with Cognito, S3, and API Gateway. If that's something you are trying to do, I'd recommend checking it out.
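The point above, that the Lambda is the DynamoDB "user" and must enforce the subscription rules itself, as an added example that is not part of the original answer. It assumes a REST API with a Cognito user pool authorizer, tiers modelled as user pool groups (read from the `cognito:groups` claim), and an in-memory dict standing in for the table; `TIER_ACTIONS` and `PARTITION` are hypothetical names.

```python
import json

# Assumed tier-to-action mapping for the question's three plans (hypothetical).
TIER_ACTIONS = {"Free": {"read"}, "Basic": {"read"}, "Premium": {"read", "write"}}
METHOD_ACTION = {"GET": "read", "PUT": "write"}
PARTITION = "app-parts"  # hypothetical shared partition key
TABLE = {}               # in-memory stand-in for the DynamoDB table


def _tiers(claims: dict) -> list:
    """Tiers come from the verified token's cognito:groups claim only."""
    groups = claims.get("cognito:groups", [])
    if isinstance(groups, str):  # the gateway may flatten the list to a string
        groups = groups.strip("[]").replace(",", " ").split()
    return [g for g in groups if g in TIER_ACTIONS]


def _resp(status: int, body: dict) -> dict:
    return {"statusCode": status, "body": json.dumps(body)}


def handler(event, context=None):
    authorizer = event.get("requestContext", {}).get("authorizer") or {}
    claims = authorizer.get("claims") or {}
    if "sub" not in claims:
        return _resp(401, {"error": "unauthenticated"})
    action = METHOD_ACTION.get(event.get("httpMethod"))
    if action is None:
        return _resp(405, {"error": "method not allowed"})
    allowed = set().union(*(TIER_ACTIONS[t] for t in _tiers(claims)))
    if action not in allowed:
        return _resp(403, {"error": "subscription does not permit " + action})
    if action == "read":
        return _resp(200, {"item": TABLE.get(PARTITION)})
    try:
        data = json.loads(event.get("body") or "")["data"]
    except (ValueError, KeyError, TypeError):
        return _resp(400, {"error": "invalid JSON body"})
    # The request body never influences the tier; only the claims do.
    TABLE[PARTITION] = {"data": data, "updated_by": claims["sub"]}
    return _resp(200, {"item": TABLE[PARTITION]})
```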
Sorry for asking this kind of question, but I'm a bit lost here...
I have an app which consists of an Angular4 frontend and a Java app as backend.
But I'm planning to use AWS Lambda, as I got interested after seeing the videos from Amazon.
The issue is that I don't know how to get the best from AWS.
My Java app has a very time consuming task to process some images (which takes several seconds).
But I'm not sure if I can deploy all my app in Lambda, or if the idea is to use a EC2 server and then the specific task for the image processing in the lambda. Can anyone please shed some light here?
Also, can the frontend app be deployed in a Lambda, or again, is Lambda just for specific tasks?
EDIT:
The application flow would be:
The user in the Angular app uploads an image, the image goes to the backend server in Java and it's stored in (maybe) an AWS bucket. Then the Java app processes the image with ImageMagick and the result is stored in (maybe) another bucket.
So the question is: when do I need to use Lambda? Just to convert the image, or would the full backend (and maybe frontend) app be there?
I'm asking because I cannot find enough information about that...
First of all, you can deploy your Angular frontend to Amazon S3. You can also use AWS CloudFront to add custom domains and free SSL certificates from Amazon using Amazon Certificate Manager for your domain. For more details, refer to the article Deploying Angular/React Apps in AWS.
If you don't need to show the image processing results immediately in the frontend
For the image processing backend you can use AWS API Gateway and Lambda along with S3. The recommended flow is to use the API backend to get a signed URL, or AWS STS in Lambda (or use Cognito Federated Identities), to get temporary access to the Amazon S3 bucket and upload the image directly to S3 from the Angular app. For more details on this, refer to the article Upload files Securely to AWS S3 Directly from Browser.
Note: AWS recently released a JavaScript Library called AWS Amplify to simplify the implementation of the above tasks.
After uploading the image to S3, you can set up an event-driven workflow by using Amazon S3 triggers to invoke a Lambda function to perform the image processing and save the processed image back to S3 (if you need to store the result).
If you need to show the result immediately
Still use the previous approach up to the upload to S3 from the frontend, and then invoke an API Gateway Lambda function, passing the file path in S3, to process the image.
To understand the details of connecting both frontend and backend with AWS serverless technologies, refer to the article Full Stack Serverless Web Apps with AWS.
As a side note, you should be able to implement the required functionality with AWS Lambda without using AWS EC2.
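The S3-trigger step from this answer, as an added example that is not part of the original post: it shows how a Lambda can filter the notification event before doing any image work. The prefixes, extension list and size cap are assumptions, and `SAMPLE_EVENT` is constructed.

```python
import posixpath
from urllib.parse import unquote_plus

UPLOAD_PREFIX = "uploads/"      # assumed: the only prefix the browser may write to
OUTPUT_PREFIX = "processed/"    # assumed: where results are stored
ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
MAX_BYTES = 10 * 1024 * 1024    # assumed size cap


def plan_jobs(event: dict):
    """Return (jobs, skipped) for an S3 notification event."""
    jobs, skipped = [], []
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        obj = rec["s3"]["object"]
        key = unquote_plus(obj["key"])  # keys arrive URL-encoded, spaces as '+'
        ext = posixpath.splitext(key)[1].lower()
        if not key.startswith(UPLOAD_PREFIX):
            # Also covers OUTPUT_PREFIX: saving a result must not trigger new work.
            skipped.append((key, "outside upload prefix"))
        elif ext not in ALLOWED_EXT:
            skipped.append((key, "extension not allowed"))
        elif obj.get("size", 0) > MAX_BYTES:
            skipped.append((key, "too large"))
        else:
            dst = OUTPUT_PREFIX + key[len(UPLOAD_PREFIX):]
            jobs.append({"bucket": bucket, "src": key, "dst": dst})
    return jobs, skipped


def _rec(key, size, name="ObjectCreated:Put"):
    return {"eventName": name,
            "s3": {"bucket": {"name": "example-bucket"}, "object": {"key": key, "size": size}}}


# Constructed sample notification covering the accepted and rejected cases.
SAMPLE_EVENT = {"Records": [
    _rec("uploads/my+photo.PNG", 2048),
    _rec("processed/my+photo.PNG", 1024),
    _rec("uploads/notes.svg", 512),
    _rec("uploads/huge.jpg", MAX_BYTES + 1),
    _rec("uploads/old.jpg", 0, name="ObjectRemoved:Delete"),
]}
```

Scoping the bucket notification itself to the upload prefix gives the same loop protection at the configuration level; the check in code covers a misconfigured trigger.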
I have a rails 3.2 server, Android App, our own API and AWS Cognito. Our backend is using PostgreSQL. How do I save the datasets created in cognito sync to our database? Should I listen for the callback of cognito sync's success then save the data using our API? or should I use the aws-sdk at the rails server to get the dataset? I don't want the android app to talk directly to RDS and S3.
I think you could use Cognito Events for that: You can set up an Amazon Lambda function that will trigger every time a dataset is updated so you can implement your own logic there.
Cognito Streams would also work, and might be faster because it's async: it makes every dataset update be written to a Kinesis stream, and then you can make your backend consume from that stream.
Updated as above link was not working.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-events.html
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-streams.html
AWS AppSync simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources. AppSync is a managed service that uses GraphQL to make it easy for applications to get exactly the data they need.
If you're new to Amazon Cognito Sync, use AWS AppSync. Like Amazon Cognito Sync, AWS AppSync is a service for synchronizing application data across devices.
A single GraphQL API to deliver private and public data. Private data requires authenticated access using authorization mechanisms such as IAM, Amazon Cognito User Pools, and OIDC. Public data does not require authenticated access and is delivered through authorization mechanisms such as API Keys.
https://aws.amazon.com//appsync/
You can use aws-amplify to sync
https://aws-amplify.github.io/docs/js/api
https://forums.aws.amazon.com/message.jspa?messageID=918861
https://aws.amazon.com/blogs/mobile/using-multiple-authorization-types-with-aws-appsync-graphql-apis/
https://medium.com/open-graphql/authenticating-an-aws-appsync-graphql-api-with-auth0-48835691810a
https://hackernoon.com/aws-appsync-queries-and-mutations-with-lambda-2aee303c66b0