Infrastructure as Code with AWS Cognito, Federated Identity, and Serverless
How to Use AWS Cognito with Serverless Framework
Amazon Cognito provides user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. It can scale up to millions of users and support sign-in with federated identities such as Google, Facebook, Apple Id, Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.
When the same resource has to be configured more than once, there is a real chance of making a mistake or ending up with inconsistent configuration. Infrastructure as Code (IaC) solves this. Serverless Framework is an IaC tool: we write the definition of the cloud resources once, and the framework provisions them on our behalf.
With the Serverless Framework we can develop, deploy, troubleshoot, and secure our serverless applications with radically less overhead and cost. The framework consists of an open-source CLI and a hosted dashboard; together they provide full serverless application lifecycle management.
Before proceeding, there are a few prerequisites you need to meet.
Prerequisites
- You must have Node.js and npm installed on your machine. (Install)
- You must have the Serverless Framework installed on your machine. (Install)
Code Repository
Clone the Git repository from here, then run the command below from the cloned folder.
npm install
Simple Architecture
In this architecture, the application first sends its request to Amazon Cognito. Cognito authenticates users either against the Cognito User Pool or through the federated identity provider, Google. Cognito then triggers the Custom Verification Email Lambda function to send the custom verification email. Once the user is verified, Cognito triggers the Confirm Signup User Lambda function, which stores user data such as user ID, user name, email, and creation date and time in DynamoDB, purely as a record.
Step — 1
Go to the Google API console and get a client ID and client secret for Google sign-in. To do that, refer to my Medium post below, Step — 1 only.
Pay particular attention to the Authorized JavaScript origins and Authorized redirect URIs.
Authorized JavaScript origins: https://yourDomainPrefix.auth.region.amazoncognito.com
Authorized redirect URIs: https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse
Here, yourDomainPrefix is a Cognito domain that you will add to the config file.
Now, get Google Client ID and Google Client Secret from the Google Cloud console and store them in notepad for future use.
Step — 2
Go to Parameter Store in AWS Systems Manager and create two parameters.
For the client ID, the parameter name should be as below, and the type must be String:
/stack-stage/cognito/federated-identity/google/client-id
For the client secret, the parameter name should be as below, and the type must also be String:
/stack-stage/cognito/federated-identity/google/client-secret
The parameter type is String because Cognito federated identity does not support the ssm-secure dynamic reference pattern. More Details.
Step — 3
Rename the config.stage.json file according to your stage.
Here, the callback URL and logout URL are given without https://, e.g., xyz.com
Step — 4(Optional)
As I told you in the architecture explanation, Cognito will trigger the Custom Verification Email Lambda function to send custom verification emails to your users. Here I have used a simple email template written in plain HTML, but of course you can create your own template and styling according to your requirements.
In the above code, replace email_message with your own email template and change email_subject according to your requirements, if you want.
Be careful: your own template must still contain the {name}, {email}, and {link} placeholders. To understand how they are used, look at the above code carefully.
Step — 5
To deploy the serverless framework on AWS, run the below command from the root of that repository.
serverless deploy
The above command deploys the stack in the us-east-1 region with the stack stage dev. To deploy to a specific region with a specific stack stage, run the command below, replacing the region and stack stage values.
serverless deploy --region <aws-region> --stage <stack-stage>
Step — 6
Once the entire stack has deployed successfully, a file named output-stack.yml is created in the root folder. That file contains all the important links, such as Cognito sign-in, Cognito sign-up, User Pool domain, etc.
Those are all the outputs you need in your front-end.
For any query, contact me on LinkedIn or via my portfolio.
LinkedIn: https://www.linkedin.com/in/parth-trambadiya/
Portfolio: https://parthtrambadiya.me