Infrastructure as Code with AWS Cognito, Federated Identity, and Serverless

How to Use AWS Cognito with Serverless Framework

Parth Trambadiya
Enlear Academy


Amazon Cognito provides user sign-up, sign-in, and access control for your web and mobile apps quickly and easily. It scales to millions of users and supports sign-in with federated identity providers such as Google, Facebook, Apple ID, and Amazon, as well as enterprise identity providers via SAML 2.0 and OpenID Connect.

When we configure the same resource more than once by hand, there is a real chance of making a mistake or ending up with an inconsistent configuration. Infrastructure as Code (IaC) solves this problem: the configuration is written once as code and reproduced exactly on every deployment. The Serverless Framework is an IaC tool; we describe the cloud resources in code and the framework provisions them on our behalf.

With the Serverless Framework we can develop, deploy, troubleshoot, and secure serverless applications with far less overhead and cost. It consists of an open-source CLI and a hosted dashboard; together they provide full serverless application lifecycle management.

Before proceeding, there are a few prerequisites you need to meet.

Prerequisites

  • You must have Node.js and npm installed on your machine.
  • You must have the Serverless Framework installed on your machine.

Code Repository

Clone the Git repository from here, and run the command below.

npm install

Simple Architecture


In this architecture, the application first sends its authentication request to Amazon Cognito. Cognito authenticates the user either against the Cognito User Pool or through the federated identity provider, Google. Cognito then invokes the Custom Verification Email Lambda function to send a custom verification email. Once the user is verified, Cognito triggers the Confirm Signup User Lambda function, which stores user data such as User ID, User Name, Email, and Created Date and Time in DynamoDB, just for the record.

Step — 1

Go to the Google API console and get a client ID and client secret for Google Sign-In. To do that, refer to my Medium post linked below, step 1 only.

Pay particular attention to the Authorized JavaScript origins and Authorized redirect URIs.

Authorized JavaScript origins: https://yourDomainPrefix.auth.region.amazoncognito.com

Authorized redirect URIs: https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse

Here, yourDomainPrefix is the Cognito domain prefix that you will add to the config file.

Now, take the Google Client ID and Google Client Secret from the Google Cloud console and keep them for use in the next step.

Step — 2

Go to Parameter Store in AWS Systems Manager and create two parameters.

For the Client ID, the parameter name should be as below, and the Type must be String:

/stack-stage/cognito/federated-identity/google/client-id

For the Client Secret, the parameter name should be as below, and the Type must also be String:

/stack-stage/cognito/federated-identity/google/client-secret

Here, the parameter type is String because Cognito Federated Identity does not support the ssm-secure dynamic reference pattern. More details. Note that a String parameter is stored unencrypted, so the client secret is readable by any principal allowed ssm:GetParameter on that path; restrict access to it with IAM.

Step — 3

Edit the config.stage.json file and rename it according to your stage.

Here, the Callback URL and Logout URL are given without https://, e.g., xyz.com.

Step — 4 (Optional)

As mentioned in the architecture explanation, Cognito triggers the Custom Verification Email Lambda function to send custom verification emails to your users. Here I have used a simple email template written in plain HTML, but of course you can create your own template and styling according to your requirements.

In the above code, change email_message to your own email template and email_subject according to your requirements, if you want.

Be careful: your own template must still contain the {name}, {email}, and {link} placeholders; look at the above code carefully to see how they are filled in.
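As an added example, not code from the post's repository, here is a Node.js Cognito CustomMessage trigger that fills the {name}, {email} and {link} placeholders described above. The template text is constructed for this example, and it assumes the user pool verifies by link (so Cognito supplies event.request.linkParameter) and has a name attribute.

```javascript
// Added example (not the repository's code): a Cognito CustomMessage
// trigger that fills the {name}, {email} and {link} placeholders from
// the post. Assumes link-based verification (Cognito then supplies
// event.request.linkParameter) and a "name" attribute on the pool.
// The template below is constructed for this example.
const EMAIL_SUBJECT = "Verify your email address";
const EMAIL_MESSAGE = [
  "<html><body>",
  "<p>Hi {name},</p>",
  "<p>Please verify the address {email} by clicking the link below.</p>",
  "<p>{link}</p>",
  "</body></html>",
].join("");

// User attributes are user-controlled input that ends up inside HTML,
// so escape them before interpolation to prevent HTML injection.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Function replacers keep "$" sequences in user data literal. The link
// value is Cognito's own placeholder (e.g. "{##Verify Email##}"), which
// Cognito swaps for the real link after the trigger returns; not escaped.
function renderTemplate(template, { name, email, link }) {
  return template
    .replace(/\{name\}/g, () => escapeHtml(name))
    .replace(/\{email\}/g, () => escapeHtml(email))
    .replace(/\{link\}/g, () => link);
}

// Only sign-up and resend-code events get the custom email; other
// trigger sources pass through so Cognito uses its default messages.
function buildResponse(event) {
  const custom = ["CustomMessage_SignUp", "CustomMessage_ResendCode"];
  if (!custom.includes(event.triggerSource)) return event;
  const attrs = event.request.userAttributes || {};
  event.response.emailSubject = EMAIL_SUBJECT;
  event.response.emailMessage = renderTemplate(EMAIL_MESSAGE, {
    name: attrs.name || attrs.email,
    email: attrs.email,
    link: event.request.linkParameter,
  });
  return event;
}

// Lambda entry point (the Node.js runtime finds it on module.exports).
const handler = async (event) => buildResponse(event);
if (typeof module !== "undefined") module.exports = { handler, buildResponse, renderTemplate };
```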

Step — 5

To deploy the stack to AWS with the Serverless Framework, run the command below from the root of the repository.

serverless deploy

The above command deploys the stack in the us-east-1 region with the stack stage dev. If you want to deploy to a specific region with a specific stack stage, run the command below, replacing the region and stack stage values.

serverless deploy --region <aws-region> --stage <stack-stage>

Step — 6

Once the entire stack is deployed successfully, a file named output-stack.yml is created in the root folder. That file contains all the important links, such as the Cognito sign-in URL, Cognito sign-up URL, User Pool domain, etc.

Those are all the outputs you need for your front-end.

For any query, contact me on LinkedIn or via my portfolio.

LinkedIn: https://www.linkedin.com/in/parth-trambadiya/

Portfolio: https://parthtrambadiya.me
