---
title: '21 Amazon Cognito'
disqus: hackmd
---
:::info
AWS Certified Developer Associate DVA-C01
:::
21 Amazon Cognito
===
<style>
img{
/* border: 2px solid red; */
margin-left: auto;
margin-right: auto;
width: 90%;
display: block;
}
</style>
## Table of Contents
[TOC]
Amazon Cognito
---
- used to give users an identity so they can interact with our app
    - not IAM users, but users outside your AWS account (the app's own end users)
- cognito user pools (CUP)
    - sign-in functionality for app users
    - integrate with API Gateway and ALB
- cognito identity pools (federated identities, CIP)
    - provide temporary AWS credentials to users so they can access AWS resources directly
    - integrate with cognito user pools as an identity provider
- cognito sync
    - sync data from mobile devices to cognito
    - deprecated, replaced by AppSync
- cognito vs IAM
    - cognito: hundreds or thousands of users, mobile users, or auth with SAML
    - IAM: users you trust inside your AWS environment
    - cognito: all other outside users
### Cognito User Pools
#### User Features
- way to create a serverless db of users for your web and mobile apps
- users can do
    - simple login
        - username or email
        - password
    - password reset
    - email and phone number verification
    - MFA
    - federated identities
        - users from Facebook, Google, SAML etc.
- feature
    - block users if their credentials were compromised elsewhere
        - part of the advanced security features: cognito checks sign-in credentials against known leaked-credential data
- successful login returns JSON Web Tokens (JWT): an ID token, an access token and a refresh token
    - the ID token carries the user's identity claims, the access token is what you present to APIs, the refresh token obtains new ones

- cognito has its own db of users that we can see
- apps log in against the cognito user pool
    - returns the JWTs when login succeeds
- can also do federation through 3rd-party identity providers
    - social identity providers
        - Google, Facebook etc.
    - or more specific identity providers
        - e.g. SAML, OpenID Connect
#### Integrations
- cup (cognito user pools) integrates with api gateway and alb natively

- user authenticates with CUP and gets a JWT
- pass the token to API Gateway (Cognito authorizer)
- API Gateway validates the token's signature and claims (issuer, client/audience, expiry) against the user pool's published public keys
- allows access to the backend
- can also use ALB + listeners and rules
    - the `authenticate-cognito` listener action authenticates users against CUP
    - once done, forwards users to the backend in the target group
        - which can consist of EC2 instances, Lambda functions, ECS containers etc.
    - the ALB passes the user's claims to targets in `x-amzn-oidc-*` headers, so restrict targets to traffic from the ALB only (security group); a client that can reach a target directly could forge those headers
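The token check that the API Gateway Cognito authorizer (or the ALB listener action) performs, written out so you can see what is actually verified. This is an added example, not code from the course or from AWS: the issuer, app client id, key id and key pair are constructed for the demo, whereas a real authorizer fetches the pool's JWKS from `https://cognito-idp.<region>.amazonaws.com/<pool id>/.well-known/jwks.json` and caches it. `Demo` mints a token the way the pool would, then verifies it, an expired copy, and a forgery that keeps a valid signature over altered claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed example values; not a real user pool, app client or key.
const issuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
const clientID, keyID = "1example23456789abcdefghij", "example-kid-1"
// JWK is the part of a jwks.json entry RS256 needs: base64url big-endian n and e.
type JWK struct{ Kid, N, E string }
// Claims are the access-token claims the authorizer checks.
type Claims struct {
	Iss      string `json:"iss"`
	ClientID string `json:"client_id"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
	Sub      string `json:"sub"`
}

var enc = base64.RawURLEncoding
// dec decodes base64url; bad input yields nil, which every check below rejects.
func dec(s string) []byte { b, _ := enc.DecodeString(s); return b }

// mintToken plays the user pool: base64url(header).base64url(claims), RS256-signed.
func mintToken(priv *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": keyID})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig)
}

// VerifyAccessToken does what the API Gateway Cognito authorizer does: select the
// key by kid, verify the RS256 signature, then check iss, token_use, client_id and
// exp. alg is pinned, so a token cannot downgrade itself to "none" or HS256.
func VerifyAccessToken(token string, jwks []JWK, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("rejected: need 3 segments and alg RS256")
	}
	var pub *rsa.PublicKey
	for _, k := range jwks {
		if k.Kid == hdr.Kid {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no JWKS key matches kid")
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], dec(p[2])) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(dec(p[1]), &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.TokenUse != "access" || c.ClientID != clientID || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%q token_use=%q client_id=%q exp=%d", c.Iss, c.TokenUse, c.ClientID, c.Exp)
	}
	return &c, nil
}

// Demo generates a throwaway key and verifies three tokens: a valid one, the same
// token after it expired, and a forgery that reuses the valid signature over claims
// whose sub was changed to "admin". Only the first should verify (nil error).
func Demo() (validErr, expiredErr, forgedErr error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	jwks := []JWK{{Kid: keyID, N: enc.EncodeToString(priv.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	now := time.Now()
	c := Claims{Iss: issuer, ClientID: clientID, TokenUse: "access", Sub: "user-1", Exp: now.Add(time.Hour).Unix()}
	valid := mintToken(priv, c)
	c.Sub = "admin"
	body, _ := json.Marshal(c)
	p := strings.Split(valid, ".")
	forged := p[0] + "." + enc.EncodeToString(body) + "." + p[2]
	_, validErr = VerifyAccessToken(valid, jwks, now)
	_, expiredErr = VerifyAccessToken(valid, jwks, now.Add(2*time.Hour))
	_, forgedErr = VerifyAccessToken(forged, jwks, now)
	return
}

func main() { fmt.Println(Demo()) }
```

The order of checks matters: the signature is verified before any claim is trusted, the key is chosen from the pool's JWKS by `kid` rather than from anything inside the token, and `client_id` is compared so a token minted for another app client of the same pool is refused. For an ID token the equivalent checks are `token_use == "id"` and `aud == client id`.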
#### Lambda Triggers
- CUP can invoke a Lambda function synchronously on these triggers
    - e.g. pre sign-up, post confirmation, pre/post authentication, pre token generation, custom message, user migration, and the define/create/verify auth challenge triggers of a custom auth flow
    - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
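A pre sign-up trigger as an added example (not from the course or from the AWS docs): it restricts self-service sign-up to an allowlist of email domains and auto-confirms only federated users, whom the external IdP has already authenticated. The event struct mirrors the fields of the trigger event documented at the link above; the allowlist and addresses are constructed. In a real deployment the handler is registered with `lambda.Start(HandlePreSignUp)` from `github.com/aws/aws-lambda-go/lambda`, which is left out here so the block runs stand-alone.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// PreSignUpEvent is the subset of the pre sign-up trigger event this handler uses;
// the real event (see the developer guide) carries more fields, which are ignored.
type PreSignUpEvent struct {
	TriggerSource string `json:"triggerSource"` // PreSignUp_SignUp, _AdminCreateUser, _ExternalProvider
	UserName      string `json:"userName"`
	Request       struct {
		UserAttributes map[string]string `json:"userAttributes"`
	} `json:"request"`
	Response struct {
		AutoConfirmUser bool `json:"autoConfirmUser"`
		AutoVerifyEmail bool `json:"autoVerifyEmail"`
		AutoVerifyPhone bool `json:"autoVerifyPhone"`
	} `json:"response"`
}

// allowedDomains is a constructed allowlist for this example.
var allowedDomains = map[string]bool{"example.com": true, "example.org": true}

// HandlePreSignUp runs synchronously before the user is created. Returning an
// error makes Cognito fail the SignUp call with that message, so keep the text
// free of anything an attacker could use (e.g. whether an address is already
// registered). Federated users were already authenticated by the external IdP,
// so only they are auto-confirmed; self sign-ups still get the verification code.
func HandlePreSignUp(ctx context.Context, ev PreSignUpEvent) (PreSignUpEvent, error) {
	email := strings.ToLower(strings.TrimSpace(ev.Request.UserAttributes["email"]))
	at := strings.LastIndex(email, "@")
	if at < 1 || at == len(email)-1 {
		return ev, errors.New("a valid email address is required")
	}
	if !allowedDomains[email[at+1:]] {
		return ev, fmt.Errorf("sign-up is not open to %s addresses", email[at+1:])
	}
	if ev.TriggerSource == "PreSignUp_ExternalProvider" {
		ev.Response.AutoConfirmUser = true
	}
	return ev, nil
}

func main() {
	var ev PreSignUpEvent
	ev.TriggerSource = "PreSignUp_SignUp"
	ev.Request.UserAttributes = map[string]string{"email": "alice@example.com"}
	out, err := HandlePreSignUp(context.Background(), ev)
	fmt.Println(out.Response.AutoConfirmUser, err)
}
```

Because the trigger is synchronous, a thrown error or a timeout blocks the sign-up, so the function needs no network dependencies it cannot afford to lose; the same handler is invoked for admin-created and federated users, which is why it branches on `triggerSource`.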

#### Hosted Auth UI
- cognito has a hosted auth UI that you can add to your app to handle the sign-up and sign-in workflows
- using the hosted UI, you have the foundation for integration with social logins
    - OIDC or SAML
- can customise it with a custom logo and custom CSS
### Cognito Identity Pools (Federated Identities)
- get identities for users so they obtain temporary AWS creds
- your identity pool can include
    - public providers
        - e.g. Login with Amazon, Facebook, Google, Apple etc.
    - users in an Amazon CUP
    - OpenID Connect providers and SAML identity providers
    - developer authenticated identities
        - e.g. a custom login server
    - unauthenticated guest access
        - identity pools allow this; keep the guest role's policy as narrow as possible, since anyone can obtain those creds
- users then access AWS services directly or through API Gateway
- the IAM policies applied to the creds are defined in cognito
    - can be customised based on user id for fine-grained control
#### Example

- want to allow web/mobile apps to get AWS creds, but don't want to create IAM users
- leverage cognito identity pools
- user first logs in with a cognito user pool or a 3rd-party auth server
- app then talks to the identity pool service to exchange the token for temporary AWS creds
    - identity pool first verifies the login with the provider
    - once validated, it talks to STS (Security Token Service) to get temporary creds for the user
- creds returned to the user
- can access AWS services using the creds and the associated IAM policy
#### Example with CUP

- want user identities to be stored in CUP
- user logs in and gets a token from CUP, so all users are centralised in the CUP db
- can also enable federated identity providers for CUP
- web app then exchanges the token from CUP with CIP (cognito identity pool) for creds
- CIP talks to the STS service
- get creds and access to AWS services
#### Identity Pools and IAM Roles
- default IAM roles for authenticated and guest users
- define rules to choose the role for each user based on claims in the user's token (e.g. a group or custom attribute)
- can partition users' access using __policy variables__ such as `${cognito-identity.amazonaws.com:sub}`
- can also customise a user's policy
- IAM creds are obtained by CIP through STS (Security Token Service)
- roles must have a trust policy that trusts `cognito-identity.amazonaws.com` for `sts:AssumeRoleWithWebIdentity`, with conditions on `cognito-identity.amazonaws.com:aud` (this identity pool's id) and `cognito-identity.amazonaws.com:amr` (authenticated vs unauthenticated), so another pool, or a guest, cannot assume the role
#### CIP IAM Policy Example
__Guest Users__

- IAM policy that allows any guest user to do `s3:GetObject` on an S3 bucket
__Policy Variable on S3__

- define a policy variable in our S3 policy
- users are connected but only have access to a prefix in your S3 bucket that represents the user's identity
    - the policy variable `${cognito-identity.amazonaws.com:sub}` is replaced with the caller's identity id when the policy is evaluated
    - allows the user to access only objects in the bucket whose key starts with the prefix of its identity id
__DynamoDB__

- allow the user to do anything in DynamoDB as long as the leading (partition) key corresponds to the user's identity id
    - done with the `dynamodb:LeadingKeys` condition key and the same policy variable
    - effectively achieving row-level security
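The policies described above as IAM JSON, plus the trust policy the authenticated role needs, with a small evaluator that shows what the policy variable does. This is an added example, not the course's screenshots or AWS-provided code: the identity pool id, bucket, account id, table name and identity ids are constructed. `ObjectAllowed` substitutes the caller's identity id the way IAM does at evaluation time and then matches the request ARN against the `Resource` wildcards, so one identity's prefix is accepted and another identity's prefix is refused.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed identifiers; not a real identity pool, bucket, account or table.
const (
	poolID = "us-east-1:11111111-2222-3333-4444-555555555555"
	subVar = "${cognito-identity.amazonaws.com:sub}" // substituted by IAM per request
)
// TrustPolicy is what the authenticated role must carry. The aud condition pins
// it to this identity pool (any other pool could assume it otherwise) and amr
// keeps guests out of the authenticated role.
const TrustPolicy = `{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Federated": "cognito-identity.amazonaws.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {"cognito-identity.amazonaws.com:aud": "` + poolID + `"},
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}`
// S3PrefixPolicy: an identity can list and read/write only its own <identity id>/ prefix.
const S3PrefixPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::example-bucket"],
   "Condition": {"StringLike": {"s3:prefix": ["` + subVar + `/*"]}}},
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::example-bucket/` + subVar + `/*"]}]}`

// DynamoDBRowPolicy: item access only where the partition key equals the identity id.
const DynamoDBRowPolicy = `{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:UpdateItem"],
  "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/UserData"],
  "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["` + subVar + `"]}}}]}`

// Render substitutes the policy variable with the caller's identity id, as IAM does
// at evaluation time, and checks the document is still valid JSON.
func Render(doc, identityID string) (string, error) {
	out := strings.ReplaceAll(doc, subVar, identityID)
	if !json.Valid([]byte(out)) {
		return "", fmt.Errorf("policy is not valid JSON after substituting %q", identityID)
	}
	return out, nil
}

// MatchARN implements the wildcards IAM allows in Resource and StringLike values:
// "*" matches any run of characters (including "/") and "?" exactly one.
func MatchARN(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	switch pattern[0] {
	case '*':
		for i := 0; i <= len(s); i++ {
			if MatchARN(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	case '?':
		return s != "" && MatchARN(pattern[1:], s[1:])
	}
	return s != "" && s[0] == pattern[0] && MatchARN(pattern[1:], s[1:])
}

// ObjectAllowed renders S3PrefixPolicy for identityID and reports whether an
// s3:GetObject on key in example-bucket matches an Allow statement's Resource.
func ObjectAllowed(identityID, key string) (bool, error) {
	rendered, err := Render(S3PrefixPolicy, identityID)
	if err != nil {
		return false, err
	}
	var doc struct {
		Statement []struct {
			Effect   string
			Action   []string
			Resource []string
		}
	}
	if err := json.Unmarshal([]byte(rendered), &doc); err != nil {
		return false, err
	}
	arn := "arn:aws:s3:::example-bucket/" + key
	for _, st := range doc.Statement {
		for _, action := range st.Action {
			for _, res := range st.Resource {
				if st.Effect == "Allow" && action == "s3:GetObject" && MatchARN(res, arn) {
					return true, nil
				}
			}
		}
	}
	return false, nil
}

func main() {
	me := "us-east-1:aaaaaaaa-1111-2222-3333-444444444444" // constructed identity id
	mine, _ := ObjectAllowed(me, me+"/photo.jpg")
	theirs, _ := ObjectAllowed(me, "us-east-1:bbbbbbbb-1111-2222-3333-444444444444/photo.jpg")
	fmt.Println("own prefix:", mine, "another identity's prefix:", theirs)
}
```

The identity id in the variable is the identity pool's id for the user (`us-east-1:<uuid>`), not the user pool `sub`, so object keys and partition keys must be written under that value for the scoping to line up; the `ListBucket` statement needs the `s3:prefix` condition because listing is a bucket-level action that the object ARN pattern alone would not restrict.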
### CUP vs CIP
- cognito user pools
    - db of users for your web and mobile app
    - allows federated logins through public social, OIDC, SAML etc.
    - can customise the hosted UI for auth
        - includes logo
    - has triggers with AWS Lambda during the auth flow
- cognito identity pools
    - obtain AWS creds for your users
    - users can log in through public social, OIDC, SAML and CUP
    - users can be unauthenticated (guests)
    - users mapped to IAM roles and policies, can leverage policy variables
- CUP + CIP = manage user/password + access to AWS services
### Cognito Sync
- deprecated - use AWS AppSync now
- service to store preferences, config and state of an app
- cross-device sync
    - any platform - iOS, Android etc.
- offline capability
    - sync when back online
- store data in datasets of up to 1 MB
    - up to 20 datasets to sync
- push sync
    - silently notify across all devices when identity data changes
- cognito streams
    - stream data from cognito into Kinesis
- cognito events
    - execute Lambda functions in response to events
### Console


- decide how users sign in - email or phone?

- the sign-in options and required attributes cannot be changed once the pool is created

- set password policy

- MFA
    - users can sign in with a second factor (SMS or a TOTP authenticator app)
- how to recover an account
- attributes to verify

- give cognito an IAM role if you want it to send SMS

- if sending emails, where do we send them from




- need to create an app client
    - allows us to log in to the user pool
    - for a public client (browser or mobile app) do not generate a client secret, since the app cannot keep it secret

- go to app client settings on the sidebar
    - define how we log in to the app - use CUP
    - provide the callback URL
        - the URL we get redirected to after a successful login; register only exact HTTPS URLs you control, since the authorization code is delivered there

- can tick all the OAuth settings (flows and scopes), but enable only the flows the app actually uses

- hosted UI
    - allows users to log in through the UI cognito built for us
    - should have a launch hosted UI button, but it's not there currently since we did not specify our domain name yet

- go to domain name from the sidebar
    - choose a domain name (a prefix under `auth.<region>.amazoncognito.com`, or your own custom domain)
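What the app does with the app client, callback URL and domain configured above, as an added example (not from the course): it builds the hosted UI `/oauth2/authorize` request for the authorization code grant with PKCE, prepares the `/oauth2/token` body, and checks the `state` on the callback. The hosted UI domain, client id and callback URL are constructed; with a public client there is no client secret, so the PKCE verifier is what binds the code to the app that requested it.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Constructed values; not a real domain, app client or callback.
const (
	hostedUI    = "https://myapp-dev.auth.us-east-1.amazoncognito.com"
	clientID    = "1example23456789abcdefghij"
	redirectURI = "https://app.example.com/callback"
)

// randomURLSafe returns n random bytes as unpadded base64url, the form RFC 7636
// wants for a code_verifier and a good choice for the OAuth state as well.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallenge is the S256 transform from RFC 7636: base64url(sha256(verifier)).
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL builds the hosted UI /oauth2/authorize request for the authorization
// code flow with PKCE. The browser is sent here; on success Cognito redirects back
// to redirectURI with ?code=...&state=... in the query string.
func AuthorizeURL(state, verifier string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email")
	q.Set("state", state)
	q.Set("code_challenge_method", "S256")
	q.Set("code_challenge", CodeChallenge(verifier))
	return hostedUI + "/oauth2/authorize?" + q.Encode()
}

// TokenRequest is the form body the app then posts to /oauth2/token. Sending the
// verifier (never the challenge) proves this is the client that started the flow;
// without PKCE a stolen code could be redeemed by anyone who knows the public client_id.
func TokenRequest(code, verifier string) url.Values {
	return url.Values{
		"grant_type":    {"authorization_code"},
		"client_id":     {clientID},
		"redirect_uri":  {redirectURI},
		"code":          {code},
		"code_verifier": {verifier},
	}
}

// CallbackOK is the check the callback handler must do before redeeming the code:
// the returned state has to equal the one kept in the user's session (CSRF guard).
func CallbackOK(callback, expectedState string) (code string, ok bool) {
	u, err := url.Parse(callback)
	if err != nil {
		return "", false
	}
	q := u.Query()
	if q.Get("state") == "" || q.Get("state") != expectedState || q.Get("code") == "" {
		return "", false
	}
	return q.Get("code"), true
}

func main() {
	state, _ := randomURLSafe(16)
	verifier, _ := randomURLSafe(32)
	fmt.Println(AuthorizeURL(state, verifier))
	fmt.Println(TokenRequest("code-from-callback", verifier).Encode())
}
```

The verifier and state are generated per login attempt and stored server-side or in the browser session, never in the URL; `/oauth2/token` returns the ID, access and refresh tokens, and the access token is what the app then presents to API Gateway or the ALB.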

- can customise the ui from ui customisation in sidebar

- can also set custom logo


- user created from hosted ui

- can also create user manually

- go to identity providers from sidebar to do federated login

- need to provide extra configs for specific identity provider

- invoking Lambda function triggers from the triggers tab in the sidebar
    - invoke functions based on certain cognito events
    - 10 triggers total
#### Cognito Identity Pools

- click on federated identities to switch to CIP (identity pools)

- option to allow guest users (unauthenticated identities)


- has all the listed providers and also direct integration with CUP
    - provide the CUP pool id and app client id
    - get them from your CUP console


- 2 IAM roles
    - one for authenticated and one for unauthenticated identities

- need to download the SDK for the target platform
    - get this from the sample code section in the nav bar

- dashboard from the nav bar
    - can see the number of authenticated and guest users

- can search by identity id when users login

- 2 roles created
    - these are the roles we customise to decide what our authenticated/guest users have access to in AWS (their policies are what the identity pool's STS creds carry)

- edit identity pool with button on top right of console

- edit push sync
    - if a user made changes on one device, they can silently be pushed to all other devices

- cognito streams
    - allow us to push every dataset change in cognito into a Kinesis stream in real time
    - enables real-time processing of these events

- cognito events
    - run Lambda functions in response to events in cognito
###### tags: `AWS Developer Associate` `Notes`