I have a dev and prod Cognito pool, and a dev/prod Lambda function that pushes to a dev/prod DynamoDB table.
Is there a simple way to have it know when to use the prod credentials (pool ID, etc.) and when to use the dev credentials?
And the same for firing the appropriate dev/prod API Gateway APIs that check the appropriate pools for authentication and post to the appropriate DynamoDB tables? For now I just manually change the tokens, and in API Gateway I manually switch out which Cognito pool the API Gateway authenticates against and which tables they post to, which isn't very practical.
If you expose your Lambda with API Gateway, then just deploy it to two stages: a prod stage which calls the prod Lambda, which accesses prod DynamoDB, and a dev stage which calls the dev Lambda. In your application, you would just need to change the stage name, and you can do so by setting it from Info.plist.
Regarding how to get tokens for prod or dev automatically, it depends on how you get these tokens. For example, you could create a /login resource in API Gateway which takes username + password as parameters and returns tokens. Again, deploy it to two stages which use a different Cognito pool in the backend calls. Now, you can use the same variable/property in your application to get the stage name for getting tokens too.
So, by just changing the value of one property you can switch between prod & dev in your app.
My Azure App's client secret expiry was set to 3 months, which has expired, and the application has stopped. My questions are:
How can I get the new client secret for the same Azure App to replace the new client secret in my NodeJS application?
Also, is there a way to get a warning or message/mail before the client secret expires?
How to check the expiry of client credentials without using the Azure portal (that is, by using REST requests, if any)?
Screenshot showing expiry in the Azure portal. Can we get this expiry somehow by REST requests?
How to check the expiry of client credentials without using the Azure portal (that is, by using REST requests, if any)?
You should be able to use Graph API to get this information. The operation you would want to invoke is List applications which will give you a list of application objects. The property you would want to check is passwordCredential for credential expiry.
Also, is there a way to get a warning or message/mail before the client secret expires?
AFAIK, there is not an automated way to do this. I believe I read somewhere that the Graph API team is working on it, but there was no ETA provided for this by them. For now you have to roll out your own solution. You may write a timer-triggered Azure Function which runs daily. This Function can get the list of applications, filter out the applications whose credentials are expiring soon, and take action on that.
How can I get the new client secret for the same Azure App to replace the new client secret in my NodeJS application?
Based on your comment, and considering you are currently doing this process manually, I would assume you can continue to do so. Once you know that the secret is expiring soon, you can create a new application secret and, at the appropriate time, replace the old secret with the new secret.
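A concrete version of the daily check described in the answer above, as an added example (not the answer's own code): it takes the application objects that Graph's List applications call returns (here a constructed sample) and reports password credentials that have already expired or expire within a warning window, plus apps that no longer hold any valid secret. In Graph v1.0 the property is `passwordCredentials`, a list with an `endDateTime` per secret; the request URL in the comment and the timer trigger that would call this are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the `value` array of a Graph
# GET https://graph.microsoft.com/v1.0/applications?$select=displayName,appId,passwordCredentials
# response (assumed request); only the fields this check reads are included.
SAMPLE_APPLICATIONS = [
    {
        "displayName": "orders-api",
        "appId": "00000000-0000-0000-0000-000000000001",  # placeholder
        "passwordCredentials": [
            {"keyId": "k1", "displayName": "2023 secret", "endDateTime": "2024-01-10T00:00:00Z"},
            {"keyId": "k2", "displayName": "rotated", "endDateTime": "2024-06-01T00:00:00Z"},
        ],
    },
    {
        "displayName": "reporting-job",
        "appId": "00000000-0000-0000-0000-000000000002",  # placeholder
        "passwordCredentials": [
            {"keyId": "k3", "displayName": "only secret", "endDateTime": "2024-02-01T00:00:00Z"},
        ],
    },
    # An app that authenticates with a certificate has no password credentials at all.
    {"displayName": "cert-only-app", "appId": "00000000-0000-0000-0000-000000000003", "passwordCredentials": []},
]


def utc(year, month, day):
    """Timezone-aware UTC midnight, used for the 'now' the daily job passes in."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC timestamps ending in 'Z'; older Pythons'
    fromisoformat only accepts '+00:00', so normalise before parsing."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_expiring_credentials(applications, now, warn_days=30):
    """Return [(app name, keyId, days_left)] for every password credential that
    is expired or expires within warn_days, soonest first (expired => days_left <= 0)."""
    horizon = now + timedelta(days=warn_days)
    findings = []
    for app in applications:
        for cred in app.get("passwordCredentials", []):
            end = parse_graph_time(cred["endDateTime"])
            if end <= horizon:
                findings.append((app["displayName"], cred["keyId"], (end - now).days))
    return sorted(findings, key=lambda f: f[2])


def apps_without_valid_credential(applications, now):
    """Apps that have password credentials but none still valid: the situation in
    the question, where sign-ins fail until a new secret is created and deployed."""
    result = []
    for app in applications:
        ends = [parse_graph_time(c["endDateTime"]) for c in app.get("passwordCredentials", [])]
        if ends and not any(end > now for end in ends):
            result.append(app["displayName"])
    return result
```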
My current stack is like this:
User creates an account via AWS Cognito
A post confirmation lambda is triggered which then adds further user details to a database
My database uses the sub ID generated by Cognito as the userId, so they are the same. I also copy the email address as the Username in my database. My intention is to use Cognito for authentication and my own database for the functionality of my app.
However, if the user wishes to update their email address, I need to amend this in both Cognito and my database. My first attempt made a call to Cognito in my Lambda using admin_update_user_attributes, but I soon realised it was blocked from making external calls to the internet, so I created a NAT gateway, which worked, but it simply costs way too much!
My second idea was to go through Cognito, having my front end make the call and then have Cognito trigger a Lambda to update my database, but I don't think this is possible.
Is there a configuration or something I'm missing to be able to access AWS Cognito via a Lambda through API Gateway, as they are both AWS services?
I don't want to make two separate calls via my frontend, as this creates a risk of one being completed but not the other.
Thanks
A NAT gateway will be needed if you have your Lambda function in a VPC, as there are no Cognito VPC endpoints at this time.
List of currently supported AWS services with endpoints.
If you are using a DB like DynamoDB, the Lambda function does not need to be in a VPC, so you could achieve the use case you mentioned above.
Another option could be to do the Cognito update asynchronously, so your Lambda could potentially use VPC endpoints to put an object in SQS and then have a Lambda poller (outside the VPC) poll the messages and update Cognito. Or achieve a similar use case by making use of private API Gateways.
These are just potential ideas which I have not done myself.
I have a request to restrict the access (access control) to a small user community in GCP.
Let me explain the question.
This is the current set up:
A valid GCP Organization: MyOrganization.com (under which the GCP project is deployed / provisioned)
Cloud DNS (To configure domain names, A & TXT records, zones and subdomains to build the URL for the application).
Oauth client set up (tokens, authorized redirects URIs, etc.).
HTTPS load balancer (GKE -managed k8s service- with ingress service), SSL certificate and keys issued by a trusted CA.
The application was built using python + Django framework.
I have already deployed the application (GCP resources) and it is working smooth.
The thing is that, since we are working in GCP, all IAM users who have a valid userID#MyOrganization.com can access the application (https://URL-for-my-Appl.com).
Now, I have a new request, which consists of restricting access (access control) to the application to only a small user community within that GCP organization.
For example, I need to ensure that only specific IAM users can access the application (https://URL-for-my-Appl.com), such as:
user1#MyOrganization.com
user2#MyOrganization.com
user3#MyOrganization.com
user4#MyOrganization.com
How could I do that, taking into account the info I sent earlier?
thanks!
You can use Cloud IAP (Identity Aware Proxy) in order to do that.
Identity-Aware Proxy (IAP) lets you manage access to applications running in App Engine standard environment, App Engine flexible environment, Compute Engine, and GKE. IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls. When you turn on IAP, you must also use signed headers or the App Engine standard environment Users API to secure your app.
Note: you can configure it on your load balancer.
It's not clear in your question whether your application uses Google auth (but considering that you talk about org-restricted login, I think so). If that's the case, you should be able to enable it virtually without touching anything in your application if you are using the Users API.
The best and easiest solution is to deploy IAP (Identity Aware Proxy) on your HTTPS load balancer.
Then, grant access only to the users that you want (or create a G Suite user group and grant it; it's often easier to manage).
I am using JHipster's Gateway and UAA to work with microservices. To create the Gateway without the frontend I used the command jhipster --skip-client; however, to create the separate front end of the Gateway I created a new folder and executed the command jhipster --skip-server --auth oauth2 --db postgres --uaa-base-name uaa-server.
The frontend generated with the command fails to authenticate because it seems that it gets lost in the addresses and tries to make a direct access to the Gateway service that is not configured in the system. How can I generate the frontend so that it is equal to the frontend generated along with the Gateway?
There are two separate issues here. First, when using UAA, the auth type should be uaa instead of oauth2. Second, the uaa-base-name needs to match the base name in the generated UAA server, which by default is uaa.
I am building and testing Lambda functions on my local PC. The Lambdas are exposed through SAM using the "sam local start-api" command and called through JavaScript.
I have now set up a user pool on AWS Cognito (in the cloud). My app is correctly authenticating against the user pool. However, I would like now to pass user information to my Lambdas when I invoke them on my local pc. What I want to achieve is:
My JS web app sends a request with authorization header to my locally hosted Lambdas.
My Lambda accesses the claims through $context.authorizer.claims
And most importantly: the Lambda code should not be specific to my dev environment. I should be able to deploy my Lambdas to the cloud without changing the code.
Question: Is it possible to provide/inject the user claims into the context of a Lambda request on my local dev environment?