Note
An alternative approach, not using Amazon Cognito, is to use the AWS Security Token Service
(STS) directly via the AssumeRoleWithWebIdentity or AssumeRoleWithSAML actions. This
approach isn't described in this book and provides fewer features: for example, compared with
Amazon Cognito, you don't get a unique Identity ID that follows your users across any device. My
advice is to always use Amazon Cognito instead. For more information on using AWS STS
directly, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_sampleapps.html.
7.1.1. Creating the identity pool
First, we need a Cognito identity pool to give temporary AWS credentials to our users. To create
your first identity pool, open your browser and go to https://console.aws.amazon.com/.
Perform the following steps to create the identity pool:
1. Log in with your AWS credentials and select Cognito from the Mobile Services section.
2. Choose the closest AWS region from the menu at the top right that has Amazon Cognito available
and then select “Manage Federated Identities.”
3. If the region you use for Amazon Cognito is different from the one you used for AWS Lambda,
you need to create the greetingsOnDemand function again in the new region.
4. If this isn’t the first identity pool in that region, instead of the welcome page you’ll see an
overview of the identity pools already created and can select “Create new identity pool” to proceed.
5. Use “greetings” as the identity pool name. Because you want anyone visiting the web page to call
the Lambda function, you don’t need any form of authentication, and you have to enable access to
unauthenticated identities (figure 7.2).
Figure 7.2. Creating a new Amazon Cognito identity pool for giving access to unauthenticated identities
6. Select “Create pool.”
The wizard from the web console creates two IAM roles (figure 7.3), one for authenticated
identities (required by all identity pools) and one for unauthenticated identities (because you
enabled them). You can use those roles to give access to the resources that the identities need to
use. In this example, the users need to invoke a Lambda function.
Figure 7.3. The AWS web console will guide you in creating the necessary roles for the Cognito identity pool. You must always have a
role for authenticated identities. Because you enabled access to unauthenticated identities, you’ll have two roles here.
You can expand the view on the policy document to understand what those roles will initially
enable the identities to do (figure 7.4). The initial policy documents can be considered as almost
“empty roles” because they allow only the following features:
• Putting events to Amazon Mobile Analytics (a service to understand usage and
revenue for mobile and web apps, which we're not using in this book).
• The use of Amazon Cognito Sync (the part of Amazon Cognito that enables cross-device
synching of application-related user data. We're not using these features in this book;
we're focusing on Amazon Cognito Identity here).
Figure 7.4. You can verify the policy documents that are attached by default to the IAM roles created by the web console. You can
then add more actions and resources to those roles, depending on your application.
These two IAM roles will also be automatically configured with the necessary trust policy to be
used by this Cognito identity pool.
Typically, you’d add more capabilities in terms of actions and resources, depending on the use
case of your application. In our case, we’ll need to add to the unauthenticated role
(Cognito_greetingsUnauth_Role, if you didn’t change the default name) permissions to invoke
the greetingsOnDemand Lambda function. You’ll do that later using the AWS IAM console.
Select Allow to create those roles. You’ll land on a page that helps you use Amazon Cognito
(figure 7.5). You can select the platform you want to use—JavaScript, in this case—and see links
to download the SDK and read the documentation. Beneath that is sample code. Look at the
code in the section “Get AWS Credentials,” because you’ll need it to specify the right AWS region
and the Cognito identity pool ID in your code. You can go back to the Sample Code section of the
Cognito console to get the code.
Figure 7.5. After you create the Cognito identity pool, you can see useful information and sample code for different platforms. You
can choose JavaScript, iOS, Android, and more from the drop-down menu.
You don’t need to download the AWS JavaScript SDK to use it in a browser because you can
include it in the HTML page with a link to a standard URL. For example:
7.1.2. Giving permissions to the Lambda function
To enable access to the Lambda function by identities not authenticated in your identity pool, go
to the AWS console and select Identity & Access Management from the Security & Identity
section. Select Roles on the left, and filter the results using “greetings,” the name of the identity
pool that was used by the web console as part of the names of the roles (figure 7.6).
Figure 7.6. Use the filter in the AWS IAM console to quickly find the roles you need. Select a role to view (or edit) permissions and
trust relationships.
Next, select the role for the unauthenticated identities (Cognito_greetingsUnauth_Role if you
didn’t change the default name) to get specific information about that role (figure 7.7). If you
changed the name of the role and you don’t remember it, go into the Cognito console, select the
identity pool, and then select the option to “Edit identity pool.” The two roles (authenticated and
unauthenticated) are beneath the identity pool ID.
Figure 7.7. Selecting a role, you get specific information and the option to change the policy documents attached to the role. You can
attach a managed policy (that can be versioned and reused multiple times) or edit the default inline policy created by the web
console.
Note
When you select a role in the AWS IAM console, you can check permissions and trust
relationships. From the Access Advisor tab, you can verify when the role was used recently and
for which services. In the Permissions tab, you can attach a managed policy, which you can
version and reuse multiple times; for example, in different roles or groups.
For now, in the Inline Policies section, select Edit Policy to edit the document created
automatically by the console.
Tip
When I use multiple AWS services via the web console, I usually have multiple tabs open in my
browser (at least one for each service I’m using) so that I can quickly switch from one to the
other. For example, I have one tab for AWS Lambda, where I edit or configure the function; one
tab for AWS IAM with the role of the function; one tab for Amazon Cognito to view or edit the
identity pool; another one or two tabs with the AWS IAM roles used by the Cognito identity
pool, and so on.
Update the policy document to add the invoke action on the greetingsOnDemand function using
the code in the following listing. Replace the Lambda function ARN with the one for your
function.
Listing 7.1. Policy_Cognito_greetingsOnDemand
To get the correct Lambda function ARN, you only need to replace the AWS region and your
account number in the ARN of the listing. If you don't remember them, the full ARN appears in the
AWS Lambda console when you select a function, as shown in figure 7.8. My advice is to open the
Lambda console in another tab of your browser, and cut and paste the full ARN from there.
Figure 7.8. The function ARN, which you need to identify a function as a resource in a policy, is on the top right in the AWS Lambda
console.
To check the syntax of the policy, you can use the Validate Policy button (figure 7.9). If
everything is okay, select Apply Policy to confirm your changes.
Figure 7.9. When editing a policy document in the AWS IAM Console, you can verify the syntax via the Validate Policy button before
applying your changes.
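The policy change described above, as an added example that is not the book's Listing 7.1: a small JavaScript helper that builds the least-privilege inline policy for the unauthenticated role and checks it for wildcards before you apply it in the IAM console. The region, account number and function name passed in are placeholders to be replaced with your own values.

```javascript
// Added example (not the book's Listing 7.1): build the inline policy for the
// unauthenticated Cognito role and sanity-check it before applying it.
// The region and account ID used below are placeholder values.

// Build a policy document that lets the role invoke exactly one Lambda function.
function buildInvokePolicy(region, accountId, functionName) {
  const functionArn = `arn:aws:lambda:${region}:${accountId}:function:${functionName}`;
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["lambda:InvokeFunction"],
        Resource: [functionArn],
      },
    ],
  };
}

// Return a list of problems: wildcard actions or resources, or Allow actions
// beyond the ones the unauthenticated role actually needs.
function auditPolicy(policy, allowedActions) {
  const problems = [];
  for (const stmt of policy.Statement || []) {
    if (stmt.Effect !== "Allow") continue;
    const actions = [].concat(stmt.Action || []);
    const resources = [].concat(stmt.Resource || []);
    for (const a of actions) {
      if (a.includes("*")) problems.push(`wildcard action ${a}`);
      else if (!allowedActions.includes(a)) problems.push(`unexpected action ${a}`);
    }
    for (const r of resources) {
      if (r === "*" || r.endsWith(":*")) problems.push(`wildcard resource ${r}`);
    }
  }
  return problems;
}

// Placeholder region/account: replace with the values from your Lambda console.
const policy = buildInvokePolicy("us-east-1", "123456789012", "greetingsOnDemand");
console.log(JSON.stringify(policy, null, 2));
console.log(auditPolicy(policy, ["lambda:InvokeFunction"]));
```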
7.1.3. Creating the web page
Now everything is set on the permissions side, and you can prepare an HTML web page for your
users. For manageability, it's better to put all the JavaScript client-side logic in a separate file
that's executed by the web page as a script on loading. Create two files (index.html and
greetings.js) in the same directory on your computer and edit them with the code in listings
7.2 and 7.3, respectively.
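The browser-side flow described here, as an added example that is not the book's greetings.js: obtaining temporary credentials for an unauthenticated identity from the pool and invoking greetingsOnDemand, split into small functions so the response handling can be checked outside a browser. It assumes index.html loads the AWS JavaScript SDK (global AWS) and has an element with id "greeting"; the region and identity pool ID are placeholders.

```javascript
// Added example (not the book's Listing 7.3). Placeholders: replace REGION and
// IDENTITY_POOL_ID with the values shown in the Cognito console "Get AWS Credentials" snippet.
const REGION = "us-east-1";
const IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";
const FUNCTION_NAME = "greetingsOnDemand";

// Parameters for lambda.invoke(): the function name and the JSON event it receives.
function buildInvokeParams(name) {
  return { FunctionName: FUNCTION_NAME, Payload: JSON.stringify({ name: name }) };
}

// Turn an invoke() response into the greeting. A failure inside the function
// arrives as FunctionError with a 200 status, not as the callback error, so
// check it explicitly instead of trusting the payload.
function parseInvokeResult(data) {
  if (data.FunctionError) {
    throw new Error("Lambda function error: " + data.Payload);
  }
  return JSON.parse(data.Payload);
}

// The Lambda client is injected so the same code runs with a real AWS.Lambda in
// the browser or a fake client in a test.
function greet(lambdaClient, name, callback) {
  lambdaClient.invoke(buildInvokeParams(name), function (err, data) {
    if (err) return callback(err);
    try {
      callback(null, parseInvokeResult(data));
    } catch (e) {
      callback(e);
    }
  });
}

// Browser wiring: the SDK is loaded by index.html and exposes the global AWS.
if (typeof AWS !== "undefined") {
  AWS.config.region = REGION;
  // Unauthenticated identity: no Logins map, so the unauth role's policy applies.
  AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: IDENTITY_POOL_ID,
  });
  const lambda = new AWS.Lambda();
  greet(lambda, "John", function (err, greeting) {
    if (err) console.error(err);
    else document.getElementById("greeting").textContent = greeting;
  });
}
```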
Tip
If your web browser supports a developer mode with an error console, activate that feature now.
It’s useful for debugging and understanding what’s happening if something goes wrong. For
example, in Chrome in the View menu, you have a Developer section where you can select the
JavaScript Console. In Firefox, in the Tools menu, you have a Web Developer section where you
can enable the Web Console. In Safari, in the Advanced Preferences, you can enable the Develop
menu and then select Show Error Console there.
Listing 7.2. GreetingsOnDemand HTML page
Listing 7.3. greetings.js (JavaScript in the browser)