Chapter 7. Calling functions from a client

Note

An alternative approach, not using Amazon Cognito, is to use the AWS Security Token Service (STS) directly via the AssumeRoleWithWebIdentity or AssumeRoleWithSAML actions. This approach isn’t described in this book and provides fewer features. My advice is to always use Amazon Cognito instead. For example, compared with Amazon Cognito, you don’t get a unique Identity ID that follows your users across any device. For more information on using AWS STS directly, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_sampleapps.html.

7.1.1. Creating the identity pool

First, we need a Cognito identity pool to give temporary AWS credentials to our users. To create your first identity pool, open your browser and go to https://console.aws.amazon.com/. Perform the following steps to create the identity pool:

1. Log in with your AWS credentials and select Cognito from the Mobile Services section.
2. Choose the closest AWS region from the menu at the top right that has Amazon Cognito available and then select “Manage Federated Identities.”
3. If the region you use for Amazon Cognito is different from the one you used for AWS Lambda, you need to create the greetingsOnDemand function again in the new region.
4. If this isn’t the first identity pool in that region, instead of the welcome page you’ll see an overview of the identity pools already created and can select “Create new identity pool” to proceed.
5. Use “greetings” as the identity pool name. Because you want anyone visiting the web page to call the Lambda function, you don’t need any form of authentication, and you have to enable access to unauthenticated identities (figure 7.2).

Figure 7.2. Creating a new Amazon Cognito identity pool for giving access to unauthenticated identities

6. Select “Create pool.”

The wizard from the web console creates two IAM roles (figure 7.3), one for authenticated identities (required by all identity pools) and one for unauthenticated identities (because you enabled them). You can use those roles to give access to the resources that the identities need to use. In this example, the users need to invoke a Lambda function.

Figure 7.3. The AWS web console will guide you in creating the necessary roles for the Cognito identity pool. You must always have a role for authenticated identities. Because you enabled access to unauthenticated identities, you’ll have two roles here.

You can expand the view on the policy document to understand what those roles will initially enable the identities to do (figure 7.4). The initial policy documents can be considered as almost “empty roles” because they allow only the following features:

- The put event, using Amazon Mobile Analytics (a service to understand usage and revenue for mobile and web apps, which we’re not using in this book).
- The use of Amazon Cognito Sync (the part of Amazon Cognito that enables cross-device synching of application-related user data. We’re not using these features in this book; we’re focusing on Amazon Cognito Identity here).

Figure 7.4. You can verify the policy documents that are attached by default to the IAM roles created by the web console. You can then add more actions and resources to those roles, depending on your application.

These two IAM roles will also be automatically configured with the necessary trust policy to be used by this Cognito identity pool.

Typically, you’d add more capabilities in terms of actions and resources, depending on the use case of your application. In our case, we’ll need to add to the unauthenticated role (Cognito_greetingsUnauth_Role, if you didn’t change the default name) permissions to invoke the greetingsOnDemand Lambda function. You’ll do that later using the AWS IAM console.

Select Allow to create those roles. You’ll land on a page that helps you use Amazon Cognito (figure 7.5). You can select the platform you want to use—JavaScript, in this case—and see links to download the SDK and read the documentation. Beneath that is sample code. Look at the code in the section “Get AWS Credentials,” because you’ll need it to specify the right AWS region and the Cognito identity pool ID in your code. You can go back to the Sample Code section of the Cognito console to get the code.

Figure 7.5. After you create the Cognito identity pool, you can see useful information and sample code for different platforms. You can choose JavaScript, iOS, Android, and more from the drop-down menu.

You don’t need to download the AWS JavaScript SDK to use it in a browser because you can include it in the HTML page with a link to a standard URL. For example:

7.1.2. Giving permissions to the Lambda function

To enable access to the Lambda function by identities not authenticated in your identity pool, go to the AWS console and select Identity & Access Management from the Security & Identity section. Select Roles on the left, and filter the results using “greetings,” the name of the identity pool that was used by the web console as part of the names of the roles (figure 7.6).

Figure 7.6. Use the filter in the AWS IAM console to quickly find the roles you need. Select a role to view (or edit) permissions and trust relationships.

Next, select the role for the unauthenticated identities (Cognito_greetingsUnauth_Role if you didn’t change the default name) to get specific information about that role (figure 7.7). If you changed the name of the role and you don’t remember it, go into the Cognito console, select the identity pool, and then select the option to “Edit identity pool.” The two roles (authenticated and unauthenticated) are beneath the identity pool ID.

Figure 7.7. Selecting a role, you get specific information and the option to change the policy documents attached to the role. You can attach a managed policy (that can be versioned and reused multiple times) or edit the default inline policy created by the web console.

Note

When you select a role in the AWS IAM console, you can check permissions and trust relationships. From the Access Advisor tab, you can verify when the role was used recently and for which services. In the Permissions tab, you can attach a managed policy, which you can version and reuse multiple times; for example, in different roles or groups.

For now, in the Inline Policies section, select Edit Policy to edit the document created automatically by the console.

Tip

When I use multiple AWS services via the web console, I usually have multiple tabs open in my browser (at least one for each service I’m using) so that I can quickly switch from one to the other. For example, I have one tab for AWS Lambda, where I edit or configure the function; one tab for AWS IAM with the role of the function; one tab for Amazon Cognito to view or edit the identity pool; another one or two tabs with the AWS IAM roles used by the Cognito identity pool, and so on.

Update the policy document to add the invoke action on the greetingsOnDemand function using the code in the following listing. Replace the Lambda function ARN with the one for your function.

Listing 7.1. Policy_Cognito_greetingsOnDemand

To use the correct Lambda function ARN, you can replace only the AWS region and your account number. If you don’t remember it, the full ARN appears in the AWS Lambda console when you select a function, as shown in figure 7.8. My advice is to open the Lambda console in another tab of your browser, and cut and paste the full ARN from there.
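
The book’s Listing 7.1 is not reproduced on this page. As an added example (not the book’s listing), the following JavaScript writes the invoke statement as an object with placeholder region and account values and adds a small check that the unauthenticated role’s policy grants Lambda access only for invoking that one function; the check function is my own, and the action names in the console’s default statement are assumed from memory rather than taken from the page.

```javascript
// Added example (not the book's Listing 7.1). REGION and ACCOUNT_ID are
// placeholders: substitute your own, as the book says, to get the real ARN.
const REGION = 'us-east-1';
const ACCOUNT_ID = '123456789012';
const FUNCTION_ARN =
  `arn:aws:lambda:${REGION}:${ACCOUNT_ID}:function:greetingsOnDemand`;

// The statement to add to the unauthenticated role's inline policy.
// It names one action on one resource, which is all the web page needs.
const invokeStatement = {
  Effect: 'Allow',
  Action: ['lambda:InvokeFunction'],
  Resource: [FUNCTION_ARN],
};

// The full document as it would be pasted into the IAM console, keeping the
// default statement the console generated (action names assumed, see lead-in).
const unauthPolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
      Resource: ['*'],
    },
    invokeStatement,
  ],
};

// Sanity check before applying: every Allow statement that touches Lambda
// (a lambda:* action or a bare "*") must be exactly InvokeFunction on the
// expected ARN. Anything broader would let an anonymous visitor reach other
// functions in the account, since unauthenticated identities can be anyone.
function lambdaAccessLimitedTo(policy, expectedArn) {
  const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
  return policy.Statement.every((stmt) => {
    if (stmt.Effect !== 'Allow') return true;             // Deny only narrows
    if (stmt.NotAction || stmt.NotResource) return false; // inverted matching: too broad
    const lambdaActions = asList(stmt.Action).filter(
      (a) => a === '*' || a.toLowerCase().startsWith('lambda:'));
    if (lambdaActions.length === 0) return true;          // does not touch Lambda
    const resources = asList(stmt.Resource);
    return lambdaActions.every((a) => a.toLowerCase() === 'lambda:invokefunction')
      && resources.length === 1 && resources[0] === expectedArn;
  });
}
```

Running lambdaAccessLimitedTo(unauthPolicy, FUNCTION_ARN) returns true for the document above and false as soon as a statement uses lambda:*, a bare "*", or a different function ARN.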



Figure 7.8. The function ARN, which you need to identify a function as a resource in a policy, is on the top right in the AWS Lambda console.

To check the syntax of the policy, you can use the Validate Policy button (figure 7.9). If everything is okay, select Apply Policy to confirm your changes.

Figure 7.9. When editing a policy document in the AWS IAM Console, you can verify the syntax via the Validate Policy button before applying your changes.

7.1.3. Creating the web page

Now that the permissions are set, you can prepare an HTML web page for your users. For manageability, it’s better to put all the JavaScript client-side logic in a separate file that’s executed by the web page as a script on loading. Create two files (index.html and greetings.js) in the same directory on your computer and edit them with the code in listings 7.2 and 7.3, respectively.

Tip

If your web browser supports a developer mode with an error console, activate that feature now. It’s useful for debugging and understanding what’s happening if something goes wrong. For example, in Chrome in the View menu, you have a Developer section where you can select the JavaScript Console. In Firefox, in the Tools menu, you have a Web Developer section where you can enable the Web Console. In Safari, in the Advanced Preferences, you can enable the Develop menu and then select Show Error Console there.

Listing 7.2. GreetingsOnDemand HTML page



Listing 7.3. greetings.js (JavaScript in the browser)
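
The book’s greetings.js is not reproduced on this page. As an added example (not the book’s listing), the following shows how the page’s JavaScript can obtain temporary credentials for the unauthenticated identity and call greetingsOnDemand with the AWS SDK for JavaScript v2; it assumes the SDK script tag has defined the global AWS, that the function returns a JSON-encoded string, and the identity pool ID, region and helper names are placeholders of my own.

```javascript
// Added example, not the book's greetings.js. Assumes the AWS SDK for
// JavaScript v2 is loaded in the page as the global `AWS`. The pool ID and
// region are placeholders: use the values shown in the Cognito console.
const IDENTITY_POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000';
const AWS_REGION = 'us-east-1';
const FUNCTION_NAME = 'greetingsOnDemand';

// Cognito issues short-lived credentials for the unauthenticated role, so
// no long-term access key ever appears in the page source.
function makeLambdaClient(AWSNamespace) {
  AWSNamespace.config.region = AWS_REGION;
  AWSNamespace.config.credentials = new AWSNamespace.CognitoIdentityCredentials({
    IdentityPoolId: IDENTITY_POOL_ID,
  });
  return new AWSNamespace.Lambda();
}

// Builds the invoke request; the event carries only the trimmed name,
// and an empty name sends an empty event rather than an empty string.
function buildInvokeParams(name) {
  const trimmed = (name || '').trim();
  return {
    FunctionName: FUNCTION_NAME,
    InvocationType: 'RequestResponse',
    Payload: JSON.stringify(trimmed ? { name: trimmed } : {}),
  };
}

// Converts the invoke() result to the greeting. FunctionError marks an error
// the function did not handle; its payload is never shown as a greeting.
function parseGreeting(data) {
  if (data.FunctionError) {
    throw new Error('greetingsOnDemand failed: ' + data.FunctionError);
  }
  const text = typeof data.Payload === 'string'
    ? data.Payload : new TextDecoder().decode(data.Payload);
  return JSON.parse(text);
}

// lambdaClient is anything with invoke(params, callback): the real client
// from makeLambdaClient(AWS) in the browser, or a test double.
function greet(lambdaClient, name) {
  return new Promise((resolve, reject) => {
    lambdaClient.invoke(buildInvokeParams(name), (err, data) => {
      if (err) return reject(err);
      try { resolve(parseGreeting(data)); } catch (e) { reject(e); }
    });
  });
}
```

In the browser, the page calls greet(makeLambdaClient(AWS), nameFromForm) and writes the resolved string into the document; the promise rejects on an SDK error or an unhandled function error.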


