
Configuring User Access with AWS Cognito

User Pool

Log in to Amazon Cognito and create a user pool.


Create a user pool for a single-page application (SPA), give it a name, and choose the sign-in attribute (for example the e-mail address) and the sign-up options.


Afterwards, note down the User pool ID.


Identity Pool

Next, open the identity pool list and create an identity pool.


Pool Trust

Select Authenticated access and Amazon Cognito user pool.


Permissions

Create a new IAM role or select an existing one. This role is assumed by every authenticated user of the identity pool, so grant it only the permissions the Management Server's users actually need.


Connect Provider

Select the user pool and its app client ID.


Properties

Pick a name for the identity pool.


Connect Cognito to API

Gather Details

Go to the user pool overview, note down the User pool ID, and click App clients in the menu.


The app client list shows the Client ID.


Next, head over to the Identity pools list and note down the Identity pool ID.


Config API

You now have all the information needed to fill in the configuration. Click the configuration icon in the top right of your API website.


AWS Cognito is not enabled yet; fill in the form with the IDs you noted down (User pool ID, Client ID and Identity pool ID) and confirm.

Sign Up

Once AWS Cognito is enabled, log out and go back to the login page:


Create an account. As the final step you will receive a confirmation code, which you enter to verify the account.


You are now logged in as a user.

Disable Self Sign Up

As seen in the previous steps, anyone who can reach the login page can sign up for an account and sign in. For a management server this is almost certainly undesirable and a security issue you want to close.

To prevent strangers from signing up, go back to the user pool and disable self-service sign-up under the Sign-up menu.


Click Edit and disable Self-registration.

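With self-registration off, new users have to be created by an administrator. The following script is an added example and not part of the MMBatch documentation: it checks through the AWS CLI that the pool really has self-service sign-up disabled (the AllowAdminCreateUserOnly flag in the pool configuration) and then creates a user with a permanent password, without sending the Cognito welcome e-mail. The variable names USER_POOL_ID, NEW_USER_EMAIL and NEW_USER_PASSWORD and the `provision` argument are assumptions of the example; the CLI credentials need permission to call DescribeUserPool, AdminCreateUser and AdminSetUserPassword, and the password has to satisfy the pool's password policy.

```shell
#!/bin/sh
# Added example (not from the MMBatch docs): confirm self-registration is off,
# then provision a user as an administrator instead of letting people sign up.
# Assumed inputs: USER_POOL_ID, NEW_USER_EMAIL, NEW_USER_PASSWORD (environment).

# Given the JSON printed by `aws cognito-idp describe-user-pool`, succeed only if
# AllowAdminCreateUserOnly is true, i.e. self-service sign-up is disabled.
self_signup_disabled() {
    printf '%s' "$1" | grep -Eq '"AllowAdminCreateUserOnly"[[:space:]]*:[[:space:]]*true'
}

# Fetch the live pool configuration and run the check above (network call).
check_pool() {
    json=$(aws cognito-idp describe-user-pool --user-pool-id "$1" --output json)
    if self_signup_disabled "$json"; then
        echo "self-service sign-up is disabled for $1"
    else
        echo "WARNING: self-service sign-up is still enabled for $1" >&2
        return 1
    fi
}

# Create the user with MESSAGE_ACTION=SUPPRESS (no welcome mail with a temporary
# password) and immediately set a permanent password, so the first login does not
# end in a NEW_PASSWORD_REQUIRED challenge. email_verified=true lets the user sign
# in with the e-mail address right away.
create_user() {
    pool_id=$1; email=$2; password=$3
    aws cognito-idp admin-create-user \
        --user-pool-id "$pool_id" \
        --username "$email" \
        --user-attributes Name=email,Value="$email" Name=email_verified,Value=true \
        --message-action SUPPRESS \
        --temporary-password "$password" >/dev/null
    aws cognito-idp admin-set-user-password \
        --user-pool-id "$pool_id" \
        --username "$email" \
        --password "$password" \
        --permanent
    echo "created $email in $pool_id"
}

# Only talk to AWS when explicitly asked to; the functions can also be sourced.
if [ "${1:-}" = "provision" ]; then
    : "${USER_POOL_ID:?set USER_POOL_ID}" "${NEW_USER_EMAIL:?set NEW_USER_EMAIL}" \
      "${NEW_USER_PASSWORD:?set NEW_USER_PASSWORD}"
    check_pool "$USER_POOL_ID" || exit 1
    create_user "$USER_POOL_ID" "$NEW_USER_EMAIL" "$NEW_USER_PASSWORD"
fi
```

Run it as `USER_POOL_ID=... NEW_USER_EMAIL=... NEW_USER_PASSWORD=... sh provision.sh provision`. The script refuses to create the user if the pool still allows self-service sign-up, so it doubles as a quick audit that the console change from the previous step actually took effect.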

Create Bearer Token

Since Cognito is now enabled, you need a bearer token to access the API endpoint.

Go back to the user pool details and click App clients.


Click Edit and enable the first four authentication flows. The CLI command below relies on ALLOW_ADMIN_USER_PASSWORD_AUTH; if you want to be stricter, enable only the flows you actually use.


Now use the AWS CLI to create a token. The admin-initiate-auth call is made with your own AWS credentials, which need the cognito-idp:AdminInitiateAuth permission on the pool. Note that a password passed on the command line ends up in your shell history, so prefer supplying it from an environment variable or a prompt.

aws cognito-idp admin-initiate-auth \
    --user-pool-id <poolID> \
    --client-id <clientID> \
    --auth-flow ADMIN_USER_PASSWORD_AUTH \
    --auth-parameters "USERNAME=christian.xxxx@memverge.com,PASSWORD=XYZ"

The output looks like this (pool ID, client ID and tokens are placeholders):

$ aws cognito-idp admin-initiate-auth \
    --user-pool-id ap-south-xxx \
    --client-id yyy \
    --auth-flow ADMIN_USER_PASSWORD_AUTH \
    --auth-parameters "USERNAME=christian.xxxx@memverge.com,PASSWORD=XYZ"
{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "TOKEN1",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "TOKEN2",
        "IdToken": "TOKEN3"
    }
}

Now you can access the API server with curl again. Send the AccessToken (TOKEN1) as the bearer token; the IdToken carries the user's identity claims for the client, and the RefreshToken is only used to obtain new tokens once the access token expires (after ExpiresIn seconds).

curl -sX GET http://127.0.0.1:8080/api/v1/config -H "Content-Type: application/json" \
  -H "Authorization: bearer TOKEN1"|jq .
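The two commands above can be wrapped in a script that keeps the password out of the shell history, checks that the token it is about to send really is the access token and has not expired, calls the API, and can renew the token with the refresh token. This is an added example and not code from the MMBatch project; the environment variables USER_POOL_ID, CLIENT_ID, COGNITO_USER and COGNITO_PASSWORD, the `run` argument and the JWT helper functions are assumptions of the example, and the claim extraction relies on Cognito's compact JWT payload format (JSON without whitespace between keys and values).

```shell
#!/bin/sh
# Added example (not from the MMBatch docs): obtain Cognito tokens without putting
# the password on the command line, verify the token before sending it, call the
# API, and refresh. Assumed inputs: USER_POOL_ID, CLIENT_ID, COGNITO_USER and
# COGNITO_PASSWORD in the environment; API_URL defaults to the URL used on this page.
API_URL=${API_URL:-http://127.0.0.1:8080/api/v1/config}

# base64url-encode stdin (JWT alphabet, no padding); only used to build test tokens.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Decode the payload (second dot-separated part) of a JWT and print it as JSON.
jwt_payload() {
    part=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # restore the base64 padding that the JWT encoding strips
    case $(( ${#part} % 4 )) in
        2) part="$part==" ;;
        3) part="$part=" ;;
    esac
    printf '%s' "$part" | base64 -d
}

# Extract one string or numeric claim from a compact (unspaced) JSON JWT payload.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Succeed only for a Cognito *access* token that is still valid. The ID token is
# meant for the client application; an API expects the access token. This does not
# verify the signature, which is the API server's job (against the pool's JWKS).
check_access_token() {
    tok=$1
    [ "$(jwt_claim "$tok" token_use)" = "access" ] || { echo "not an access token" >&2; return 1; }
    exp=$(jwt_claim "$tok" exp)
    [ "$exp" -gt "$(date +%s)" ] || { echo "token expired" >&2; return 1; }
}

# Pull a string-valued field out of the (pretty-printed) AWS CLI JSON response.
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Log in with ADMIN_USER_PASSWORD_AUTH. The password comes from the environment, so
# it does not land in shell history. (The shorthand map syntax breaks on passwords
# containing ',' or '='; use the JSON form of --auth-parameters in that case.)
login() {
    aws cognito-idp admin-initiate-auth \
        --user-pool-id "$USER_POOL_ID" --client-id "$CLIENT_ID" \
        --auth-flow ADMIN_USER_PASSWORD_AUTH \
        --auth-parameters "USERNAME=$COGNITO_USER,PASSWORD=$COGNITO_PASSWORD" \
        --output json
}

# Exchange the refresh token for a fresh access and ID token (no IAM credentials
# needed for this call). Requires ALLOW_REFRESH_TOKEN_AUTH on the app client.
refresh() {
    aws cognito-idp initiate-auth \
        --client-id "$CLIENT_ID" --auth-flow REFRESH_TOKEN_AUTH \
        --auth-parameters "REFRESH_TOKEN=$1" --output json
}

call_api() {
    curl -sS -H "Authorization: Bearer $1" -H "Content-Type: application/json" "$API_URL"
}

# Only talk to AWS and the API when explicitly asked to.
if [ "${1:-}" = "run" ]; then
    resp=$(login) || exit 1
    access=$(json_field "$resp" AccessToken)
    check_access_token "$access" || exit 1
    call_api "$access"
fi
```

Run it as `USER_POOL_ID=... CLIENT_ID=... COGNITO_USER=... COGNITO_PASSWORD=... sh token.sh run`. Keeping the three tokens apart matters: if the ID token is sent by mistake, an API that checks the token_use claim rejects it, and one that does not check it accepts a token that was never meant for it. The refresh function is what a long-running client should call when check_access_token starts failing on expiry, instead of logging in with the password again.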

Strangers can no longer sign up and gain access to MMBatch's Management Server.