Amazon Cognito + Lambda + S3 + IAM
3 likes937 views
The document discusses the implementation of granting access to downloadable paid resources on a mobile app using AWS services like Cognito, Lambda, IAM, and S3. It details steps for managing user authentication and permissions, including the use of signed URLs and IAM policies to restrict access to specific content based on the user's identity. Additionally, it outlines the process to synchronize user data and update access permissions dynamically via Lambda functions.
![Granting access to
downloadable [paid]
resources in mobile app
using AWS Cognito + Lambda + IAM + S3](https://image.slidesharecdn.com/amazons3cognitolambda-150902202108-lva1-app6892/85/Amazon-Cognito-Lambda-S3-IAM-1-320.jpg)
![Amazon IAM policy
'{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::zequest*"],
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:sub": ["us-east-1:3abb829b-82c1-4ac5-85fa-4dc566c6acfb"]
}
}
}
]
}'
Content access is granted through Resource section
User is identified with Cognito IdentityId](https://image.slidesharecdn.com/amazons3cognitolambda-150902202108-lva1-app6892/85/Amazon-Cognito-Lambda-S3-IAM-5-320.jpg)
Amazon Cognito + Lambda + S3 + IAM
- 1. Granting access to downloadable [paid] resources in mobile app using AWS Cognito + Lambda + IAM + S3
- 2. Goal ● we have paid downloadable content (in the form of JSON files on Amazon S3) ● we need to give access to content from mobile application to specific users
- 3. Options ● Using signed URLs in Amazon S3 ● Managing access with custom developed backend or ● Amazon Cognitor + Lambda + IAM + S3
- 4. Granting access to Quest ● each Quest is saved as Amazon S3 object in JSON format ● Objects are not accessible publicly ● When user buys or open Quest in application, we need to update Amazon IAM Role policy
- 5. Amazon IAM policy '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::zequest*"], "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:sub": ["us-east-1:3abb829b-82c1-4ac5-85fa-4dc566c6acfb"] } } } ] }' Content access is granted through Resource section User is identified with Cognito IdentityId
- 6. 1. User can be non- authenticated until “Go to quest” phase 2. Non-authenticated user is proposed to authenticate with Facebook/Twitter/Google+ 3. Every user gets Cognito IdentityId (used in IAM policies)
- 7. 1. User select content and click “Download” (running man icon on image) 2. Depending on content type (in-app purchase or free) user passes (or skip) payment phase
- 8. Update Amazon Cognito dataset AWS.config.region = 'us-east-1'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'us-east-1:123123123123123123123', }); AWS.config.credentials.get(function() { var syncClient = new AWS.CognitoSyncManager(); syncClient.openOrCreateDataset('quests', function(err, dataset) { dataset.put('123456789', 'yourJSONValueForQuestData', function(err, record){ dataset.synchronize({ onSuccess: function(data, newRecords) { console.log("successful"); } }); }); }); }); https://gist.github.com/werdan/3d8b7ad34cf60649a074 NB! Synchronization is done only if there are changes in dataset
- 9. Amazon Cognito - Lambda events ● on Cognito dataset synchronization you can launch Amazon Lambda function ● This function, using AWS IAM API, updates Policy for authenticated user (using Cognito IdentityId) ● Amazon Lambda event handling is synchronous
- 10. Amazon Lambda pseudo-code ● get Cognito IdentityId ● get current policy for this user ● update policy with access to new Amazon S3 object
- 11. Amazon Lambda example var AWS = require('aws-sdk'); var iam = new AWS.IAM(); var params = { RoleName: 'Cognito_ZeQuestAuth_Role', PolicyDocument: JSON.stringify(policy), PolicyName: "us-east-1@3abb829b-82c1-4ac5-85fa-4dc56612313213" }; iam.putRolePolicy(params, function(err, data) { if (err) console.log(err, err.stack); else console.log(data); });