Slide 1

Using Cognito UserPools in practice
Classmethod, Inc. Yuki Tannai
実践SERVERLESS (Practical Serverless) #cmdevio 1

Slide 2

About me
• Yuki Tannai (丹内優紀)
• @yuukigoodman
• Programs that run on servers, AWS, and the like

Slide 3

Agenda
• Serverless and Cognito
• Cognito User Pools
• Using Cognito in practice

Slide 4

Serverless and Cognito

Slide 5

What is a serverless architecture?

Slide 6

"Infrastructure that triggers non-resident processes in response to events" [1] — @zerobase
[1] http://qiita.com/zerobase/items/3bc0d15980b472af841d

Slide 7

What is a serverless architecture?
• Non-resident processes that are executed when triggered by infrastructure or application events
• The code's execution environment is provided as a fully managed service
• AWS Lambda is the best-known way of realizing it

Slide 8

The problems serverless aims to solve
• Running simple programs without EC2
  • Operational effort
  • Saving money
• Reducing the amount of non-essential code in the application
There are approaches other than Lambda as well.

Slide 9

Amazon Cognito

Slide 10

What is Cognito?
• A fully managed service that supports authentication and authorization for applications

Slide 11

• Cognito Identity
  • Federated Identity
  • User Pools
• Cognito Sync
  • Sync Store
  • Cognito Events
  • Cognito Streams

Slide 12

Cognito Identity
• Provides functionality to users who were authenticated externally
• Federated Identity
  • Consolidates identities coming from external authentication services
  • Authentication as an anonymous (unauthenticated) user is also possible
  • Multiple Identity Providers can be merged into a single Identity

Slide 13

• STS
  • Securely issues access keys for AWS
  • Integrates with IAM through AssumeRole, Condition blocks, and so on

Slide 14

(no slide text)

Slide 15

(no slide text)

Slide 16

Cognito Sync
• Provides synchronization of user data
• Sync Store
  • A data store that can be used like a KVS
  • Through the SDK, integration with local storage is easy as well

Slide 17

• Cognito Streams
  • Receives Sync events and sends them to Kinesis Streams
• Cognito Events
  • Receives Sync events and synchronously executes a Lambda Function

Slide 18

Cognito User Pools

Slide 19

What is Cognito User Pools?
• An Identity Provider offered by AWS
• Can register, manage, and authenticate users
• Can also integrate with Federated Identity
• Has the full set of authentication features a typical web service needs: passwords, MFA, confirmation e-mails, and so on

Slide 20

Finally GA!

Slide 21

Demo: awslabs/aws-cognito-angular2-quickstart [2]
[2] https://github.com/awslabs/aws-cognito-angular2-quickstart

Slide 22

User Pools features

Slide 23

User registration
• Set a unique user name
• Password authentication, with MFA available as an option
• A password policy can be configured

Slide 24

Attributes
• Frequently used user attributes can be configured
• Aliases let you specify which attribute is used for login
• Custom attributes can be defined

Slide 25

E-mail/SMS verification and MFA
• At user registration, a temporary verification code is issued to confirm that the address is valid
• The message templates can be edited as well
• MFA can be configured

Slide 26

Device tracking
• Sets how many devices the same user may stay logged in on
• When enabled, at first login a tracking token separate from authentication is issued per device
• Devices with tracking enabled can also be allowed to skip MFA

Slide 27

Device tracking
• Administrators can fetch the device list through a REST API that is not exposed in the SDK
• Global Sign-out (signing the same user out of all devices) and sign-out with administrator privileges are also possible

Slide 28

App
• The entity through which unauthenticated users call APIs such as login and password reset
• Has a Token and a Secret; browser apps can also work without the Secret

Slide 29

App
• Multiple apps can be created, for example one per platform
• Not meant for handing out to unspecified third parties the way a Relying Party would be

Slide 30

Trigger
• A Lambda Function can be executed when specified events occur
• Enables various extensions such as customizing security features and event tracking

Slide 31

Cognito Identity integration
• Usable as a Federated Identity provider
• Access permissions to AWS resources can be securely issued to users authenticated by User Pools

Slide 32

(no slide text)

Slide 33

API Gateway integration
• API Gateway authorization can use the authentication information from User Pools
• Configure the User Pool from the API Gateway management console

Slide 34

(no slide text)

Slide 35

Using Cognito in practice

Slide 36

Policy variables
• Grant permissions only to resources that match the ID assigned by Cognito
• Lets you safely perform operations without going through a server
• Write the variable in the IAM Condition block

Slide 37

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["dynamodb:Query"],
          "Resource": [
            "arn:aws:dynamodb:ap-northeast-1::table/projects",
            "arn:aws:dynamodb:ap-northeast-1::table/projects/index/*"
          ],
          "Condition": {
            "ForAllValues:StringEquals": {
              "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
            }
          }
        }
      ]
    }

Slide 38

The S3 case [5]

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"],
          "Condition": {"StringLike": {"s3:prefix": ["cognito/mynumbersgame/"]}}
        },
        {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
          "Resource": [
            "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}",
            "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*"
          ]
        }
      ]
    }

[5] http://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/accesspolicies_examples.html#iam-policy-example-cognito

Slide 39

Variables such as the following are available [3]
• ${cognito-identity.amazonaws.com:sub}
• ${www.amazon.com:user_id}
• ${accounts.google.com:sub}
• ${graph.facebook.com:id}
[3] http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/specifying-conditions.html
    http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/WIF.RunningYourApp.html

Slide 40

OIDC Provider
• Identity Providers other than Web/UserPools that can be configured in Federated Identity
• Google, Salesforce, and so on
• Add the OIDC Provider in IAM, then configure it in Federated Identity
• SAML is now supported as well

Slide 41

(no slide text)

Slide 42

Limits under heavy request load
• "Maximum number for a single list/API lookup call: 60" [4]
• Is there no limit on calls from the app?
• When I was mistakenly hammering a different region, I was told "we have throttled you"
[4] http://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/limits.html

Slide 43

Trust Relationship
• The policy that determines which token issuers are allowed to Assume Role
• If you create the Role from the Cognito wizard, it is set up correctly
• Editing it by hand is a common pitfall, so be careful:
  AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity

Slide 44

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"Federated": "cognito-identity.amazonaws.com"},
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "cognito-identity.amazonaws.com:aud": "us-east-1:aaaa-bbbb-cccc-dddd-1111-2222"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "authenticated"
            }
          }
        }
      ]
    }

Slide 45

• aud specifies the Cognito Identity Pool ID
• amr specifies the provider
• For example, in the Facebook case:
  "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "graph.facebook.com"}
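Added example, not part of the deck: a small Python evaluator for the two Condition blocks the slides rely on, the dynamodb:LeadingKeys scoping of slide 37 and the aud/amr trust policy of slides 44 and 45. It models only the StringEquals/StringLike operators and the ForAllValues/ForAnyValue set qualifiers used here; the identity ids fed to it are constructed, and only the identity pool id comes from the deck.

```python
import fnmatch

IDENTITY_POOL_ID = "us-east-1:aaaa-bbbb-cccc-dddd-1111-2222"  # pool id from the deck's trust policy

def resolve(value, variables):
    """Substitute ${key} IAM policy variables with the caller's values."""
    for name, actual in variables.items():
        value = value.replace("${" + name + "}", actual)
    return value

def match(op, expected, actual):
    if op == "StringEquals":
        return expected == actual
    if op == "StringLike":  # IAM's * and ? wildcards map onto fnmatch
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError("unsupported operator: " + op)

def condition_holds(condition, request_keys, variables):
    """Evaluate an IAM Condition block; request_keys maps each context key
    to the list of values present in the request."""
    for qualified_op, clauses in condition.items():
        set_op, _, op = qualified_op.rpartition(":")
        for key, expected in clauses.items():
            values = expected if isinstance(expected, list) else [expected]
            patterns = [resolve(v, variables) for v in values]
            actual = request_keys.get(key, [])
            hits = [any(match(op, p, a) for p in patterns) for a in actual]
            if set_op == "ForAllValues":
                ok = all(hits)  # as in IAM, an absent key also passes
            elif set_op == "ForAnyValue":
                ok = any(hits)
            else:
                ok = len(actual) == 1 and hits[0]  # single-valued key
            if not ok:
                return False
    return True

def query_allowed(leading_keys, caller_sub):
    """Slide 37: every partition key the Query touches must equal the caller's sub."""
    condition = {"ForAllValues:StringEquals":
                 {"dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}}
    return condition_holds(condition, {"dynamodb:LeadingKeys": leading_keys},
                           {"cognito-identity.amazonaws.com:sub": caller_sub})

def assume_role_allowed(aud, amr, provider="authenticated"):
    """Slide 44: aud must be this identity pool and amr must include the provider."""
    condition = {"StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
                 "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": provider}}
    return condition_holds(condition, {"cognito-identity.amazonaws.com:aud": [aud],
                                       "cognito-identity.amazonaws.com:amr": amr}, {})
```

A Query that touches a second user's partition key is denied outright rather than filtered, and a token from a different identity pool or an unauthenticated amr never satisfies the trust policy, which is the behaviour to expect when hand-editing either block.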

Slide 46

Summary

Slide 47

• User Pools lets you move authentication to AWS
• Integrating with Cognito Identity lets you move even more functionality to AWS
• Head toward serverless in a way that fits your own business

Slide 48

End