cognito-userpools-in-production

Transcript

1. ࣮ࡍʹ࢖͏ Cognito UserPools Classmethod, Inc. Yuki Tannai ࣮ફSERVERLESS #cmdevio ࣮ફserverless

   #cmdevio 1

2. ࣗݾ঺հ • ୮಺༏ل • @yuukigoodman • αʔόͰಈ͘ϓϩάϥϜͱ͔AWS ࣮ફserverless #cmdevio 2

3. Agenda • ServerlessͱCognito • Cognito User Pools • CognitoΛ࣮ࡍʹ࢖͏ͨΊʹ ࣮ફserverless

   #cmdevio 3

4. Serverlessͱ Cognito ࣮ફserverless #cmdevio 4

5. ServerlessΞʔΩςΫνϟ ͱ͸ ࣮ફserverless #cmdevio 5

6. ඇৗறܕϓϩηε ΛΠϕϯτʹΑͬͯ τϦΨʔ͢ΔΠϯϑ ϥετϥΫνϟ1 — @zerobase 1 http://qiita.com/zerobase/items/3bc0d15980b472af841d ࣮ફserverless #cmdevio

   6

7. ServerlessΞʔΩςΫνϟͱ͸ • Πϯϑϥ΍ΞϓϦͷΠϕϯτΛτϦΨʔʹ࣮ߦ ͞ΕΔඇৗறϓϩηε • ίʔυͷ࣮ߦ؀ڥ͕ϑϧϚωʔδυαʔϏεͱ ͯ͠ఏڙ͞ΕΔ • AWS Lambda͕࣮ݱํ๏ͷ୅ද֨ͱͯ͠༗໊

   ࣮ફserverless #cmdevio 7

8. serverlessͰղܾ͍ͨ͠໰୊͸ • EC2ແ͠Ͱ؆୯ͳϓϩάϥϜΛӡ༻͍ͨ͠ • ӡ༻ͷखؒ • ͓ۚͷઅ໿ • ΞϓϦέʔγϣϯ͔Βຊ࣭Ͱͳ͍ίʔυΛগͳ ͍ͨ͘͠

   LambdaҎ֎ͷΞϓϩʔν΋͋Δ ࣮ફserverless #cmdevio 8

9. Amazon Cognito ࣮ફserverless #cmdevio 9

10. Cognitoͱ͸ • ΞϓϦέʔγϣϯͷೝূɾೝՄΛαϙʔτ͢Δ ϑϧϚωʔδυαʔϏε ࣮ફserverless #cmdevio 10

11. • Cognito Identity • Federated Identity • User Pools •

    Cognito Sync • Sync Store • Cognito Events • Cognito Streams ࣮ફserverless #cmdevio 11

12. Cognito Identity • ֎෦Ͱೝূ͞ΕͨϢʔβʹରͯ͠ػೳΛఏڙ͢ Δ • Federated Identity • ֎෦ͷೝূαʔϏε͔Βͷ໊دͤ

    • ಗ໊Ϣʔβͱͯ͠ͷೝূ΋Մೳ • ෳ਺ͷIdentity ProviderΛͻͱͭͷIdentity ͱͯ͠ϚʔδͰ͖Δ ࣮ફserverless #cmdevio 12

13. • STS • AWS΁ͷΞΫηεΩʔΛ҆શʹൃߦ͢Δ • AssumeRole΍ConditionઅͳͲIAMͱͷ࿈ ܞ ࣮ફserverless #cmdevio 13

14. ࣮ફserverless #cmdevio 14

15. ࣮ફserverless #cmdevio 15

16. Cognito Sync • ϢʔβσʔλͷಉظػೳΛఏڙ • Sync Store • KVSͷΑ͏ʹ࢖͑ΔσʔλετΞ •

    SDKܦ༝ͳΒϩʔΧϧετϨʔδͱͷ࿈ܞ ΋؆୯ ࣮ફserverless #cmdevio 16

17. • Cognito Streams • SyncΠϕϯτΛड৴ͯ͠Kinesis Streamsʹ ૹ৴͢Δ • Cognito Events

    • SyncΠϕϯτΛड৴ͯ͠Lambda Function Λಉظ࣮ߦ͢Δ ࣮ફserverless #cmdevio 17

18. Cognito User Pools ࣮ફserverless #cmdevio 18

19. Cognito User Poolsͱ͸ • AWS͕ఏڙ͢ΔIdentity Provider • Ϣʔβͷొ࿥΍؅ཧɺೝূΛߦͳ͏͜ͱ͕Ͱ͖ Δ •

    Federated Identityͱ΋࿈ܞͰ͖Δ • ύεϫʔυ΍MFAɺ֬ೝϝʔϧͷૹ৴ͳͲҰൠ తͳWebαʔϏεʹඞཁͳೝূػೳΛҰ௨Γ ͍࣋ͬͯΔ ࣮ફserverless #cmdevio 19

20. ͍ͭʹGA! ࣮ફserverless #cmdevio 20

21. σϞ awslabs/aws-cognito-angular2-quickstart2 2 https://github.com/awslabs/aws-cognito-angular2-quickstart ࣮ફserverless #cmdevio 21

22. User Poolsͷػೳ ࣮ફserverless #cmdevio 22

23. Ϣʔβొ࿥ • ϢχʔΫͳϢʔβ໊Λઃఆ • ύεϫʔυೝূͱɺΦϓγϣϯͰMFAΛར༻ Մೳ • ύεϫʔυϙϦγʔΛઃఆՄೳ ࣮ફserverless #cmdevio

    23

24. ΞτϦϏϡʔτ • ࢖ΘΕΔػձ͕ଟ͍ϢʔβଐੑΛઃఆՄೳ • ΤΠϦΞεʹΑͬͯɺϩάΠϯͰ࢖༻͢Δଐੑ ΛࢦఆͰ͖Δ • ಠࣗͷΞτϦϏϡʔτΛઃఆͰ͖Δ ࣮ફserverless #cmdevio

    24

25. ϝʔϧɾSMSͷ֬ೝͱMFA • Ϣʔβొ࿥࣌ɺҰ࣌తͳೝূίʔυΛൃߦ͢Δ ͜ͱͰ༗ޮͳѼઌͰ͋Δ͜ͱΛ֬ೝ • ϝοηʔδͷςϯϓϨʔτ΋ฤूՄೳ • MFAͷઃఆ͕Մೳ ࣮ફserverless #cmdevio

    25

26. σόΠετϥοΩϯά • ಉҰϢʔβ͕ϩάΠϯঢ়ଶΛҡ࣋Ͱ͖Δ୺຤਺ ͷઃఆ • ༗ޮʹ͢ΔͱɺॳճϩάΠϯ࣌ʹೝূͱ͸ผʹ τϥοΩϯά༻్ͷτʔΫϯ͕σόΠε͝ͱʹ ൃߦ͞ΕΔ • τϥοΩϯά͕༗ޮͳ୺຤͸MFAΛεΩοϓ͢

    Δ͜ͱ΋Ͱ͖Δ ࣮ફserverless #cmdevio 26

27. σόΠετϥοΩϯά • ؅ཧऀ͸ɺSDKඇެ։ͷREST API͔ΒσόΠε ϦετΛऔಘͰ͖Δ • Global Sign-out(ಉҰϢʔβͷશ୺຤αΠϯΞ ΢τ)΍؅ཧऀݖݶͰͷαΠϯΞ΢τ΋Մೳ ࣮ફserverless

    #cmdevio 27

28. App • ඇೝূϢʔβ͕ϩάΠϯ΍ύεϫʔυ࠶ൃߦͳ ͲͷAPIΛ࣮ߦ͢ΔͨΊͷΤϯςΟςΟ • TokenͱSecretɻϒϥ΢βΞϓϦ͸SecretΛ࢖ Θͳ͍͜ͱ΋Ͱ͖Δ ࣮ફserverless #cmdevio 28

29. App • ྫ͑͹ϓϥοτϑΥʔϜ͝ͱͳͲɺෳ਺࡞੒Մ ೳ • Relying PartyͷΑ͏ͳෆಛఆͷୈࡾऀʹఏڙ͢ Δ༻్Ͱ͸࢖Θͳ͍ ࣮ફserverless #cmdevio

    29

30. Trigger • ॴఆͷΠϕϯτΛτϦΨʔʹͯ͠Lambda Functionͷ࣮ߦ͕Մೳ • ηΩϡϦςΟػೳͷΧελϚΠζ΍ɺΠϕϯτ τϥοΩϯάͳͲ༷ʑͳ֦ு͕Մೳ ࣮ફserverless #cmdevio 30

31. Cognito Identity࿈ܞ • Federated IdentityͷϓϩόΠμͱͯ͠ར༻Մ ೳ • User PoolsೝূϢʔβʹରͯ͠AWSϦιʔε΁ ͷΞΫηεݖݶΛ҆શʹൃߦͰ͖Δ

    ࣮ફserverless #cmdevio 31

32. ࣮ફserverless #cmdevio 32

33. API Gateway࿈ܞ • API GatewayͰͷೝՄͰɺUser Poolsͷೝূ৘ ใΛར༻Ͱ͖Δ • API GatewayͷϚωδϝϯτίϯιʔϧ͔Β

    User PoolΛઃఆ͢Δ ࣮ફserverless #cmdevio 33

34. ࣮ફserverless #cmdevio 34

35. CognitoΛ ࣮ࡍʹ࢖͏ͨΊʹ ࣮ફserverless #cmdevio 35

36. ϙϦγʔม਺ • CognitoʹׂΓ౰ͯΒΕΔIDʹҰக͢ΔϦιʔ εͷΈ΁ͷݖݶൃߦ • αʔόΛհ͞ͳ͍ॲཧΛ҆શʹߦ͑Δ • IAMͷConditionઅʹม਺Λهࡌ ࣮ફserverless #cmdevio

    36

37. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "dynamodb:Query" ], "Resource": [ "arn:aws:dynamodb:ap-northeast-1:<Account ID>:table/projects", "arn:aws:dynamodb:ap-northeast-1:<Account ID>:table/projects/index/*" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ] } } } ] } ࣮ફserverless #cmdevio 37

38. S3ͷ৔߹5 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action":

    ["s3:ListBucket"], "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"], "Condition": {"StringLike": {"s3:prefix": ["cognito/mynumbersgame/"]}} }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}", "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*" ] } ] } 5 http://docs.aws.amazon.com/jajp/IAM/latest/UserGuide/accesspolicies_examples.html#iam- policy-example-cognito ࣮ફserverless #cmdevio 38

39. ͜ͷΑ͏ͳม਺͕ར༻Մೳ3 • ${cognito-identity.amazonaws.com:sub} • ${www.amazon.com:user_id} • ${accounts.google.com:sub} • ${graph.facebook.com:id} 3

    http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/specifying- conditions.html http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/ WIF.RunningYourApp.html ࣮ફserverless #cmdevio 39

40. OIDC Provider • Web/UserPoolsͷଞʹFederated Identityʹઃ ఆՄೳͳIdentity Provider • Google΍SalseforceͳͲ •

    IAMʹOIDC ProviderΛ௥Ճ͠ɺFederated Identityʹઃఆ͢Δ • SAML΋࢖͑ΔΑ͏ʹͳΓ·ͨ͠ ࣮ફserverless #cmdevio 40

41. ࣮ફserverless #cmdevio 41

42. େྔϦΫΤετ࣌ͷ੍ݶ • ʮ1 ͭͷϦετ/API ࢀরݺͼग़͠ͷ࠷େ਺ 60ʯ4 • ΞϓϦ͔Βͷݺͼग़͠ͷ੍ݶ͸ແ͍ʁ • ؒҧ͑ͯผϦʔδϣϯΛݺͼ·ͬͯͨ࣌͘

    ʹʮ੍ݶ͠ͱ͍ͨΑʯͱݴΘΕͨ 4 http://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/limits.html ࣮ફserverless #cmdevio 42

43. Trust Relationship • ͲͷTokenൃߦऀʹରͯ͠Assume RoleΛڐՄ ͢Δ͔ͷϙϦγʔ • cognitoͷ΢Οβʔυ͔ΒRoleΛ࡞ΔͱͪΌΜ ͱઃఆ͞Ε͍ͯΔ •

    ࣗ෼Ͱฤू͢ΔͱϋϚΔͷͰ஫ҙ AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity ࣮ફserverless #cmdevio 43

44. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {

    "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:aaaa-bbbb-cccc-dddd-1111-2222" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } } } ] } ࣮ફserverless #cmdevio 44

45. • audͰCognito Identity Pool IDΛࢦఆ • amrͰϓϩόΠμΛࢦఆ • ྫ͑͹facebookͷ৔߹ "ForAnyValue:StringLike":

    { "cognito-identity.amazonaws.com:amr": "graph.facebook.com" } ࣮ફserverless #cmdevio 45

46. ·ͱΊ ࣮ફserverless #cmdevio 46

47. • User PoolsͰೝূػೳΛAWSʹҠͤΔ • Cognito Identityͱ࿈ܞͯ͠ߋʹػೳΛAWSʹ ҠͤΔ • ࣗ෼ͷϏδωεʹԊ͏΍ΓํͰαʔόϨεʹ޲ ͔͍ͬͯ͜͏

    ࣮ફserverless #cmdevio 47

48. End ࣮ફserverless #cmdevio 48