Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
cognito-userpools-in-production
Search
tannai
August 02, 2016
Technology
8.9k
4
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
cognito-userpools-in-production
http://classmethod.connpass.com/event/35523/
#cmdevio
tannai
August 02, 2016
More Decks by tannai
See All by tannai
redash patche at dmm
yuukigoodman
0
760
akibago-2018-10-30
yuukigoodman
0
85
serverless-design-and-streaming-date-processing-service
yuukigoodman
0
1k
alexa-changes-development-process
yuukigoodman
0
1.7k
VUIとAlexaによるちょっと未来の体験の話2
yuukigoodman
0
920
regrowth2016alexa
yuukigoodman
0
1.3k
Rails App Deployment with CodeDeploy
yuukigoodman
0
1.6k
aws-lambda-in-practice
yuukigoodman
2
2.1k
serverless-from-today
yuukigoodman
2
2.2k
Other Decks in Technology
See All in Technology
NDIAS CTF 2026 問題解説会資料
bata_24
0
180
Foxgloveについて 実際にExtensionを開発して公開するまでの話 / About Foxglove: The Story of Developing and Releasing an Extension
ry0_ka
0
190
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
4
4.6k
はじめてのWDM
miyukichi_ospf
1
130
AI駆動開発におけるQAエンジニアの役割事例 〜AI駆動開発の現場から〜
kobayashiyorimitsu
0
420
“ID沼入口” - 基本とセキュリティから始める、考え続けるためのID管理技術勉強会 告知&イントロ
ritou
0
450
『AIに負けない』より『AIと遊ぶ』」〜ワクワクが最強のテスト・QA学習戦略_公開用
odan611
2
540
実装だけじゃない! CCA-F取得エンジニアが教えるClaude Code開発プロセス活用術
diggymo
2
480
ローカルLLMとLINE Botの組み合わせ その3 / LINE DC Generative AI Meetup #8
you
PRO
0
130
なぜ私たちのSREプラクティスはなかなか機能しないのか 〜システムより先に組織を見る〜 / Why our SRE practices aren't really working
vtryo
3
3k
脱金融のフューチャー・デザイン / Future Design Beyond Finance
ks91
PRO
0
140
ゼロをイチにする仕事が終わったあと
smasato
0
320
Featured
See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.5k
Designing Powerful Visuals for Engaging Learning
tmiket
1
440
Testing 201, or: Great Expectations
jmmastey
46
8.2k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.5k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
1
370
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2.1k
RailsConf 2023
tenderlove
30
1.5k
Code Reviewing Like a Champion
maltzj
528
40k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.8k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
123
22k
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
270
Transcript
࣮ࡍʹ͏ Cognito UserPools Classmethod, Inc. Yuki Tannai ࣮ફSERVERLESS #cmdevio ࣮ફserverless
#cmdevio 1
ࣗݾհ • ୮༏ل • @yuukigoodman • αʔόͰಈ͘ϓϩάϥϜͱ͔AWS ࣮ફserverless #cmdevio 2
Agenda • ServerlessͱCognito • Cognito User Pools • CognitoΛ࣮ࡍʹ͏ͨΊʹ ࣮ફserverless
#cmdevio 3
Serverlessͱ Cognito ࣮ફserverless #cmdevio 4
ServerlessΞʔΩςΫνϟ ͱ ࣮ફserverless #cmdevio 5
ඇৗறܕϓϩηε ΛΠϕϯτʹΑͬͯ τϦΨʔ͢ΔΠϯϑ ϥετϥΫνϟ1 — @zerobase 1 http://qiita.com/zerobase/items/3bc0d15980b472af841d ࣮ફserverless #cmdevio
6
ServerlessΞʔΩςΫνϟͱ • ΠϯϑϥΞϓϦͷΠϕϯτΛτϦΨʔʹ࣮ߦ ͞ΕΔඇৗறϓϩηε • ίʔυͷ࣮ߦڥ͕ϑϧϚωʔδυαʔϏεͱ ͯ͠ఏڙ͞ΕΔ • AWS Lambda͕࣮ݱํ๏ͷද֨ͱͯ͠༗໊
࣮ફserverless #cmdevio 7
serverlessͰղܾ͍ͨ͠ • EC2ແ͠Ͱ؆୯ͳϓϩάϥϜΛӡ༻͍ͨ͠ • ӡ༻ͷखؒ • ͓ۚͷઅ • ΞϓϦέʔγϣϯ͔Βຊ࣭Ͱͳ͍ίʔυΛগͳ ͍ͨ͘͠
LambdaҎ֎ͷΞϓϩʔν͋Δ ࣮ફserverless #cmdevio 8
Amazon Cognito ࣮ફserverless #cmdevio 9
Cognitoͱ • ΞϓϦέʔγϣϯͷೝূɾೝՄΛαϙʔτ͢Δ ϑϧϚωʔδυαʔϏε ࣮ફserverless #cmdevio 10
• Cognito Identity • Federated Identity • User Pools •
Cognito Sync • Sync Store • Cognito Events • Cognito Streams ࣮ફserverless #cmdevio 11
Cognito Identity • ֎෦Ͱೝূ͞ΕͨϢʔβʹରͯ͠ػೳΛఏڙ͢ Δ • Federated Identity • ֎෦ͷೝূαʔϏε͔Βͷ໊دͤ
• ಗ໊Ϣʔβͱͯ͠ͷೝূՄೳ • ෳͷIdentity ProviderΛͻͱͭͷIdentity ͱͯ͠ϚʔδͰ͖Δ ࣮ફserverless #cmdevio 12
• STS • AWSͷΞΫηεΩʔΛ҆શʹൃߦ͢Δ • AssumeRoleConditionઅͳͲIAMͱͷ࿈ ܞ ࣮ફserverless #cmdevio 13
࣮ફserverless #cmdevio 14
࣮ફserverless #cmdevio 15
Cognito Sync • ϢʔβσʔλͷಉظػೳΛఏڙ • Sync Store • KVSͷΑ͏ʹ͑ΔσʔλετΞ •
SDKܦ༝ͳΒϩʔΧϧετϨʔδͱͷ࿈ܞ ؆୯ ࣮ફserverless #cmdevio 16
• Cognito Streams • SyncΠϕϯτΛड৴ͯ͠Kinesis Streamsʹ ૹ৴͢Δ • Cognito Events
• SyncΠϕϯτΛड৴ͯ͠Lambda Function Λಉظ࣮ߦ͢Δ ࣮ફserverless #cmdevio 17
Cognito User Pools ࣮ફserverless #cmdevio 18
Cognito User Poolsͱ • AWS͕ఏڙ͢ΔIdentity Provider • ϢʔβͷొཧɺೝূΛߦͳ͏͜ͱ͕Ͱ͖ Δ •
Federated Identityͱ࿈ܞͰ͖Δ • ύεϫʔυMFAɺ֬ೝϝʔϧͷૹ৴ͳͲҰൠ తͳWebαʔϏεʹඞཁͳೝূػೳΛҰ௨Γ ͍࣋ͬͯΔ ࣮ફserverless #cmdevio 19
͍ͭʹGA! ࣮ફserverless #cmdevio 20
σϞ awslabs/aws-cognito-angular2-quickstart2 2 https://github.com/awslabs/aws-cognito-angular2-quickstart ࣮ફserverless #cmdevio 21
User Poolsͷػೳ ࣮ફserverless #cmdevio 22
Ϣʔβొ • ϢχʔΫͳϢʔβ໊Λઃఆ • ύεϫʔυೝূͱɺΦϓγϣϯͰMFAΛར༻ Մೳ • ύεϫʔυϙϦγʔΛઃఆՄೳ ࣮ફserverless #cmdevio
23
ΞτϦϏϡʔτ • ΘΕΔػձ͕ଟ͍ϢʔβଐੑΛઃఆՄೳ • ΤΠϦΞεʹΑͬͯɺϩάΠϯͰ༻͢Δଐੑ ΛࢦఆͰ͖Δ • ಠࣗͷΞτϦϏϡʔτΛઃఆͰ͖Δ ࣮ફserverless #cmdevio
24
ϝʔϧɾSMSͷ֬ೝͱMFA • Ϣʔβొ࣌ɺҰ࣌తͳೝূίʔυΛൃߦ͢Δ ͜ͱͰ༗ޮͳѼઌͰ͋Δ͜ͱΛ֬ೝ • ϝοηʔδͷςϯϓϨʔτฤूՄೳ • MFAͷઃఆ͕Մೳ ࣮ફserverless #cmdevio
25
σόΠετϥοΩϯά • ಉҰϢʔβ͕ϩάΠϯঢ়ଶΛҡ࣋Ͱ͖Δ ͷઃఆ • ༗ޮʹ͢ΔͱɺॳճϩάΠϯ࣌ʹೝূͱผʹ τϥοΩϯά༻్ͷτʔΫϯ͕σόΠε͝ͱʹ ൃߦ͞ΕΔ • τϥοΩϯά͕༗ޮͳMFAΛεΩοϓ͢
Δ͜ͱͰ͖Δ ࣮ફserverless #cmdevio 26
σόΠετϥοΩϯά • ཧऀɺSDKඇެ։ͷREST API͔ΒσόΠε ϦετΛऔಘͰ͖Δ • Global Sign-out(ಉҰϢʔβͷશαΠϯΞ τ)ཧऀݖݶͰͷαΠϯΞτՄೳ ࣮ફserverless
#cmdevio 27
App • ඇೝূϢʔβ͕ϩάΠϯύεϫʔυ࠶ൃߦͳ ͲͷAPIΛ࣮ߦ͢ΔͨΊͷΤϯςΟςΟ • TokenͱSecretɻϒϥβΞϓϦSecretΛ Θͳ͍͜ͱͰ͖Δ ࣮ફserverless #cmdevio 28
App • ྫ͑ϓϥοτϑΥʔϜ͝ͱͳͲɺෳ࡞Մ ೳ • Relying PartyͷΑ͏ͳෆಛఆͷୈࡾऀʹఏڙ͢ Δ༻్ͰΘͳ͍ ࣮ફserverless #cmdevio
29
Trigger • ॴఆͷΠϕϯτΛτϦΨʔʹͯ͠Lambda Functionͷ࣮ߦ͕Մೳ • ηΩϡϦςΟػೳͷΧελϚΠζɺΠϕϯτ τϥοΩϯάͳͲ༷ʑͳ֦ு͕Մೳ ࣮ફserverless #cmdevio 30
Cognito Identity࿈ܞ • Federated IdentityͷϓϩόΠμͱͯ͠ར༻Մ ೳ • User PoolsೝূϢʔβʹରͯ͠AWSϦιʔε ͷΞΫηεݖݶΛ҆શʹൃߦͰ͖Δ
࣮ફserverless #cmdevio 31
࣮ફserverless #cmdevio 32
API Gateway࿈ܞ • API GatewayͰͷೝՄͰɺUser Poolsͷೝূ ใΛར༻Ͱ͖Δ • API GatewayͷϚωδϝϯτίϯιʔϧ͔Β
User PoolΛઃఆ͢Δ ࣮ફserverless #cmdevio 33
࣮ફserverless #cmdevio 34
CognitoΛ ࣮ࡍʹ͏ͨΊʹ ࣮ફserverless #cmdevio 35
ϙϦγʔม • CognitoʹׂΓͯΒΕΔIDʹҰக͢ΔϦιʔ εͷΈͷݖݶൃߦ • αʔόΛհ͞ͳ͍ॲཧΛ҆શʹߦ͑Δ • IAMͷConditionઅʹมΛهࡌ ࣮ફserverless #cmdevio
36
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
"dynamodb:Query" ], "Resource": [ "arn:aws:dynamodb:ap-northeast-1:<Account ID>:table/projects", "arn:aws:dynamodb:ap-northeast-1:<Account ID>:table/projects/index/*" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ] } } } ] } ࣮ફserverless #cmdevio 37
S3ͷ߹5 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action":
["s3:ListBucket"], "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"], "Condition": {"StringLike": {"s3:prefix": ["cognito/mynumbersgame/"]}} }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}", "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*" ] } ] } 5 http://docs.aws.amazon.com/jajp/IAM/latest/UserGuide/accesspolicies_examples.html#iam- policy-example-cognito ࣮ફserverless #cmdevio 38
͜ͷΑ͏ͳม͕ར༻Մೳ3 • ${cognito-identity.amazonaws.com:sub} • ${www.amazon.com:user_id} • ${accounts.google.com:sub} • ${graph.facebook.com:id} 3
http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/specifying- conditions.html http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/ WIF.RunningYourApp.html ࣮ફserverless #cmdevio 39
OIDC Provider • Web/UserPoolsͷଞʹFederated Identityʹઃ ఆՄೳͳIdentity Provider • GoogleSalseforceͳͲ •
IAMʹOIDC ProviderΛՃ͠ɺFederated Identityʹઃఆ͢Δ • SAML͑ΔΑ͏ʹͳΓ·ͨ͠ ࣮ફserverless #cmdevio 40
࣮ફserverless #cmdevio 41
େྔϦΫΤετ࣌ͷ੍ݶ • ʮ1 ͭͷϦετ/API ࢀরݺͼग़͠ͷ࠷େ 60ʯ4 • ΞϓϦ͔Βͷݺͼग़͠ͷ੍ݶແ͍ʁ • ؒҧ͑ͯผϦʔδϣϯΛݺͼ·ͬͯͨ࣌͘
ʹʮ੍ݶ͠ͱ͍ͨΑʯͱݴΘΕͨ 4 http://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/limits.html ࣮ફserverless #cmdevio 42
Trust Relationship • ͲͷTokenൃߦऀʹରͯ͠Assume RoleΛڐՄ ͢Δ͔ͷϙϦγʔ • cognitoͷΟβʔυ͔ΒRoleΛ࡞ΔͱͪΌΜ ͱઃఆ͞Ε͍ͯΔ •
ࣗͰฤू͢ΔͱϋϚΔͷͰҙ AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity ࣮ફserverless #cmdevio 43
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {
"Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:aaaa-bbbb-cccc-dddd-1111-2222" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } } } ] } ࣮ફserverless #cmdevio 44
• audͰCognito Identity Pool IDΛࢦఆ • amrͰϓϩόΠμΛࢦఆ • ྫ͑facebookͷ߹ "ForAnyValue:StringLike":
{ "cognito-identity.amazonaws.com:amr": "graph.facebook.com" } ࣮ફserverless #cmdevio 45
·ͱΊ ࣮ફserverless #cmdevio 46
• User PoolsͰೝূػೳΛAWSʹҠͤΔ • Cognito Identityͱ࿈ܞͯ͠ߋʹػೳΛAWSʹ ҠͤΔ • ࣗͷϏδωεʹԊ͏ΓํͰαʔόϨεʹ ͔͍ͬͯ͜͏
࣮ફserverless #cmdevio 47
End ࣮ફserverless #cmdevio 48