
cognito-userpools-in-production

tannai
August 02, 2016


Transcript

  1. Using Cognito User Pools for real. Classmethod, Inc., Yuki Tannai. 実践SERVERLESS (Serverless in Practice) #cmdevio

  2. Self-introduction • Yuki Tannai (丹内優紀) • @yuukigoodman • Server-side programs, AWS and the like

  3. Agenda • Serverless and Cognito • Cognito User Pools • Using Cognito in practice

  4. Serverless and Cognito

  5. What is a serverless architecture?

  6. "Infrastructure that triggers non-resident processes in response to events" [1] (@zerobase). [1] http://qiita.com/zerobase/items/3bc0d15980b472af841d

  7. What is a serverless architecture? • Non-resident processes that run when triggered by infrastructure or application events • The code execution environment is provided as a fully managed service • AWS Lambda is well known as the representative way to realize it

  8. Problems I want to solve with serverless • Run simple programs without EC2 • Operational effort • Saving money • Reduce non-essential code in the application. There are approaches other than Lambda as well.

  9. Amazon Cognito

  10. What is Cognito? • A fully managed service that supports authentication and authorization for applications

  11. • Cognito Identity • Federated Identity • User Pools • Cognito Sync • Sync Store • Cognito Events • Cognito Streams

  12. Cognito Identity • Provides functionality to users who were authenticated externally • Federated Identity • Consolidates identities coming from external authentication services • Authentication as an anonymous user is also possible • Multiple Identity Providers can be merged into a single Identity

  13. • STS • Issues AWS access keys securely • Integrates with IAM through AssumeRole, Condition clauses and so on

  14. (diagram slide, no transcript text)

  15. (diagram slide, no transcript text)

  16. Cognito Sync • Provides synchronization of user data • Sync Store • A data store that can be used like a KVS • Via the SDK, integration with local storage is also easy

  17. • Cognito Streams • Receives Sync events and sends them to Kinesis Streams • Cognito Events • Receives Sync events and runs a Lambda Function synchronously

  18. Cognito User Pools

  19. What is Cognito User Pools? • An Identity Provider offered by AWS • Can register, manage and authenticate users • Can also integrate with Federated Identity • Has the full set of authentication features a typical web service needs: passwords, MFA, sending confirmation emails and so on

  20. Finally GA!

  21. Demo: awslabs/aws-cognito-angular2-quickstart [2]. [2] https://github.com/awslabs/aws-cognito-angular2-quickstart

  22. User Pools features

  23. User registration • Set a unique user name • Password authentication, with MFA available as an option • A password policy can be configured

  24. Attributes • Commonly used user attributes can be configured • Aliases let you specify which attributes are used for login • Custom attributes can be defined

  25. Email/SMS verification and MFA • At user registration, a temporary verification code is issued to confirm that the address is valid • Message templates can also be edited • MFA can be configured

  26. Device tracking • Sets the number of devices on which the same user can stay logged in • When enabled, on first login a per-device token for tracking purposes is issued separately from authentication • Devices with tracking enabled can also be allowed to skip MFA

  27. Device tracking • Administrators can retrieve the device list through a REST API that is not exposed in the SDK • Global Sign-out (signing the same user out of all devices) and sign-out with administrator privileges are also possible

  28. App • The entity through which unauthenticated users call APIs such as login and password reissue • Token and Secret. A browser app can also choose not to use the Secret

  29. App • Multiple apps can be created, for example one per platform • Not used for handing out to unspecified third parties, as with a Relying Party

  30. Trigger • Lambda Functions can be run, triggered by predefined events • Various extensions are possible, such as customizing security features or tracking events

  31. Cognito Identity integration • Can be used as a provider for Federated Identity • Access permissions to AWS resources can be issued securely to users authenticated by User Pools

  32. (diagram slide, no transcript text)

  33. API Gateway integration • User Pools authentication information can be used for authorization in API Gateway • Configure the User Pool from the API Gateway management console

  34. (diagram slide, no transcript text)

  35. Using Cognito in practice

  36. Policy variables • Issue permissions only for the resources that match the ID Cognito assigns • Operations that do not go through a server can then be performed safely • Write the variable in the IAM Condition clause

  37. Example: DynamoDB
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["dynamodb:Query"],
            "Resource": [
              "arn:aws:dynamodb:ap-northeast-1:<Account ID>:table/projects",
              "arn:aws:dynamodb:ap-northeast-1:<Account ID>:table/projects/index/*"
            ],
            "Condition": {
              "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
              }
            }
          }
        ]
      }

  38. In the case of S3 [5]
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"],
            "Condition": {"StringLike": {"s3:prefix": ["cognito/mynumbersgame/"]}}
          },
          {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [
              "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}",
              "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*"
            ]
          }
        ]
      }
      [5] http://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/accesspolicies_examples.html#iam-policy-example-cognito

  39. Variables like these are available [3] • ${cognito-identity.amazonaws.com:sub} • ${www.amazon.com:user_id} • ${accounts.google.com:sub} • ${graph.facebook.com:id}. [3] http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/specifying-conditions.html and http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/WIF.RunningYourApp.html

  40. OIDC Provider • Identity Providers that can be configured in Federated Identity besides Web/User Pools • Google, Salesforce and so on • Add an OIDC Provider in IAM, then configure it in Federated Identity • SAML has become usable too

  41. (diagram slide, no transcript text)

  42. Limits under heavy request load • "Maximum for a single list/API lookup call: 60" [4] • No limit on calls from the app? • When I mistakenly hammered a different region, I was told "we have put a limit on it". [4] http://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/limits.html

  43. Trust Relationship • The policy that states which token issuers are allowed to assume the role • When the Role is created from the Cognito wizard it is set up correctly • Be careful: editing it yourself is a trap. AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity

  44. Trust policy created by the Cognito wizard
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": {
                "cognito-identity.amazonaws.com:aud": "us-east-1:aaaa-bbbb-cccc-dddd-1111-2222"
              },
              "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated"
              }
            }
          }
        ]
      }

  45. • aud specifies the Cognito Identity Pool ID • amr specifies the provider • For example, for Facebook: "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "graph.facebook.com" }
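To make the effect of the two policy patterns in the slides above concrete (the per-identity DynamoDB policy built on `${cognito-identity.amazonaws.com:sub}` from slides 36 to 39, and the role trust policy keyed on `aud` and `amr` from slides 43 to 45), the following is an added example that is not code from the talk. It implements a small offline evaluator for the IAM condition operators those policies use (`StringEquals`, `StringLike`, `ForAllValues`, `ForAnyValue`) and runs both policies against constructed request contexts. The account ID, identity pool ID and identity IDs are placeholders chosen for the example, and the evaluator covers only the Allow-only, single-action shape of these two documents, not IAM's full evaluation logic.

```python
# Added example (not the talk's code): a minimal IAM condition evaluator used
# to check what the two Cognito policies from the slides actually permit.
# Account ID, identity pool ID and identity IDs below are constructed values.
import fnmatch
import json

# DynamoDB policy from the slides, scoped per user via the policy variable.
DYNAMODB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:Query"],
        "Resource": [
            "arn:aws:dynamodb:ap-northeast-1:123456789012:table/projects",
            "arn:aws:dynamodb:ap-northeast-1:123456789012:table/projects/index/*",
        ],
        "Condition": {"ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}},
    }],
}

# Role trust policy from the slides: only Cognito Identity tokens for this
# identity pool (aud) from authenticated users (amr) may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud": "ap-northeast-1:EXAMPLE-POOL-ID"},
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def substitute_variables(policy, context):
    """Replace ${key} policy variables with single-valued context keys."""
    text = json.dumps(policy)
    for key, value in context.items():
        if isinstance(value, str):
            text = text.replace("${" + key + "}", value)
    return json.loads(text)


def _match(operator, expected, actual):
    if operator.endswith("StringEquals"):
        return actual == expected
    if operator.endswith("StringLike"):  # IAM wildcards are * and ?
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError("unsupported operator: " + operator)


def condition_matches(condition, context):
    """Evaluate an IAM Condition block against the request context.

    ForAllValues: every context value must match some expected value
    (vacuously true when the key is absent). ForAnyValue: at least one
    must match. A plain operator needs exactly one matching context value.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = _as_list(context.get(key, []))
            hits = [any(_match(operator, e, a) for e in _as_list(expected))
                    for a in actual]
            if operator.startswith("ForAllValues:"):
                ok = all(hits)
            elif operator.startswith("ForAnyValue:"):
                ok = any(hits)
            else:
                ok = len(hits) == 1 and hits[0]
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True if an Allow statement covers action and resource and its
    Condition holds (these policies contain no Deny statements)."""
    policy = substitute_variables(policy, context)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def query_allowed(identity_id, leading_keys):
    """May this Cognito identity Query rows with the given partition keys?"""
    return is_allowed(
        DYNAMODB_POLICY, "dynamodb:Query",
        "arn:aws:dynamodb:ap-northeast-1:123456789012:table/projects",
        {"cognito-identity.amazonaws.com:sub": identity_id,
         "dynamodb:LeadingKeys": leading_keys})


def assume_role_allowed(aud, amr):
    """Would a Cognito Identity token with these aud/amr claims pass the trust policy?"""
    return is_allowed(
        TRUST_POLICY, "sts:AssumeRoleWithWebIdentity", "*",
        {"cognito-identity.amazonaws.com:aud": aud,
         "cognito-identity.amazonaws.com:amr": amr})


if __name__ == "__main__":
    me = "ap-northeast-1:00000000-0000-0000-0000-000000000001"
    other = "ap-northeast-1:00000000-0000-0000-0000-000000000002"
    print(query_allowed(me, [me]), query_allowed(me, [other]), query_allowed(me, [me, other]))
    print(assume_role_allowed("ap-northeast-1:EXAMPLE-POOL-ID", ["authenticated"]))
```

Running the module shows the point of both slides: a user can Query only the partition whose key equals its own identity ID (a Query that touches another user's key, or a mix of keys, is refused because `ForAllValues` requires every key to match), and the role can be assumed only by a token whose `aud` is exactly the configured identity pool and whose `amr` contains `authenticated`; a token for another pool, or an unauthenticated identity, gets the `AccessDenied` the slide warns about. Swapping the `amr` pattern for `graph.facebook.com`, as slide 45 does, restricts the role to identities that logged in through that provider.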
  46. Summary

  47. • With User Pools, authentication can be moved to AWS • Integrating with Cognito Identity moves even more functionality to AWS • Let's head toward serverless in a way that fits your own business

  48. End