Upgrade to Pro — share decks privately, control downloads, hide ads and more …

cognito-userpools-in-production

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for tannai tannai
August 02, 2016
Technology
8.8k
4

 cognito-userpools-in-production

http://classmethod.connpass.com/event/35523/
#cmdevio

Avatar for tannai

tannai

August 02, 2016

More Decks by tannai

See All by tannai
redash patche at dmm
Avatar for tannai yuukigoodman
0
760
akibago-2018-10-30
Avatar for tannai yuukigoodman
0
84
serverless-design-and-streaming-date-processing-service
Avatar for tannai yuukigoodman
0
1k
alexa-changes-development-process
Avatar for tannai yuukigoodman
0
1.6k
VUIとAlexaによるちょっと未来の体験の話2
Avatar for tannai yuukigoodman
0
900
regrowth2016alexa
Avatar for tannai yuukigoodman
0
1.3k
Rails App Deployment with CodeDeploy
Avatar for tannai yuukigoodman
0
1.6k
aws-lambda-in-practice
Avatar for tannai yuukigoodman
2
2.1k
serverless-from-today
Avatar for tannai yuukigoodman
2
2.2k

Other Decks in Technology

See All in Technology
地球に⽣きるAI —GeoAIと「中間領域」— / AI Living on Earth — GeoAI and the “Intermediate Layer” —
Avatar for Kiyota Yoji, Ph.D. ykiyota
0
270
Claude Code×Terraform IaC テンプレート駆動開発
Avatar for Itou Hideki itouhi
1
490
SIer20年! 培ったスキルがスタートアップで輝く時
Avatar for しゅういちろ shucho0103
0
830
小さくはじめるSLI/SLO ~育てながら組織に定着させる実践知~ / Starting Small with SLI/SLOs: Building Adoption Through Continuous Growth
Avatar for Narimichi Takamura nari_ex
3
1.4k
Claude Code の Sandbox 機能を Anthropic Sandbox Runtime(srt) で試そう!/lets-play-anthropic-sandbox-runtime
Avatar for tomoki10 tomoki10
1
530
NAB Show 2026 動画技術関連レポート / NAB Show 2026 Report
Avatar for CyberAgent cyberagentdevelopers
PRO
0
160
失敗を資産に変えるClaude Code
Avatar for Shinya Saita shinyasaita
0
300
Agentic Web
Avatar for dynamis dynamis
1
200
Snowflakeと仲良くなる第一歩
Avatar for あべ coco_se
4
410
AI-DLCを活用した高品質・安全なAI駆動開発実践 / AI Driven Development with AI-DLC
Avatar for 吉田真吾 yoshidashingo
0
170
[モダンアプリ勉強会]今更聞けないGit/GitHub入門
Avatar for つくぼし tsukuboshi
0
360
Agent Skills設計で柔軟性と硬さのバランスが難しい話
Avatar for nassy nassy20
0
110

Featured

See All Featured
Skip the Path - Find Your Career Trail
Avatar for Mark Kilby mkilby
1
140
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
2
390
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
122
22k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
356
21k
Amusing Abliteration
Avatar for ianozsvald ianozsvald
1
200
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.3k
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
390
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
2k
Ruling the World: When Life Gets Gamed
Avatar for Sebastian Deterding codingconduct
0
250
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.4k

Transcript

  1. ࣮ࡍʹ࢖͏ Cognito UserPools Classmethod, Inc. Yuki Tannai ࣮ફSERVERLESS #cmdevio ࣮ફserverless

    #cmdevio 1

  2. ࣗݾ঺հ • ୮಺༏ل • @yuukigoodman • αʔόͰಈ͘ϓϩάϥϜͱ͔AWS ࣮ફserverless #cmdevio 2

  3. Agenda • ServerlessͱCognito • Cognito User Pools • CognitoΛ࣮ࡍʹ࢖͏ͨΊʹ ࣮ફserverless

    #cmdevio 3

  4. Serverlessͱ Cognito ࣮ફserverless #cmdevio 4

  5. ServerlessΞʔΩςΫνϟ ͱ͸ ࣮ફserverless #cmdevio 5

  6. ඇৗறܕϓϩηε ΛΠϕϯτʹΑͬͯ τϦΨʔ͢ΔΠϯϑ ϥετϥΫνϟ1 — @zerobase 1 http://qiita.com/zerobase/items/3bc0d15980b472af841d ࣮ફserverless #cmdevio

    6

  7. ServerlessΞʔΩςΫνϟͱ͸ • Πϯϑϥ΍ΞϓϦͷΠϕϯτΛτϦΨʔʹ࣮ߦ ͞ΕΔඇৗறϓϩηε • ίʔυͷ࣮ߦ؀ڥ͕ϑϧϚωʔδυαʔϏεͱ ͯ͠ఏڙ͞ΕΔ • AWS Lambda͕࣮ݱํ๏ͷ୅ද֨ͱͯ͠༗໊

    ࣮ફserverless #cmdevio 7

  8. serverlessͰղܾ͍ͨ͠໰୊͸ • EC2ແ͠Ͱ؆୯ͳϓϩάϥϜΛӡ༻͍ͨ͠ • ӡ༻ͷखؒ • ͓ۚͷઅ໿ • ΞϓϦέʔγϣϯ͔Βຊ࣭Ͱͳ͍ίʔυΛগͳ ͍ͨ͘͠

    LambdaҎ֎ͷΞϓϩʔν΋͋Δ ࣮ફserverless #cmdevio 8

  9. Amazon Cognito ࣮ફserverless #cmdevio 9

  10. Cognitoͱ͸ • ΞϓϦέʔγϣϯͷೝূɾೝՄΛαϙʔτ͢Δ ϑϧϚωʔδυαʔϏε ࣮ફserverless #cmdevio 10

  11. • Cognito Identity • Federated Identity • User Pools •

    Cognito Sync • Sync Store • Cognito Events • Cognito Streams ࣮ફserverless #cmdevio 11

  12. Cognito Identity • ֎෦Ͱೝূ͞ΕͨϢʔβʹରͯ͠ػೳΛఏڙ͢ Δ • Federated Identity • ֎෦ͷೝূαʔϏε͔Βͷ໊دͤ

    • ಗ໊Ϣʔβͱͯ͠ͷೝূ΋Մೳ • ෳ਺ͷIdentity ProviderΛͻͱͭͷIdentity ͱͯ͠ϚʔδͰ͖Δ ࣮ફserverless #cmdevio 12

  13. • STS • AWS΁ͷΞΫηεΩʔΛ҆શʹൃߦ͢Δ • AssumeRole΍ConditionઅͳͲIAMͱͷ࿈ ܞ ࣮ફserverless #cmdevio 13

  14. ࣮ફserverless #cmdevio 14

  15. ࣮ફserverless #cmdevio 15

  16. Cognito Sync • ϢʔβσʔλͷಉظػೳΛఏڙ • Sync Store • KVSͷΑ͏ʹ࢖͑ΔσʔλετΞ •

    SDKܦ༝ͳΒϩʔΧϧετϨʔδͱͷ࿈ܞ ΋؆୯ ࣮ફserverless #cmdevio 16

  17. • Cognito Streams • SyncΠϕϯτΛड৴ͯ͠Kinesis Streamsʹ ૹ৴͢Δ • Cognito Events

    • SyncΠϕϯτΛड৴ͯ͠Lambda Function Λಉظ࣮ߦ͢Δ ࣮ફserverless #cmdevio 17

  18. Cognito User Pools ࣮ફserverless #cmdevio 18

  19. Cognito User Poolsͱ͸ • AWS͕ఏڙ͢ΔIdentity Provider • Ϣʔβͷొ࿥΍؅ཧɺೝূΛߦͳ͏͜ͱ͕Ͱ͖ Δ •

    Federated Identityͱ΋࿈ܞͰ͖Δ • ύεϫʔυ΍MFAɺ֬ೝϝʔϧͷૹ৴ͳͲҰൠ తͳWebαʔϏεʹඞཁͳೝূػೳΛҰ௨Γ ͍࣋ͬͯΔ ࣮ફserverless #cmdevio 19

  20. ͍ͭʹGA! ࣮ફserverless #cmdevio 20

  21. σϞ awslabs/aws-cognito-angular2-quickstart2 2 https://github.com/awslabs/aws-cognito-angular2-quickstart ࣮ફserverless #cmdevio 21

  22. User Poolsͷػೳ ࣮ફserverless #cmdevio 22

  23. Ϣʔβొ࿥ • ϢχʔΫͳϢʔβ໊Λઃఆ • ύεϫʔυೝূͱɺΦϓγϣϯͰMFAΛར༻ Մೳ • ύεϫʔυϙϦγʔΛઃఆՄೳ ࣮ફserverless #cmdevio

    23

  24. ΞτϦϏϡʔτ • ࢖ΘΕΔػձ͕ଟ͍ϢʔβଐੑΛઃఆՄೳ • ΤΠϦΞεʹΑͬͯɺϩάΠϯͰ࢖༻͢Δଐੑ ΛࢦఆͰ͖Δ • ಠࣗͷΞτϦϏϡʔτΛઃఆͰ͖Δ ࣮ફserverless #cmdevio

    24

  25. ϝʔϧɾSMSͷ֬ೝͱMFA • Ϣʔβొ࿥࣌ɺҰ࣌తͳೝূίʔυΛൃߦ͢Δ ͜ͱͰ༗ޮͳѼઌͰ͋Δ͜ͱΛ֬ೝ • ϝοηʔδͷςϯϓϨʔτ΋ฤूՄೳ • MFAͷઃఆ͕Մೳ ࣮ફserverless #cmdevio

    25

  26. σόΠετϥοΩϯά • ಉҰϢʔβ͕ϩάΠϯঢ়ଶΛҡ࣋Ͱ͖Δ୺຤਺ ͷઃఆ • ༗ޮʹ͢ΔͱɺॳճϩάΠϯ࣌ʹೝূͱ͸ผʹ τϥοΩϯά༻్ͷτʔΫϯ͕σόΠε͝ͱʹ ൃߦ͞ΕΔ • τϥοΩϯά͕༗ޮͳ୺຤͸MFAΛεΩοϓ͢

    Δ͜ͱ΋Ͱ͖Δ ࣮ફserverless #cmdevio 26

  27. σόΠετϥοΩϯά • ؅ཧऀ͸ɺSDKඇެ։ͷREST API͔ΒσόΠε ϦετΛऔಘͰ͖Δ • Global Sign-out(ಉҰϢʔβͷશ୺຤αΠϯΞ ΢τ)΍؅ཧऀݖݶͰͷαΠϯΞ΢τ΋Մೳ ࣮ફserverless

    #cmdevio 27

  28. App • ඇೝূϢʔβ͕ϩάΠϯ΍ύεϫʔυ࠶ൃߦͳ ͲͷAPIΛ࣮ߦ͢ΔͨΊͷΤϯςΟςΟ • TokenͱSecretɻϒϥ΢βΞϓϦ͸SecretΛ࢖ Θͳ͍͜ͱ΋Ͱ͖Δ ࣮ફserverless #cmdevio 28

  29. App • ྫ͑͹ϓϥοτϑΥʔϜ͝ͱͳͲɺෳ਺࡞੒Մ ೳ • Relying PartyͷΑ͏ͳෆಛఆͷୈࡾऀʹఏڙ͢ Δ༻్Ͱ͸࢖Θͳ͍ ࣮ફserverless #cmdevio

    29

  30. Trigger • ॴఆͷΠϕϯτΛτϦΨʔʹͯ͠Lambda Functionͷ࣮ߦ͕Մೳ • ηΩϡϦςΟػೳͷΧελϚΠζ΍ɺΠϕϯτ τϥοΩϯάͳͲ༷ʑͳ֦ு͕Մೳ ࣮ફserverless #cmdevio 30

  31. Cognito Identity࿈ܞ • Federated IdentityͷϓϩόΠμͱͯ͠ར༻Մ ೳ • User PoolsೝূϢʔβʹରͯ͠AWSϦιʔε΁ ͷΞΫηεݖݶΛ҆શʹൃߦͰ͖Δ

    ࣮ફserverless #cmdevio 31

  32. ࣮ફserverless #cmdevio 32

  33. API Gateway࿈ܞ • API GatewayͰͷೝՄͰɺUser Poolsͷೝূ৘ ใΛར༻Ͱ͖Δ • API GatewayͷϚωδϝϯτίϯιʔϧ͔Β

    User PoolΛઃఆ͢Δ ࣮ફserverless #cmdevio 33

  34. ࣮ફserverless #cmdevio 34

  35. CognitoΛ ࣮ࡍʹ࢖͏ͨΊʹ ࣮ફserverless #cmdevio 35

  36. ϙϦγʔม਺ • CognitoʹׂΓ౰ͯΒΕΔIDʹҰக͢ΔϦιʔ εͷΈ΁ͷݖݶൃߦ • αʔόΛհ͞ͳ͍ॲཧΛ҆શʹߦ͑Δ • IAMͷConditionઅʹม਺Λهࡌ ࣮ફserverless #cmdevio

    36

  37. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "dynamodb:Query" ], "Resource": [ "arn:aws:dynamodb:ap-northeast-1:<Account ID>:table/projects", "arn:aws:dynamodb:ap-northeast-1:<Account ID>:table/projects/index/*" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ] } } } ] } ࣮ફserverless #cmdevio 37

  38. S3ͷ৔߹5 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action":

    ["s3:ListBucket"], "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"], "Condition": {"StringLike": {"s3:prefix": ["cognito/mynumbersgame/"]}} }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}", "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/mynumbersgame/${cognito-identity.amazonaws.com:sub}/*" ] } ] } 5 http://docs.aws.amazon.com/jajp/IAM/latest/UserGuide/accesspolicies_examples.html#iam- policy-example-cognito ࣮ફserverless #cmdevio 38

  39. ͜ͷΑ͏ͳม਺͕ར༻Մೳ3 • ${cognito-identity.amazonaws.com:sub} • ${www.amazon.com:user_id} • ${accounts.google.com:sub} • ${graph.facebook.com:id} 3

    http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/specifying- conditions.html http://docs.aws.amazon.com/ja_jp/amazondynamodb/latest/developerguide/ WIF.RunningYourApp.html ࣮ફserverless #cmdevio 39

  40. OIDC Provider • Web/UserPoolsͷଞʹFederated Identityʹઃ ఆՄೳͳIdentity Provider • Google΍SalseforceͳͲ •

    IAMʹOIDC ProviderΛ௥Ճ͠ɺFederated Identityʹઃఆ͢Δ • SAML΋࢖͑ΔΑ͏ʹͳΓ·ͨ͠ ࣮ફserverless #cmdevio 40

  41. ࣮ફserverless #cmdevio 41

  42. େྔϦΫΤετ࣌ͷ੍ݶ • ʮ1 ͭͷϦετ/API ࢀরݺͼग़͠ͷ࠷େ਺ 60ʯ4 • ΞϓϦ͔Βͷݺͼग़͠ͷ੍ݶ͸ແ͍ʁ • ؒҧ͑ͯผϦʔδϣϯΛݺͼ·ͬͯͨ࣌͘

    ʹʮ੍ݶ͠ͱ͍ͨΑʯͱݴΘΕͨ 4 http://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/limits.html ࣮ફserverless #cmdevio 42

  43. Trust Relationship • ͲͷTokenൃߦऀʹରͯ͠Assume RoleΛڐՄ ͢Δ͔ͷϙϦγʔ • cognitoͷ΢Οβʔυ͔ΒRoleΛ࡞ΔͱͪΌΜ ͱઃఆ͞Ε͍ͯΔ •

    ࣗ෼Ͱฤू͢ΔͱϋϚΔͷͰ஫ҙ AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity ࣮ફserverless #cmdevio 43

  44. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {

    "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:aaaa-bbbb-cccc-dddd-1111-2222" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } } } ] } ࣮ફserverless #cmdevio 44

  45. • audͰCognito Identity Pool IDΛࢦఆ • amrͰϓϩόΠμΛࢦఆ • ྫ͑͹facebookͷ৔߹ "ForAnyValue:StringLike":

    { "cognito-identity.amazonaws.com:amr": "graph.facebook.com" } ࣮ફserverless #cmdevio 45

  46. ·ͱΊ ࣮ફserverless #cmdevio 46

  47. • User PoolsͰೝূػೳΛAWSʹҠͤΔ • Cognito Identityͱ࿈ܞͯ͠ߋʹػೳΛAWSʹ ҠͤΔ • ࣗ෼ͷϏδωεʹԊ͏΍ΓํͰαʔόϨεʹ޲ ͔͍ͬͯ͜͏

    ࣮ફserverless #cmdevio 47

  48. End ࣮ફserverless #cmdevio 48