CloudWatch Evidently on iOS

I am trying to figure out how to retrieve Evidently feature flags in an iOS app. I did create the flag on AWS console and also an UnAuthenticated IAM Role to use with Evidently.
I have so far the Cognito authentication code:
// Initialize the Amazon Cognito credentials provider
let credentialsProvider = AWSCognitoCredentialsProvider(regionType:.USEast1, identityPoolId:"us-east-1:xxx")
let configuration = AWSServiceConfiguration(region:.USEast1, credentialsProvider:credentialsProvider)
AWSServiceManager.default().defaultServiceConfiguration = configuration
BUT the iOS SDK does not seem to include Evidently or at least I could not find it.
Any advice or examples on how to call Evidently?
Can Evidently even be used with iOS?
There seem to be APIs to call on the Evidently REST API (https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_GetFeature.html)
but I did not find any example of how to use it with the whole authentication flow. I also cannot figure out if it would be possible to authenticate with the Cognito SDK and then call Evidently using the API.

Related

Getting full access to DynamoDB from my ios app using AWS Cognito Developer Identities

I have implemented an AWS Lambda function and used the gateway to return the following data:
var param =
{
    IdentityPoolId: "actualIdentityPoolId",
    Logins: {} // To have provider name in a variable
};
param.Logins["com.testing.userLogin"] = userId;
cognitoidentity.getOpenIdTokenForDeveloperIdentity(param,
    function(err, data)
    {
        if (err) return fn(err); // an error occurred
        else fn(null, data.IdentityId, data.Token); // successful response
    });
So the identityId and token get sent back to the iOS device. On my device I try to connect to an AWS DynamoDB table but access is denied. How do I use the identityId and token to gain access to the tables?
I have set up roles in IAM for Unauth, which denies Dynamo, and Auth, which gives access to the tables through its policies.
I am trying to implement authentication using: http://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
I see there are two flows, Basic and Enhanced. The documentation says most users will use the enhanced flow and that it implements GetCredentialsForIdentity.
How is that implemented in my iOS code so that I can switch my role from unauth to auth and can access DynamoDB? How long will this access last? I would like to do this all in my iOS code instead of using Lambda or something else like that.
If your user is unauthenticated and then logs in, you need to clear your credentials, and your 'logins' method should now return a properly updated logins map.
Here is the documentation to help you:
http://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html
Double check your DynamoDB Roles for authenticated access to your DynamoDB resource. An example role for this is on the following page of the developer guide you referenced. The page is called "IAM Roles" and the last section is the important one: "Fine-Grained Access to Amazon DynamoDB".
Stick with your plan to use the Enhanced Authflow. It is recommended and makes fewer calls to authenticate (your users will appreciate this). Just make sure your mobile clients call GetCredentialsForIdentity from iOS.
From the Enhanced Authflow documentation further down your page:
The GetCredentialsForIdentity API can be called after you establish an identity ID. This API is functionally equivalent to calling GetOpenIdToken followed by AssumeRoleWithWebIdentity.
The AssumeRoleWithWebIdentity is the important piece that allows your user to assume the Role that gets access to the DynamoDB resource. Cognito will take care of the rest as long as you set up the Roles correctly within the Cognito console:
In order for Amazon Cognito to call AssumeRoleWithWebIdentity on your behalf, your identity pool must have IAM roles associated with it. You can do this via the Amazon Cognito Console or manually via the SetIdentityPoolRoles operation (see the API reference)
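Added example, not part of the original answers: the answer above depends on the identity pool's roles being "set up correctly", and the part that decides who can assume each role is the role's trust policy. This Python sketch audits such a trust policy for the two conditions that matter, aud pinned to the identity pool and amr restricted to authenticated or unauthenticated. The pool ID, the sample policies and the function names are constructed for illustration.

```python
FEDERATED = "cognito-identity.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, pool_id, expected_amr):
    """Return findings for one Cognito identity-pool role trust policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or FEDERATED not in _as_list(principal.get("Federated", [])):
            findings.append(f"statement {i}: principal is not federated {FEDERATED}")
            continue
        cond = stmt.get("Condition", {})
        # aud must pin the role to exactly this identity pool
        aud = _as_list(cond.get("StringEquals", {}).get(f"{FEDERATED}:aud", []))
        if aud != [pool_id]:
            findings.append(f"statement {i}: aud not pinned to pool {pool_id}")
        # amr must separate authenticated from unauthenticated identities
        amr = []
        for operator, keys in cond.items():
            if operator.startswith("ForAnyValue:"):
                amr += _as_list(keys.get(f"{FEDERATED}:amr", []))
        if amr != [expected_amr]:
            findings.append(f"statement {i}: amr not restricted to '{expected_amr}'")
    return findings

def make_policy(condition):
    """Build a constructed single-statement trust policy for the samples below."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": FEDERATED},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

POOL = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed placeholder
AUTH_OK = make_policy({
    "StringEquals": {f"{FEDERATED}:aud": POOL},
    "ForAnyValue:StringLike": {f"{FEDERATED}:amr": "authenticated"}})
AUTH_NO_AMR = make_policy({"StringEquals": {f"{FEDERATED}:aud": POOL}})
AUTH_NO_COND = make_policy({})

if __name__ == "__main__":
    for name, pol in [("ok", AUTH_OK), ("no amr", AUTH_NO_AMR), ("no condition", AUTH_NO_COND)]:
        print(name, audit_trust_policy(pol, POOL, "authenticated"))
```

A role whose trust policy lacks the amr condition does not distinguish authenticated from unauthenticated identities, so the DynamoDB permissions attached to the Auth role are only as tight as that condition.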

AWS Lambda/Cognito Authentication - Assuming Auth Role

I am attempting to create an iOS app in Swift that uses the following authentication service using AWS Lambda - https://github.com/danilop/LambdAuth
It uses the AWS Mobile SDK for iOS to communicate with DynamoDB and Lambda - http://docs.aws.amazon.com/mobile/sdkforios/developerguide/
Here is the sample code for the website that utilizes the token returned from the Lambda login function, I imagine the Swift code will be something similar - https://github.com/danilop/LambdAuth/blob/master/www/login.html#L69
Here is the cloud function that generates the token for the user - https://github.com/danilop/LambdAuth/blob/master/LambdAuthLogin/index.js#L102
I have created an identity pool in AWS Cognito (Federated Identities) and I have two roles, auth and unauth. My application appears to always be using the unauth role (arn:aws:sts::123123123:assumed-role/_unauth_MOBILEHUB_123123123/CognitoIdentityCredentials). My users are being stored in a DynamoDB table, with a salted password.
The root of the problem is that I don't know the correct Swift code to write after I receive a login token from the service to transition my user into the authenticated role (use the auth arn). I want it to be using the auth role for every service call to AWS (dynamodb, lambda, etc). I'm hoping that someone can point me in the right direction - thank you.
As per the design in Danilo's book, if you are using the aws-sdk for JavaScript, you should define your objects like this:
var creds = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'YOUR_IDENTITY_POOL_ID' // placeholder: hard-coded value for your system
});
AWS.config.update({
region: 'us-east-1',
credentials: creds
});
var lambda = new AWS.Lambda();
Then, once you receive your identityId and token, you should assign them to your creds as follows:
creds.params['IdentityId'] = output.identityId;
creds.params['Logins'] = {};
creds.params['Logins']['cognito-identity.amazonaws.com'] = output.token;
creds.expired = true;
where output is the response from your LambdAuthLogin Lambda function.
Authenticated roles will only be used when you use one of the supported public providers (Facebook, Google, Twitter, Login With Amazon), OIDC provider, SAML provider or Cognito User Pool users.
Amazon Cognito User Pools provides you the solution for user registration, authentication and management. Is there a reason that you prefer using Lambda Auth over that?

Upload file to S3 via multipart upload given temporary security credentials using AWS iOS SDK

My iOS application talks to a service (let's call this service "Service X") which is built on top of AWS. Service X provides RESTful APIs to upload content. When my application sends a PUT request to Service X for creation of a new asset, Service X returns the information needed to perform a multipart upload to S3. It contains "access key", "secret key" & "session token" along with "asset_arn", "upload id" & "S3 URL for multipart uploads".
I am not sure how to use this information to perform multipart uploads using the AWS iOS SDK. The SDK provides Cognito to manage credentials but I already have credentials with me. How can I proceed with this?
I can even use S3's REST API for performing multipart uploads but I am not sure how I should pass on the credential information.
You should check out https://github.com/aws/aws-sdk-ios/blob/master/AWSCore/Authentication/AWSCredentialsProvider.m and use your static credentials there. But I highly recommend you to use Cognito for credential management. Static credentials are dangerous for an app and should not be used in a production app.
Thanks,
Rohan

How to add a logins map to CredentialsProvider?

I have integrated my User Pools setup with the federated identity flow with the 9 steps from the relevant documentation. I'm following the documentation and using the enhanced auth flow.
There is, however, an additional step which I cannot quite understand that is possibly causing the problem I am experiencing with the iOS SDK. The guide mentions that:
After the user is authenticated, add that user's identity token to the
logins map in the credentials provider. The provider name will depend
on your Amazon Cognito Identity user pool ID. It will have the
following structure: cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>
Then it offers the following iOS SDK snippet:
AWSCognitoIdentityUserPool *pool = [[AWSCognitoIdentityUserPool alloc] initWithClientId:@"YOUR_CLIENT_ID" clientSecret:@"YOUR_CLIENT_SECRET" poolId:@"YOUR_USER_POOL_ID"];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1 identityPoolId:@"IDENTITY_POOL_ID" identityProviderManager:pool];
But from my understanding, there isn't any logins map added in the credentials provider in this piece of code. If you look at the JavaScript and Java versions you will see that this is set explicitly. After some digging around I also found a method for the iOS SDK, namely a setLogins method; however, this method is deprecated. Based on the documentation it would make sense that I could initiate it as follows:
[self.credentialsProvider setLogins:@{@"cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>": @"id_token"}];
However, this results in a deprecation warning:
setLogins is deprecated. Use 'AWSIdentityProviderManager' to provide a valid logins dictionary to the credentials provider
The AWSIdentityProviderManager protocol does seem to offer a logins method, however this is not documented.
So my question is: how could I add my logins map in my credentials provider?
You do not add the logins dictionary to the credentials provider. AWSIdentityProviderManager defines the following method:
- (AWSTask<NSDictionary<NSString *, NSString *> *> *)logins;
It asynchronously supplies the logins dictionary to the credentials provider, and AWSCognitoIdentityUserPool conforms to AWSIdentityProviderManager. So, the code snippet is all you need. If you are experiencing an issue, it is not related to the logins dictionary.

Example for cognito login using SWIFT & Facebook

I am trying to create a sample iOS application for listing an S3 bucket after login from Facebook using Amazon Cognito. Unfortunately I cannot find any examples in Swift for Cognito authentication through Facebook. The one provided in the example doesn't take care of the authentication part.
Can anybody provide sample code for this?
So bad that amazon is not even providing a good example in swift covering major services.
// Set the AWS credentials provider to use Facebook's auth token
let credentialProvider = AWSCognitoCredentialsProvider(
    regionType: CognitoRegionType,
    identityPoolId: CognitoIdentityPoolId)
let logins: NSDictionary = NSDictionary(dictionary:
    ["graph.facebook.com" : self.fbToken])
credentialProvider.logins = logins as [NSObject : AnyObject]
credentialProvider.refresh()
let configuration = AWSServiceConfiguration(
    region: DefaultServiceRegionType,
    credentialsProvider: credentialProvider)
AWSServiceManager.defaultServiceManager().defaultServiceConfiguration = configuration
Where self.fbToken is the Facebook token, and CognitoRegionType, CognitoIdentityPoolId, and DefaultServiceRegionType are all defined constants.
There is one Swift example in the AWS iOS samples repository at this time, but it is for demonstrating SNS. It doesn't show S3 or Facebook Login, but it does show Cognito.
https://github.com/awslabs/aws-sdk-ios-samples/tree/master/SNS-MobileAnalytics-Sample/Swift/
