How do I integrate AWS Cognito with AppRunner?
In this guide, we will integrate AWS Cognito with AWS AppRunner using Pulumi. AWS Cognito provides authentication, authorization, and user management for your web and mobile apps. AWS AppRunner is a fully managed service that makes it easy to deploy containerized web applications and APIs at scale.
We will create a Cognito User Pool (with a hosted UI domain and an app client), a Cognito Identity Pool that exchanges User Pool tokens for scoped AWS credentials, and an AppRunner service that receives the pool and client IDs. Note that AppRunner has no built-in Cognito integration: the container you deploy must verify the Cognito JSON Web Token on each request, and the Identity Pool role only governs which AWS APIs a signed-in user may call.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a Cognito User Pool
const userPool = new aws.cognito.UserPool("userPool", {
    name: "example-user-pool",
});

// Hosted UI domain: required for the OAuth "code" flow enabled on the client below.
// The prefix must be globally unique; "example-user-pool-domain" is a placeholder.
const userPoolDomain = new aws.cognito.UserPoolDomain("userPoolDomain", {
    domain: "example-user-pool-domain",
    userPoolId: userPool.id,
});

// Create a Cognito User Pool Client. It is a public client (no secret) because
// the browser or mobile app drives the authorization-code flow itself.
const userPoolClient = new aws.cognito.UserPoolClient("userPoolClient", {
    userPoolId: userPool.id,
    generateSecret: false,
    // Without this flag the provider rejects allowedOauthFlows/allowedOauthScopes.
    allowedOauthFlowsUserPoolClient: true,
    supportedIdentityProviders: ["COGNITO"],
    allowedOauthFlows: ["code"],
    allowedOauthScopes: ["openid", "profile", "email"],
    // Replace with the URLs your AppRunner service actually serves.
    callbackUrls: ["https://example.com/callback"],
    logoutUrls: ["https://example.com/logout"],
    // Return a generic error for unknown users instead of revealing which usernames exist.
    preventUserExistenceErrors: "ENABLED",
});

// Create a Cognito Identity Pool that federates the User Pool
const identityPool = new aws.cognito.IdentityPool("identityPool", {
    identityPoolName: "example-identity-pool",
    allowUnauthenticatedIdentities: false,
    cognitoIdentityProviders: [{
        clientId: userPoolClient.id,
        providerName: userPool.endpoint,
        // Ask the User Pool whether the token is still valid (user not disabled or signed out)
        serverSideTokenCheck: true,
    }],
});

// IAM role that authenticated identities assume. The "aud" condition must be the
// Identity Pool ID (for example us-east-1:1234abcd-...), not the pool's ARN.
const identityPoolRole = new aws.iam.Role("identityPoolRole", {
    assumeRolePolicy: identityPool.id.apply(poolId => JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Federated: "cognito-identity.amazonaws.com",
            },
            Action: "sts:AssumeRoleWithWebIdentity",
            Condition: {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": poolId,
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated",
                },
            },
        }],
    })),
});

// Permissions granted to authenticated users. This is the broad default policy the
// Cognito console generates; scope it down to the actions and resources your app needs.
const identityPoolRolePolicy = new aws.iam.RolePolicy("identityPoolRolePolicy", {
    role: identityPoolRole.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: ["mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"],
            Resource: ["*"],
        }],
    }),
});

// Without this attachment the Identity Pool never hands out the role.
const identityPoolRoles = new aws.cognito.IdentityPoolRoleAttachment("identityPoolRoles", {
    identityPoolId: identityPool.id,
    roles: { authenticated: identityPoolRole.arn },
});

// Create an AppRunner Service. AppRunner does not verify Cognito tokens itself; the
// container must validate the JWT on every request, so pass it the pool and client
// IDs. A public ECR image needs no authenticationConfiguration: that block holds a
// private-ECR access role or a source-code connection ARN, never a Cognito role.
const appRunnerService = new aws.apprunner.Service("appRunnerService", {
    serviceName: "example-app-runner-service",
    sourceConfiguration: {
        // Continuous deployment is not supported for public ECR images.
        autoDeploymentsEnabled: false,
        imageRepository: {
            imageIdentifier: "public.ecr.aws/aws-containers/hello-app-runner:latest",
            imageRepositoryType: "ECR_PUBLIC",
            imageConfiguration: {
                port: "8000",
                runtimeEnvironmentVariables: {
                    COGNITO_USER_POOL_ID: userPool.id,
                    COGNITO_CLIENT_ID: userPoolClient.id,
                },
            },
        },
    },
});

export const appRunnerServiceUrl = appRunnerService.serviceUrl;
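The program above only provisions the pools and the service; nothing in AppRunner checks a Cognito token, so the container has to do it on every request. The following is an added example, not code from this page or from Pulumi, of that check in TypeScript using only Node's crypto module. It pins the algorithm to RS256, selects the signing key by kid from the pool's JWKS, and then validates issuer, token_use, audience and expiry, handling the difference between ID tokens (client ID in aud) and access tokens (client ID in client_id). The region, pool ID, client ID, the JWKS and the tokens are all constructed assumptions; a real service reads the IDs from the COGNITO_USER_POOL_ID and COGNITO_CLIENT_ID variables set on the AppRunner service and fetches the JWKS from the pool's /.well-known/jwks.json endpoint.

```typescript
import * as crypto from "crypto";

// Assumed values for illustration only (not real pool or client identifiers).
export const REGION = "us-east-1";
export const USER_POOL_ID = "us-east-1_EXAMPLE1";
export const CLIENT_ID = "example-app-client-id";
export const ISSUER = `https://cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;

export type Jwks = { keys: Array<crypto.JsonWebKey & { kid: string }> };
export type TokenUse = "id" | "access";

const b64u = (b: Buffer | string): string => Buffer.from(b).toString("base64url");
const unb64u = (s: string): Buffer => Buffer.from(s, "base64url");

// Verify a Cognito JWT the way the container behind AppRunner must: signature
// against the pool's JWKS first, then issuer, token_use, audience and expiry.
// Throws on any failure; returns the claims only when every check passes.
export function verifyCognitoToken(
    token: string,
    jwks: Jwks,
    expectedUse: TokenUse,
    now: number = Math.floor(Date.now() / 1000),
): Record<string, any> {
    const parts = token.split(".");
    if (parts.length !== 3) throw new Error("malformed token");
    const [encHeader, encPayload, encSig] = parts;
    const header = JSON.parse(unb64u(encHeader).toString("utf8"));
    // Pin the algorithm: the token must never choose it ("none", HS256, ...).
    if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
    const jwk = jwks.keys.find(k => k.kid === header.kid);
    if (!jwk) throw new Error("unknown kid");
    const pub = crypto.createPublicKey({ key: jwk, format: "jwk" });
    const signedData = Buffer.from(`${encHeader}.${encPayload}`);
    if (!crypto.verify("sha256", signedData, pub, unb64u(encSig))) {
        throw new Error("invalid signature");
    }
    const claims = JSON.parse(unb64u(encPayload).toString("utf8"));
    if (claims.iss !== ISSUER) throw new Error("wrong issuer");
    if (claims.token_use !== expectedUse) throw new Error(`token_use is ${claims.token_use}`);
    // ID tokens carry the app client ID in "aud"; access tokens carry it in "client_id".
    const audience = expectedUse === "id" ? claims.aud : claims.client_id;
    if (audience !== CLIENT_ID) throw new Error("wrong audience");
    if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
    return claims;
}

// Constructed fixture (not real Cognito output): a throwaway RSA key pair published
// as a JWKS plus a signer that mints tokens, so the verifier can be exercised offline.
export function makeFixture() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
    const kid = "test-key-1";
    const jwks: Jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid }] };
    const sign = (claims: Record<string, any>, alg: string = "RS256"): string => {
        const h = b64u(JSON.stringify({ alg, kid, typ: "JWT" }));
        const p = b64u(JSON.stringify(claims));
        const sig = crypto.sign("sha256", Buffer.from(`${h}.${p}`), privateKey); // RSASSA-PKCS1-v1_5 = RS256
        return `${h}.${p}.${b64u(sig)}`;
    };
    return { jwks, sign };
}
```

In production, cache the JWKS and refresh it when an unknown kid appears (Cognito rotates keys), and reject requests whose token fails any single check rather than falling back to an unauthenticated path.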
Key Points
- We created a Cognito User Pool, a hosted UI domain and a public User Pool Client (authorization-code flow) to manage user authentication.
- We created a Cognito Identity Pool that exchanges User Pool tokens for temporary AWS credentials, with unauthenticated identities disabled and server-side token checks enabled.
- An IAM role was created and attached to the Identity Pool's authenticated identities; its trust policy is keyed on the pool ID and the "authenticated" amr value, and its permissions should be scoped down from the console default shown here.
- An AppRunner service was deployed from a public ECR image and given the pool and client IDs as environment variables; verification of Cognito tokens happens inside the container, since AppRunner has no native Cognito integration.
Summary
In this guide, we provisioned AWS Cognito alongside an AWS AppRunner service using Pulumi. Cognito handles sign-in and issues tokens, the Identity Pool maps signed-in users to a least-privilege IAM role, and the application running on AppRunner is responsible for validating those tokens on each request.