
How do I use AWS CloudFront with Cognito?

To use Amazon Cognito with AWS CloudFront, we provision a Cognito user pool (the user directory and the issuer of ID and access tokens), a user pool client for the web app, an optional identity pool, and a CloudFront distribution that serves the content. One point to be clear about up front: neither CloudFront nor an S3 origin evaluates Cognito tokens on its own. The Pulumi program below creates the resources; enforcing that a viewer is signed in is a separate step, done at the edge (a Lambda@Edge or CloudFront Functions handler that validates the Cognito JWT on each viewer request) or by issuing CloudFront signed cookies or signed URLs after a successful Cognito login.

Here’s a step-by-step guide:

  1. Create a Cognito User Pool: This manages your users and issues tokens after sign-in.
  2. Create a Cognito User Pool Client: This is the OAuth client your web app uses against the user pool.
  3. Create a Cognito Identity Pool: This exchanges user pool tokens for temporary AWS credentials. It is optional for this setup and is not used by CloudFront.
  4. Create a CloudFront Distribution: This serves your content from an S3 origin.

Explanation

  1. Cognito User Pool: This is a user directory in Amazon Cognito. Users sign up and sign in to your web or mobile app through the user pool, which then issues signed JWTs (ID, access and refresh tokens).
  2. Cognito Identity Pool: This provides temporary, scoped AWS credentials (via STS) to signed-in users so that the app can call AWS services directly. It plays no part in CloudFront's own request handling.
  3. CloudFront Distribution: This is a content delivery network (CDN) that delivers data, videos, applications, and APIs globally with low latency. On its own it does not know about Cognito; any authorization decision has to be added to it.

Pulumi Program

Below is the Pulumi program written in TypeScript that provisions the Cognito and CloudFront resources. It does not yet enforce authentication on the distribution; see the notes after the program.

import * as aws from "@pulumi/aws";

// Create a Cognito User Pool: the user directory and the issuer of ID/access tokens.
const userPool = new aws.cognito.UserPool("userPool", {
    name: "my-user-pool",
    // Cognito sends a verification code to this attribute at sign-up.
    autoVerifiedAttributes: ["email"],
    passwordPolicy: {
        minimumLength: 8,
        requireLowercase: true,
        requireNumbers: true,
        requireSymbols: true,
        requireUppercase: true,
    },
});

// Create a Cognito User Pool Client for a browser app: no client secret (a public client
// cannot keep one; use the code flow with PKCE), and redirect targets limited to an
// explicit allow-list that Cognito matches exactly.
const userPoolClient = new aws.cognito.UserPoolClient("userPoolClient", {
    userPoolId: userPool.id,
    generateSecret: false,
    // Enable the OAuth settings on this client and name the pool itself as the
    // identity provider; without these the allowedOauth* fields are not applied.
    allowedOauthFlowsUserPoolClient: true,
    supportedIdentityProviders: ["COGNITO"],
    allowedOauthFlows: ["code"],
    allowedOauthScopes: ["email", "openid", "profile"],
    callbackUrls: ["https://example.com/callback"],
    logoutUrls: ["https://example.com/logout"],
});

// Create a Cognito Identity Pool (optional): exchanges user pool tokens for temporary
// AWS credentials. Guests get nothing because unauthenticated identities are disabled.
const identityPool = new aws.cognito.IdentityPool("identityPool", {
    identityPoolName: "my-identity-pool",
    allowUnauthenticatedIdentities: false,
    cognitoIdentityProviders: [{
        clientId: userPoolClient.id,
        // The pool endpoint has the form cognito-idp.<region>.amazonaws.com/<poolId>,
        // which is the provider name Cognito Identity expects.
        providerName: userPool.endpoint,
    }],
});

// Create a CloudFront Distribution in front of a private S3 bucket.
// The OAI is the principal CloudFront uses to read from the bucket; it only restricts
// access if the bucket policy grants s3:GetObject to this OAI and nothing else.
const originAccessIdentity = new aws.cloudfront.OriginAccessIdentity("originAccessIdentity", {
    comment: "Access Identity for S3 bucket",
});

const cloudFrontDistribution = new aws.cloudfront.Distribution("cloudFrontDistribution", {
    enabled: true,
    origins: [{
        originId: "myS3Origin",
        // Placeholder: replace with the regional domain name of an existing bucket.
        domainName: "my-bucket.s3.amazonaws.com",
        s3OriginConfig: {
            originAccessIdentity: originAccessIdentity.cloudfrontAccessIdentityPath,
        },
    }],
    defaultCacheBehavior: {
        targetOriginId: "myS3Origin",
        viewerProtocolPolicy: "redirect-to-https",
        allowedMethods: ["GET", "HEAD", "OPTIONS"],
        cachedMethods: ["GET", "HEAD"],
        // Cookies are not part of the cache key. A viewer-request edge function still
        // receives them, so a Cognito session cookie can be checked without breaking caching.
        forwardedValues: {
            queryString: false,
            cookies: {
                forward: "none",
            },
        },
    },
    viewerCertificate: {
        // Serves only on the *.cloudfront.net domain; a custom domain needs an ACM
        // certificate in us-east-1 plus an alias.
        cloudfrontDefaultCertificate: true,
    },
    restrictions: {
        geoRestriction: {
            restrictionType: "none",
        },
    },
});

// Export the CloudFront Distribution URL
export const cloudFrontUrl = cloudFrontDistribution.domainName;

Detailed Explanation

  1. Cognito User Pool:

    • autoVerifiedAttributes: Cognito sends a verification code to the user's email at sign-up and marks the attribute verified once the code is confirmed.
    • passwordPolicy: Defines the password requirements enforced at sign-up and password change.
  2. Cognito User Pool Client:

    • generateSecret: false is correct for a browser or mobile app, which cannot protect a client secret; such a public client should use the authorization-code flow with PKCE.
    • allowedOauthFlowsUserPoolClient, supportedIdentityProviders and allowedOauthFlows: Turn on the hosted-UI OAuth settings for this client and restrict it to the code flow. Do not enable the implicit flow, which exposes tokens in the redirect URL. The hosted UI also needs a domain (aws.cognito.UserPoolDomain), which this program does not create.
    • callbackUrls and logoutUrls: An allow-list of redirect targets. Cognito only redirects to an exact match, which is what prevents an attacker-supplied redirect_uri from receiving the authorization code.
  3. Cognito Identity Pool:

    • allowUnauthenticatedIdentities: false means unauthenticated visitors are never issued AWS credentials.
    • cognitoIdentityProviders: Links the User Pool and User Pool Client to the Identity Pool, so only tokens from this pool and client can be exchanged for credentials.
  4. CloudFront Distribution:

    • originAccessIdentity: Gives CloudFront an identity to read from the bucket. It only keeps the bucket private if the bucket policy grants s3:GetObject to this OAI alone and the bucket's public access block is on; that bucket policy is not created by this program. AWS now recommends origin access control (OAC) over OAI for new distributions.
    • origins: Specifies the origin of the content. The bucket domain name is a placeholder.
    • defaultCacheBehavior: Defines how CloudFront caches content. Only GET, HEAD and OPTIONS are accepted and cookies are excluded from the cache key.
    • viewerCertificate: Uses the default CloudFront certificate, so the distribution is reachable only on its *.cloudfront.net name; the example.com callback URLs imply a custom domain, which needs an ACM certificate and an alias.
    • restrictions: No geographic restrictions.

This program creates the Cognito resources and a CloudFront distribution that reads from a private S3 origin. It does not, by itself, make the content available only to authenticated users: nothing in the distribution checks a Cognito token. To enforce that, add an authorization step at the edge, typically a Lambda@Edge (or CloudFront Functions) viewer-request handler that validates the Cognito JWT the app stores in a cookie or Authorization header (signature against the pool's JWKS, issuer, audience or client_id, token_use and expiry) and redirects unauthenticated viewers to the hosted UI, or have the app issue CloudFront signed cookies after a successful Cognito login.
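The edge check described above, as an added example that is not part of the Pulumi program on this page or of any AWS library: it validates a Cognito user pool JWT offline against the pool's JWKS and decides a viewer request the way a Lambda@Edge viewer-request handler would. The cookie name (idToken), the region, user pool id, client id and hosted-UI URL are assumptions, and the key pair and tokens are constructed in the block so it runs without AWS; in a real handler the JWKS is fetched from https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json and cached, and the private key never exists anywhere near the edge function.

```typescript
import * as crypto from "crypto";

// Minimal shapes for a Cognito JWKS document and the claims this check uses.
export interface Jwk { kty: string; kid: string; n: string; e: string; alg?: string; use?: string; }
export interface Jwks { keys: Jwk[]; }
export interface CognitoClaims {
    iss: string; sub: string; token_use: string; exp: number; aud?: string; client_id?: string; [k: string]: unknown;
}

const b64u = (b: Buffer): string => b.toString("base64url");
const unb64u = (s: string): Buffer => Buffer.from(s, "base64url");

// Verify a Cognito-issued RS256 JWT against the pool's JWKS. Returns the claims or null.
// The checks are the ones AWS documents for user pool tokens: signature by a key with the
// header's kid, iss, aud (ID token) or client_id (access token), token_use and exp.
export function verifyCognitoJwt(token: string, jwks: Jwks, issuer: string, clientId: string,
                                 nowSeconds: number = Math.floor(Date.now() / 1000)): CognitoClaims | null {
    const parts = token.split(".");
    if (parts.length !== 3) return null;
    const [h, p, s] = parts;
    let header: { alg?: unknown; kid?: unknown };
    let claims: CognitoClaims;
    try {
        header = JSON.parse(unb64u(h).toString("utf8"));
        claims = JSON.parse(unb64u(p).toString("utf8"));
    } catch {
        return null;
    }
    // Pin the algorithm instead of trusting header.alg (rejects alg=none and RS256/HS256 confusion).
    const kid = typeof header.kid === "string" ? header.kid : null;
    if (header.alg !== "RS256" || kid === null) return null;
    const jwk = jwks.keys.find(k => k.kid === kid && k.kty === "RSA");
    if (!jwk) return null;
    const publicKey = crypto.createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
    if (!crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey, unb64u(s))) return null;
    if (claims.iss !== issuer) return null;
    if (claims.token_use === "id" && claims.aud !== clientId) return null;
    if (claims.token_use === "access" && claims.client_id !== clientId) return null;
    if (claims.token_use !== "id" && claims.token_use !== "access") return null;
    if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
    return claims;
}

// The subset of the Lambda@Edge viewer-request event/response shapes used here.
export interface EdgeRequest { uri: string; headers: Record<string, { key?: string; value: string }[]>; }
export interface EdgeResponse { status: string; headers: Record<string, { key: string; value: string }[]>; }

// Viewer-request decision: pass the request to the origin only when a valid ID token is in the
// "idToken" cookie (an assumed name), otherwise send the viewer to the Cognito hosted UI.
export function authorizeViewerRequest(request: EdgeRequest, jwks: Jwks, issuer: string, clientId: string,
                                       loginUrl: string, nowSeconds?: number): EdgeRequest | EdgeResponse {
    const cookies = (request.headers["cookie"] ?? []).map(c => c.value).join("; ");
    const m = /(?:^|;\s*)idToken=([^;]+)/.exec(cookies);
    const claims = m ? verifyCognitoJwt(m[1], jwks, issuer, clientId, nowSeconds) : null;
    if (claims !== null && claims.token_use === "id") return request;
    return {
        status: "302",
        headers: {
            location: [{ key: "Location", value: loginUrl }],
            "cache-control": [{ key: "Cache-Control", value: "no-store" }],
        },
    };
}

// Test-only signer standing in for Cognito so the example runs offline.
export function signJwtRs256(claims: object, privateKey: crypto.KeyObject, kid: string): string {
    const header = b64u(Buffer.from(JSON.stringify({ alg: "RS256", kid, typ: "JWT" })));
    const payload = b64u(Buffer.from(JSON.stringify(claims)));
    const sig = crypto.sign("RSA-SHA256", Buffer.from(`${header}.${payload}`), privateKey);
    return `${header}.${payload}.${b64u(sig)}`;
}

// Constructed fixtures: assumed region, pool id, client id and hosted-UI URL, not values from the page.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const { n, e } = publicKey.export({ format: "jwk" });
export const demoKid = "demo-key-1";
export const demoJwks: Jwks = { keys: [{ kty: "RSA", kid: demoKid, n: n as string, e: e as string, alg: "RS256", use: "sig" }] };
export const demoIssuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE";
export const demoClientId = "1example23456789";
export const demoLoginUrl = "https://my-app.auth.us-east-1.amazoncognito.com/login?client_id=1example23456789&response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback";
export const demoNow = 1_700_000_000;
export const demoValidToken = signJwtRs256(
    { iss: demoIssuer, aud: demoClientId, token_use: "id", sub: "user-1", iat: demoNow, exp: demoNow + 3600 }, privateKey, demoKid);
export const demoExpiredToken = signJwtRs256(
    { iss: demoIssuer, aud: demoClientId, token_use: "id", sub: "user-1", iat: demoNow - 7200, exp: demoNow - 3600 }, privateKey, demoKid);

// Stand-alone run: a valid cookie passes through, no cookie is redirected to the hosted UI.
const withCookie: EdgeRequest = { uri: "/index.html", headers: { cookie: [{ value: `idToken=${demoValidToken}` }] } };
console.log("valid cookie passed:", "uri" in authorizeViewerRequest(withCookie, demoJwks, demoIssuer, demoClientId, demoLoginUrl, demoNow));
console.log("no cookie:", authorizeViewerRequest({ uri: "/index.html", headers: {} }, demoJwks, demoIssuer, demoClientId, demoLoginUrl, demoNow));
```

In a deployed Lambda@Edge function the handler receives `event.Records[0].cf.request`, passes it to `authorizeViewerRequest` and returns the result; the issuer string is `https://cognito-idp.<region>.amazonaws.com/<userPoolId>` and the client id is the user pool client created by the Pulumi program. Cognito rotates nothing silently, but it does publish more than one key, so match on `kid` rather than assuming a single key, and refetch the JWKS when a `kid` is unknown.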
