AWS Mobile Blog

Simplify Web Identity Federation Setup with AWS CloudFormation

by Rachit Dhall | in S3

In a previous post, we discussed web identity federation and its use in enabling social login for access to AWS resources in a developer’s AWS account. The sample Personal File Store application uses web identity federation to allow users to store data in Amazon S3. In this post, we show you how to use AWS CloudFormation to simplify the configuration and maintenance of the resources the sample application requires. If you are not familiar with web identity federation or the Personal File Store application, please refer back to our previous post, as this post assumes you are already familiar with both.

Creating a stack

  1. From the AWS CloudFormation console, click the Create Stack or the Create New Stack button.

    You can customize the template for other use cases.

  2. On the next screen, choose a meaningful name for your stack. In the Template section, select the Upload Template File option. Browse to and select the template included in the S3 Personal File Store project. Click Next Step.

  3. The next screen lists four parameters. Let’s go over each of the parameters.

    • S3 Bucket Name: The name of the S3 bucket to be created to store the data.
    • Amazon App Id: The App Id of your application, obtained after you have registered your application with Login With Amazon. Follow the steps in this ReadMe file on how to get an Amazon App Id.
    • Facebook App Id: The App Id of your application, obtained when you create your application on Facebook. Follow the steps in this ReadMe file on how to get a Facebook App Id.
    • Google Client Id: The Client Id of the application, obtained when you create a new Client Id in the Google Console. Follow the steps in this ReadMe file on how to get a Google Client Id.

      Note: Successfully creating the resources stack requires you to specify the S3 bucket name and at least one of the three identity providers’ App Ids.

    Click Next Step.

  4. On the Options page, click Next Step.

  5. On the Review page, click Create.

  6. CloudFormation creates all the resources necessary for the application. You can see the final status of the stack in the Status column.

  7. If the stack is created successfully, the following resources are created:

    • S3 bucket with the name specified earlier.
    • One user role is created for each identity provider whose App Id was provided.
    • Each role is configured with a custom policy that scopes access to each user’s own folder in Amazon S3. For more details about this app and policy, please refer to this article. You can see the resources created in the Resources tab. If you do not see any resources in the Resources tab, refer to step 9.

  8. To get the user role ARN for each identity provider, click the Outputs tab. This ARN is used to run the S3 Personal File Store app.

  9. If there is a logical error, such as failing to provide the minimum required information, the stack may be created without any resources. In this case the Outputs tab shows an error message as an output.
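The following template is an added, illustrative example written from the behaviour described in these steps; it is not the project’s own template. It shows the Facebook provider only (the Amazon and Google blocks follow the same pattern) and assumes the parameter name FacebookAppId, the condition names HasFacebook and NoProvider, and the policy name PersonalFolderAccess; the resource name FBPersonalStoreUserRole and the output name FacebookUserRoleARN are the ones the post refers to. The Conditions are what make a role and its output exist only when that provider’s App Id is supplied, and what leave the stack empty with an error output when no provider is configured.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BucketName: { Type: String }
  # Amazon App Id and Google Client Id parameters follow the same pattern (omitted here).
  FacebookAppId: { Type: String, Default: '' }
Conditions:
  # A provider's role and output exist only when its App Id was supplied.
  HasFacebook: !Not [!Equals [!Ref FacebookAppId, '']]
  # With no provider configured nothing is created, as described in step 9.
  NoProvider: !Not [!Condition HasFacebook]
Resources:
  PersonalStoreBucket:
    Type: AWS::S3::Bucket
    Condition: HasFacebook
    Properties: { BucketName: !Ref BucketName }
  FBPersonalStoreUserRole:
    Type: AWS::IAM::Role
    Condition: HasFacebook
    Properties:
      # Trust policy: only Facebook tokens issued for this App Id may assume the role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Federated: graph.facebook.com }
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals: { 'graph.facebook.com:app_id': !Ref FacebookAppId }
      Policies:
        - PolicyName: PersonalFolderAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # A user may read, write and list only keys under their own Facebook user id.
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject, s3:DeleteObject]
                Resource: !Sub 'arn:aws:s3:::${BucketName}/${!graph.facebook.com:id}/*'
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub 'arn:aws:s3:::${BucketName}'
                Condition:
                  StringLike: { 's3:prefix': '${graph.facebook.com:id}/*' }
Outputs:
  FacebookUserRoleARN:
    Condition: HasFacebook
    Value: !GetAtt FBPersonalStoreUserRole.Arn
  ConfigurationError:
    Condition: NoProvider
    Value: 'Specify the S3 bucket name and at least one identity provider App Id.'
```

Updating the stack with the same template and a non-empty FacebookAppId flips HasFacebook to true and creates the role and output; clearing the parameter flips it back and deletes them.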

Adding an Identity Provider

At some point, you might want to add another identity provider. The CloudFormation update stack feature is useful for this scenario.

  1. Go to the AWS CloudFormation console, select the stack you want to update, and click Update Stack.

  2. In the Template section, select the Upload Template File option. Browse to and select the template included in the S3 Personal File Store project. Click Next Step.

  3. The next screen lists four parameters. Add the App Id (for Amazon or Facebook) or the Client Id (for Google). Here we add the Facebook App Id. Click Next Step.

    Note: Stack updating requires you to specify the S3 bucket name and at least one of the three identity providers’ App Ids.

  4. An update policy is not required for this use case. On the Policy screen, click Next Step.

  5. On the Review screen, click Update.

  6. CloudFormation updates all the resources necessary for the application. You can see the final status of the stack in the Status column.

  7. If the stack update is successful, you can see the list of resources in the Resources tab. FBPersonalStoreUserRole is created in addition to the existing two roles. If you do not see any resources in the Resources tab, refer to step 9.

  8. To get the user role ARN for the identity provider you added, click the Outputs tab. This ARN will be used to run the S3 Personal File Store app.

  9. If there is a logical error, such as failing to provide the minimum required information, the stack may be updated without any resources. In this case the Outputs tab shows an error message as an output.

Deleting an Identity Provider

At some point, you might want to remove support for an identity provider. The CloudFormation update stack feature is useful for this scenario as well.

  1. Go to the AWS CloudFormation console, select the stack you want to update, and click Update Stack.

  2. In the Template section, select the Upload Template File option. Browse to and select the template included in the S3 Personal File Store project. Click Next Step.

  3. The next screen lists four parameters. Delete the App Id (for Amazon or Facebook) or the Client Id (for Google). Here we delete the Facebook App Id. Click Next Step.

    Warning: Stack updating requires you to specify the S3 bucket name and at least one of the three identity providers’ App Ids. If you remove the S3 bucket name or all three App Ids, the update deletes all the resources and the output is an error. Once stack resources are deleted, they cannot be recovered to their previous state.

  4. An update policy is not required for this use case. On the Policy screen, click Next Step.

  5. On the Review screen, click Update.

  6. CloudFormation updates all the resources necessary for the application. You can see the final status of the stack in the Status column.

  7. If the stack update is successful, you can see the list of resources in the Resources tab. The user role named FBPersonalStoreUserRole is deleted. If you do not see any resources in the Resources tab, refer to step 9.

  8. Click the Outputs tab. Note that FacebookUserRoleARN no longer appears in the output.

  9. If there is a logical error, such as failing to provide the minimum required information, the stack may be updated without any resources. In this case the Outputs tab shows an error message as an output.

Deleting the Stack

Select the stack and click the Delete Stack button. This will delete all the resources associated with the stack.

Conclusion

AWS CloudFormation simplifies integrating web identity federation into your app. With the update feature you can always add or remove support for identity providers for the same set of resources. We hope this article helps you automate the configuration process and allows you to spend more time coding great apps. Feel free to post your suggestions or new feature/blog requests here in the comments or in our forum.