This is a Python CDK project: an Amazon API Gateway to DynamoDB integration with Amazon Cognito as the authorizer.
The cdk.json file tells the CDK Toolkit how to execute your app.
This project is set up like a standard Python project. The initialization process also creates a virtualenv within this project, stored under the .venv directory. To create the virtualenv it assumes that there is a python3 (or python for Windows) executable in your path with access to the venv package. If for any reason the automatic creation of the virtualenv fails, you can create the virtualenv manually.
To manually create a virtualenv on macOS and Linux:
$ python3 -m venv .venv
After the init process completes and the virtualenv is created, you can use the following step to activate your virtualenv.
$ source .venv/bin/activate
If you are on a Windows platform, you would activate the virtualenv like this:
% .venv\Scripts\activate.bat
Once the virtualenv is activated, you can install the required dependencies.
(.venv) $ pip install -r requirements.txt
At this point you can now synthesize the CloudFormation template for this code.
(.venv) $ export CDK_DEFAULT_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
(.venv) $ export CDK_DEFAULT_REGION=$(aws configure get region)
(.venv) $ cdk synth --all
Use the cdk deploy command to create the stack:
(.venv) $ cdk deploy --require-approval never --all
To add additional dependencies, for example other CDK libraries, just add them to your setup.py file and rerun the pip install -r requirements.txt command.
- Comments: stores the comments for each page of your website.
  {
    "TableName": "Comments",
    "KeySchema": [
      { "AttributeName": "commentId", "KeyType": "HASH" }
    ],
    "AttributeDefinitions": [
      { "AttributeName": "commentId", "AttributeType": "S" },
      { "AttributeName": "pageId", "AttributeType": "S" }
    ],
    "GlobalSecondaryIndexes": [
      {
        "IndexName": "pageId-index",
        "KeySchema": [
          { "AttributeName": "pageId", "KeyType": "HASH" }
        ],
        "Projection": { "ProjectionType": "ALL" }
      }
    ]
  }
- Post Comments
  Resource: /comments
  HTTP Method: POST
  HTTP Request Body:
  {
    "pageId": "example-page-id",
    "userName": "ExampleUserName",
    "message": "This is an example comment to be added."
  }
- Get Comments
  Resource: /comments/{pageId}
  HTTP Method: GET
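As an added example (not the project's own Lambda code), here is the input validation and the DynamoDB request shapes a handler behind these two routes would use against the Comments table above. The table name, index name and attribute names come from the schema and request body shown in this README; the length caps, the allowed pageId character set, the BadRequest exception and the helper names are assumptions made for this example.

```python
import json
import re
import uuid
from typing import List, Optional

# Names taken from the README's table schema; caps and pattern are assumptions.
TABLE_NAME = "Comments"
PAGE_INDEX = "pageId-index"
MAX_PAGE_ID = 128
MAX_USER_NAME = 64
MAX_MESSAGE = 2000
PAGE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
REQUIRED = ("pageId", "userName", "message")


class BadRequest(ValueError):
    """Raised for any request body the handler should answer with HTTP 400."""


def validate_comment(raw_body: str) -> dict:
    """Parse and validate a POST /comments body; return only the clean fields.

    Unknown keys are dropped rather than stored, so a client cannot smuggle
    extra attributes (for example its own commentId) into the item.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise BadRequest(f"body is not valid JSON: {exc}") from None
    if not isinstance(body, dict):
        raise BadRequest("body must be a JSON object")
    missing = [k for k in REQUIRED if k not in body]
    if missing:
        raise BadRequest(f"missing fields: {', '.join(missing)}")
    caps = (("pageId", MAX_PAGE_ID), ("userName", MAX_USER_NAME), ("message", MAX_MESSAGE))
    for key, cap in caps:
        value = body[key]
        if not isinstance(value, str) or not value.strip():
            raise BadRequest(f"{key} must be a non-empty string")
        if len(value) > cap:
            raise BadRequest(f"{key} exceeds {cap} characters")
    if not PAGE_ID_RE.match(body["pageId"]):
        raise BadRequest("pageId contains characters outside [A-Za-z0-9._-]")
    return {k: body[k] for k in REQUIRED}


def build_put_item(clean: dict, comment_id: Optional[str] = None) -> dict:
    """Return the kwargs for DynamoDB PutItem; commentId is always server-generated."""
    comment_id = comment_id or str(uuid.uuid4())
    return {
        "TableName": TABLE_NAME,
        "Item": {
            "commentId": {"S": comment_id},
            "pageId": {"S": clean["pageId"]},
            "userName": {"S": clean["userName"]},
            "message": {"S": clean["message"]},
        },
        # Never overwrite an existing comment, even if a UUID ever collided.
        "ConditionExpression": "attribute_not_exists(commentId)",
    }


def build_query_by_page(page_id: str) -> dict:
    """Return the kwargs for DynamoDB Query on the pageId GSI.

    The value travels in ExpressionAttributeValues and is never spliced into
    the expression string, so there is no expression-injection surface.
    """
    if not PAGE_ID_RE.match(page_id):
        raise BadRequest("invalid pageId")
    return {
        "TableName": TABLE_NAME,
        "IndexName": PAGE_INDEX,
        "KeyConditionExpression": "pageId = :p",
        "ExpressionAttributeValues": {":p": {"S": page_id}},
    }


def format_comments(items: List[dict]) -> dict:
    """Shape Query results into the GET /comments/{pageId} response shown below.

    Only the three public fields are returned; pageId (present because the
    GSI projects ALL attributes) is redundant with the URL and is dropped.
    """
    return {
        "comments": [
            {
                "commentId": it["commentId"]["S"],
                "userName": it["userName"]["S"],
                "message": it["message"]["S"],
            }
            for it in items
        ]
    }
```

The three request-shape functions return plain dicts so they can be unit-tested without AWS credentials; in a real handler they are passed straight to boto3's put_item and query.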
Let's test if our lambda function is protected by the authorizer. In order to test the flow we have to:
- Register a Cognito User, using the AWS CLI:
  aws cognito-idp sign-up \
    --client-id your-user-pool-client-id \
    --username "[email protected]" \
    --password "user-password"
  Note: You can find UserPoolClientId with the following command:
  aws cloudformation describe-stacks --stack-name your-cloudformation-stack-name | jq -r '.Stacks[0].Outputs | map(select(.OutputKey == "UserPoolClientId")) | .[0].OutputValue'
- Confirm the user, so they can log in:
  aws cognito-idp admin-confirm-sign-up \
    --user-pool-id your-user-pool-id \
    --username "[email protected]"
  At this point if you look at your Cognito user pool, you would see that the user is confirmed and ready to log in.
  Note: You can find UserPoolId with the following command:
  aws cloudformation describe-stacks --stack-name your-cloudformation-stack-name | jq -r '.Stacks[0].Outputs | map(select(.OutputKey == "UserPoolId")) | .[0].OutputValue'
- Log the user in to get an identity JWT token:
  aws cognito-idp initiate-auth \
    --auth-flow USER_PASSWORD_AUTH \
    --auth-parameters USERNAME="[email protected]",PASSWORD="user-password" \
    --client-id your-user-pool-client-id
- Hit our API to test the authorizer: use the token to invoke our API endpoint, which will call the function (if the token is valid).
- First we will put a record into DynamoDB, for example:
  {
    "pageId": "breaking-news-story-01-18-2016",
    "userName": "Just Saying Thank You",
    "message": "I really enjoyed this story!!"
  }
- Run the post comments API like this:
  MY_ID_TOKEN=$(aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME="[email protected]",PASSWORD="user-password" --client-id your-user-pool-client-id | jq -r '.AuthenticationResult.IdToken')
  curl -L -X POST 'your-api-url/comments/' \
    --header "Authorization: ${MY_ID_TOKEN}" \
    -d '{"pageId":"breaking-news-story-01-18-2016", "userName":"Just Saying Thank You", "message":"I really enjoyed this story!!"}' \
    -H 'Content-Type: application/json'
  The response is:
  {}
  Navigate to the DynamoDB console and view the Comments table to show that the request really was successfully processed.
- Now let's try to retrieve data from our DynamoDB:
  MY_ID_TOKEN=$(aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME="[email protected]",PASSWORD="user-password" --client-id your-user-pool-client-id | jq -r '.AuthenticationResult.IdToken')
  curl -L -X GET 'your-api-url/comments/breaking-news-story-01-18-2016' \
    --header "Authorization: ${MY_ID_TOKEN}"
  The response is:
  {
    "comments": [
      {
        "commentId": "d4e373b5-9977-45e9-8855-ecacd160c108",
        "userName": "Just Saying Thank You",
        "message": "I really enjoyed this story!!"
      }
    ]
  }
- Note: You can find your-api-url with the following command:
  aws cloudformation describe-stacks --stack-name your-cloudformation-stack-name | jq -r '.Stacks[0].Outputs | map(select(.ExportName == "ApiGatewayRestApiEndpoint")) | .[0].OutputValue'
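The curl commands above send the Cognito IdToken in the Authorization header, and the API Gateway Cognito user pool authorizer accepts or rejects the call on the token's claims. As an added example (not part of this project), the script below decodes such a token locally and applies the claim checks the authorizer relies on, which is useful when a request comes back 401 and you want to see which claim is off. The issuer format and the JWKS URL are standard Cognito facts; the pool id, client id, region and the check_id_token_claims / make_unsigned_id_token helpers are assumptions made for this example. Signature verification is deliberately not done here: the authorizer verifies the RS256 signature against the pool's JWKS before it trusts any of these claims, and that check needs network access to the pool.

```python
import base64
import json
import time
from typing import List, Optional, Tuple

# Added example, not project code. A real verifier must also check the RS256
# signature against https://cognito-idp.<region>.amazonaws.com/<poolId>/.well-known/jwks.json
# (selecting the key by the header's kid); this script only inspects claims.


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Split a compact JWT into (header, payload) WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_id_token_claims(token: str, user_pool_id: str, client_id: str,
                          region: str, now: Optional[int] = None) -> List[str]:
    """Return the reasons a Cognito user pool authorizer would reject this token.

    An empty list means the claims are consistent with the configured pool and
    app client; the signature still has to be verified separately.
    """
    now = int(time.time()) if now is None else now
    problems = []
    header, claims = decode_jwt(token)
    if header.get("alg") != "RS256" or "kid" not in header:
        problems.append("header must be RS256 with a kid pointing into the pool JWKS")
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} is not {expected_iss!r}")
    # The README sends the IdToken; an AccessToken carries token_use "access"
    # and client_id instead of aud, so it fails both of the next two checks.
    if claims.get("token_use") != "id":
        problems.append("token_use must be 'id'")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the user pool client id")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token is expired (exp is in the past)")
    return problems


def make_unsigned_id_token(claims: dict) -> str:
    """Build a CONSTRUCTED token with a dummy signature for offline testing.

    It would never pass the authorizer's signature check; it exists only so the
    claim checks above can be exercised without a real user pool.
    """
    header = {"alg": "RS256", "kid": "example-kid"}
    return ".".join((
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ))


if __name__ == "__main__":
    # Constructed sample values; replace with your pool, client and region.
    sample = make_unsigned_id_token({
        "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
        "aud": "example-client-id", "token_use": "id",
        "exp": int(time.time()) + 3600, "sub": "constructed-sub",
    })
    print(check_id_token_claims(sample, "us-east-1_EXAMPLE", "example-client-id", "us-east-1"))
```

To inspect a real token from the flow above, pass the value of MY_ID_TOKEN (read it from the environment rather than pasting it into a shell history) together with the UserPoolId and UserPoolClientId stack outputs; a non-empty list tells you which claim the authorizer would object to.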
Delete the CloudFormation stack by running the below command.
(.venv) $ cdk destroy --force --all
Other useful CDK commands:
- cdk ls: list all stacks in the app
- cdk synth: emits the synthesized CloudFormation template
- cdk deploy: deploy this stack to your default AWS account/region
- cdk diff: compare deployed stack with current state
- cdk docs: open CDK documentation
Enjoy!