Authenticating IAM Identity User from external application

AWS Newbie here. Details:

  • Existing external .NET MVC application hosted on company server
  • New AWS Cognito User Pool
  • New IAM Identity Center User with permission to execute admin Cognito methods, like AdminCreateUserAsync
  • Installed: AWS SDK packages (CognitoIdentity, CognitoIdentityProvider, Core, SecurityToken, SSO, SSOOIDC), AWS CLI
  • Configured via AWS CLI: Default Profile in .aws config file using Identity Center user programmatic access data from user above

After logging in via the AWS CLI and getting an active session, I was able to execute Cognito calls like AdminCreateUserAsync from the MVC app running locally in Visual Studio.

My question: How do I deploy that code so that acquiring that user session and executing those Cognito admin methods occurs without AWS CLI command-line action? In other words, how is this all done programmatically?

Is it possible? Is there some other mechanism entirely for doing what I want? I have been lost in the wormhole of documentation and my head is about to explode.

Thanks so much.

1 Answer
To deploy your .NET MVC application with AWS Cognito integration, while ensuring security best practices and avoiding manual AWS CLI interactions, you can consider the following approach:

Use of IAM Roles and AWS Security Token Service (STS): You can utilize IAM roles for your application, especially when deploying on AWS infrastructure such as ECS, EC2 or Elastic Beanstalk. These roles provide the necessary permissions to your application to interact with AWS services. AWS STS can be used to assume roles and manage temporary credentials for accessing AWS services securely.

AWS SDK for .NET Configuration: Configure your application to use the AmazonCognitoIdentityProviderClient class from the AWS SDK for .NET. Ensure that the application, when deployed, assumes an IAM role with the necessary permissions to call AWS Cognito methods like AdminCreateUserAsync.

Secure Storage of Sensitive Data: Avoid embedding credentials in your application. Use AWS Systems Manager Parameter Store or AWS Secrets Manager to securely store and manage credentials and configuration data. Your application can retrieve these at runtime.

Environment Configuration: Ensure the server or cloud environment where your application is deployed has the necessary IAM role attached with the correct policies. Verify network access to AWS services from this environment.

Automated Credential Management: By using IAM roles and STS, your application automatically gets temporary credentials, eliminating the need for manual credential management or AWS CLI interaction.

These are a few practices that you can follow to ensure secure access to AWS services, adhering to best practices for IAM roles and credential management, and eliminating the need for manual CLI-based session management.

Lechu
answered 3 months ago
  • Thank you for your detailed response. Much appreciated. I need to dive into IAM Roles and STS so I can "Ensure that the application, when deployed, assumes an IAM role". Let me explore that and I will be back to accept your answer. Thanks again!
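The approach in the answer above, as an added C# example (not code from the question or the answer): credentials come from the SDK's default provider chain, which on EC2/ECS/Beanstalk resolves to the attached role with no CLI session; off AWS, the chain's source credentials are used only to assume a scoped role through STS, and the resulting temporary credentials back the Cognito client. The region, user pool id and role ARN are placeholders; in a deployment they would be read from Parameter Store, Secrets Manager or environment variables rather than compiled in.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

public static class CognitoAdmin
{
    // Placeholders (constructed): load real values from Parameter Store / Secrets
    // Manager / environment at runtime; never hard-code them in the application.
    private const string Region     = "us-east-1";
    private const string UserPoolId = "<USER_POOL_ID>";
    private const string RoleArn    = "arn:aws:iam::<ACCOUNT_ID>:role/<CognitoAdminRole>";

    // Builds credentials without any AWS CLI login.
    //  - runningOnAws == true : the default chain returns the instance/task role, so
    //    the role attached to the host is used directly (no STS call needed).
    //  - runningOnAws == false: the default chain returns whatever source credentials
    //    the server has (env vars, profile); they are used only to assume the admin
    //    role via STS. AssumeRoleAWSCredentials refreshes the temporary credentials
    //    automatically before they expire.
    public static AWSCredentials BuildCredentials(bool runningOnAws)
    {
        AWSCredentials source = FallbackCredentialsFactory.GetCredentials();
        if (runningOnAws) return source;

        return new AssumeRoleAWSCredentials(source, RoleArn, "mvc-cognito-admin",
            new AssumeRoleAWSCredentialsOptions { DurationSeconds = 900 }); // short-lived
    }

    // Calls the admin API with the resolved credentials; the role policy, not the
    // application, decides what Cognito operations are permitted.
    public static async Task<string> CreateUserAsync(AWSCredentials creds, string username, string email)
    {
        using var client = new AmazonCognitoIdentityProviderClient(
            creds, RegionEndpoint.GetBySystemName(Region));

        var request = new AdminCreateUserRequest
        {
            UserPoolId = UserPoolId,
            Username = username,
            UserAttributes = new List<AttributeType>
            {
                new AttributeType { Name = "email", Value = email },
                new AttributeType { Name = "email_verified", Value = "true" }
            },
            DesiredDeliveryMediums = new List<string> { "EMAIL" }
        };

        AdminCreateUserResponse response = await client.AdminCreateUserAsync(request);
        return response.User.Username; // username as recorded in the pool
    }
}
```

Grant the assumed role only the cognito-idp:Admin* actions the app actually calls, scoped to the user pool ARN, and require that role's trust policy to name the deployment's identity as the only principal allowed to assume it.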
