Pinpoint APNS Channel in Cloudformation


Hi,

I am trying to set up a Pinpoint Application with CloudFormation.

Application and GCM channel setup is going fine; however, there is a problem with the APNS channel. I have a certificate in a .p12 file which I can use in the console, and I converted that to a PEM file to be able to get the certificate in text format. Using the .p12 file, I successfully created the channel in the console. However, when I try to create the channel in CloudFormation, it fails with the message:

Missing credentials (Service: AmazonPinpoint; Status Code: 400; Error Code: BadRequestException; Request ID: 0f17c5a3-c7f2-11e9-951b-e99faef7eabb)

The CloudFormation template looks like:

AWSTemplateFormatVersion: 2010-09-09
Description: Pinpoint Test Stack
Parameters:
  APNSCert:
    Description: APNS Certificate
    Type: String

Resources:
  PinpointApplication:
    Type: AWS::Pinpoint::App
    Properties:
      Name: !Sub '${AWS::StackName}-PinpointApplication'

  PinpointAPNSChannel:
    Type: AWS::Pinpoint::APNSChannel
    Properties:
      Certificate: !Ref APNSCert
      ApplicationId: !Ref PinpointApplication
      DefaultAuthenticationMethod: CERTIFICATE
      Enabled: True

When I create the stack, I pass the certificate string to the parameter, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

What am I doing wrong?

MartonP
asked 3 years ago, 83 views

3 Answers

After some more tries, I succeeded, so in case anyone else finds this forum, here's what I did.

First, issue the following command on the certificate p12 file:

openssl pkcs12 -in certificate.p12 -nodes -clcerts

You might be prompted to provide a password.

Now, you will see the certificate and the private key in the console as text. You can paste them into the CloudFormation template as:

AWSTemplateFormatVersion: 2010-09-09
Description: Test Stack.

Resources:
  PinpointApplication:
    Type: AWS::Pinpoint::App
    Properties:
      Name: !Sub '${AWS::StackName}-PinpointApplication'

  PinpointAPNSChannel:
    Type: AWS::Pinpoint::APNSChannel
    Properties:
      Certificate: |
        -----BEGIN CERTIFICATE-----
        Certificate text
        Be careful with tabbing
        -----END CERTIFICATE-----
      PrivateKey: |
        -----BEGIN PRIVATE KEY-----
        Private key text
        Be careful with tabbing
        -----END PRIVATE KEY-----
      ApplicationId: !Ref PinpointApplication
      DefaultAuthenticationMethod: CERTIFICATE
      Enabled: True

It also looks like the console removes the newlines from the strings if they are passed as parameters, so it does not work that way.

MartonP
answered 3 years ago

This VERY nearly worked for me also, since the p12 would not load via the console. AWS have taken a HAR file from an attempt, so hopefully the console will be fixed one day.

Regardless of cert upload, we do everything via CloudFormation, and no matter what I did I could not get the certs and private key uploaded.

Support Tech advised the following format. I hope this helps someone else save a few hours of banging their head against the lack of AWS documentation.

The format of the certs seems to require the \n in the locations below for it to be accepted:
"-----BEGIN CERTIFICATE-----\n{{certContents}}\n-----END CERTIFICATE-----\n"
"-----BEGIN PRIVATE KEY-----\n{{certContents}}\n-----END PRIVATE KEY-----\n"

Then you need to be aware that if you take these strings and put them in something like Secrets Manager, it seems to add an extra \ to the \n, so the CloudFormation then fails as the cert is in an invalid format.

You can edit the secret in plaintext to see the extra \.

Cheers

answered 3 years ago

This solution works 100% and is tested.

Certificate & PrivateKey can be generated from the command line using the .p12 file (e.g. openssl pkcs12 -in Dev_Push_Certificate.p12 -nodes -clcerts).

The CloudFormation template below can help set up and enable AWS Pinpoint push notifications, with FCM and APNS enabled. It takes parameter-based values for the FCM key, APNS certificate and APNS private key, which can be set up through the AWS Console.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "FCMKey": { "Type": "String", "Description": "FCMKey" },
    "Certificate": { "Type": "String", "Description": "Certificate" },
    "PrivateKey": { "Type": "String", "Description": "PrivateKey" }
  },
  "Resources": {
    "PinPoint": {
      "Type": "AWS::Pinpoint::App",
      "Properties": { "Name": "test" }
    },
    "GCMChannel": {
      "Type": "AWS::Pinpoint::GCMChannel",
      "Properties": {
        "ApiKey": { "Ref": "FCMKey" },
        "ApplicationId": { "Ref": "PinPoint" },
        "Enabled": true
      }
    },
    "APNSSandboxChannel": {
      "Type": "AWS::Pinpoint::APNSSandboxChannel",
      "Properties": {
        "ApplicationId": { "Ref": "PinPoint" },
        "Certificate": {
          "Fn::Join": [ "", [
            "-----BEGIN CERTIFICATE-----\n",
            { "Ref": "Certificate" },
            "\n-----END CERTIFICATE-----"
          ] ]
        },
        "DefaultAuthenticationMethod": "CERTIFICATE",
        "Enabled": true,
        "PrivateKey": {
          "Fn::Join": [ "", [
            "-----BEGIN PRIVATE KEY-----\n",
            { "Ref": "PrivateKey" },
            "\n-----END PRIVATE KEY-----"
          ] ]
        }
      }
    }
  }
}

answered 5 months ago
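The three answers above describe one procedure: dump the .p12 with openssl, separate the certificate from the private key, make sure every line break survives as a real newline (the first answer found the console parameter form strips them, the second found Secrets Manager double-escapes them), and hand the strings to the APNSChannel resource either whole or as body-only values for a Fn::Join template like the last answer's. The script below is an added example, not code from the thread or from AWS: it parses the text that `openssl pkcs12 -in certificate.p12 -nodes -clcerts` prints, rebuilds each block in the BEGIN/64-column body/END/trailing-newline shape the second answer quotes, repairs a value that arrived with literal backslash-n sequences, and writes a parameter file for `aws cloudformation create-stack --parameters file://params.json`. The parameter names APNSCert, APNSKey and FCMKey and the sample openssl output are my own choices and constructed filler, not real key material. Whichever route you take, the private key ends up as a stack parameter or inline template text, so declare the parameter with `NoEcho: true` so it is masked in DescribeStacks output and the console, and keep the template and parameter file out of any repository.

```python
"""Added example (not from the thread): turn the PEM that
`openssl pkcs12 -in certificate.p12 -nodes -clcerts` prints into the
strings AWS::Pinpoint::APNSChannel wants, plus a CLI parameter file."""
import json
import re

# One PEM block: label in the BEGIN/END armor, base64 body in between.
# openssl also prints "Bag Attributes" and key-attribute lines; the regex
# skips everything outside the armor.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def unescape_newlines(value):
    """Undo the double escaping the second answer describes for values kept
    in Secrets Manager: if a string has no real newline but carries the
    two-character sequence backslash-n, turn those back into newlines."""
    if "\n" not in value and "\\n" in value:
        return value.replace("\\n", "\n")
    return value


def canonical_pem(label, body):
    """Rebuild a PEM block in the shape the support engineer quoted:
    BEGIN line, 64-character base64 lines, END line, trailing newline.
    Collapsing and re-wrapping the body removes stray tabs and CRLFs."""
    b64 = "".join(body.split())
    if not B64.match(b64):
        raise ValueError(f"{label}: body is not base64")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def split_pkcs12_pem(text):
    """Return (certificate, private_key) as canonical PEM strings from the
    openssl output. Takes the first CERTIFICATE (the leaf, with -clcerts)
    and the first key whatever its label (PRIVATE KEY, RSA PRIVATE KEY...)."""
    cert = key = None
    for m in PEM_BLOCK.finditer(unescape_newlines(text)):
        label, body = m.group("label"), m.group("body")
        if label == "CERTIFICATE" and cert is None:
            cert = canonical_pem(label, body)
        elif label.endswith("PRIVATE KEY") and key is None:
            key = canonical_pem(label, body)
    if cert is None or key is None:
        raise ValueError("openssl output did not contain both a certificate and a private key")
    return cert, key


def pem_body(pem_text):
    """Body only (no BEGIN/END lines) for a template that adds the armor
    itself with Fn::Join, like the JSON template in the last answer."""
    return PEM_BLOCK.search(pem_text).group("body")


def cloudformation_parameters(cert, key, fcm_key=None):
    """Parameter list for `aws cloudformation create-stack --parameters
    file://params.json`. json.dumps encodes each real newline as \\n inside
    the JSON string, so the line breaks survive the trip through the file;
    the parameter names are assumptions chosen to match the question."""
    params = [
        {"ParameterKey": "APNSCert", "ParameterValue": cert},
        {"ParameterKey": "APNSKey", "ParameterValue": key},
    ]
    if fcm_key is not None:
        params.append({"ParameterKey": "FCMKey", "ParameterValue": fcm_key})
    return params


# Constructed sample of openssl's output; the base64 is filler, not a real
# certificate or key.
SAMPLE_OPENSSL_OUTPUT = (
    "Bag Attributes\n"
    "    friendlyName: Apple Push Services: com.example.app\n"
    "    localKeyID: 01 02 03\n"
    "subject=/UID=com.example.app/CN=Apple Push Services: com.example.app\n"
    "issuer=/CN=Apple Worldwide Developer Relations Certification Authority\n"
    "-----BEGIN CERTIFICATE-----\n" + ("A" * 64 + "\n") * 3 + "QUJD\n"
    "-----END CERTIFICATE-----\n"
    "Bag Attributes\n"
    "    friendlyName: Apple Push Services: com.example.app\n"
    "Key Attributes: <No Attributes>\n"
    "-----BEGIN PRIVATE KEY-----\n" + ("B" * 64 + "\n") * 2 + "Qg==\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    cert, key = split_pkcs12_pem(SAMPLE_OPENSSL_OUTPUT)
    # Real use: pipe the openssl output in instead of the constructed sample.
    print(json.dumps(cloudformation_parameters(cert, key), indent=2))
```

Pipe the real openssl output through `split_pkcs12_pem` instead of the sample and feed the printed JSON to `create-stack`; if you keep the strings in Secrets Manager, run the retrieved value through `unescape_newlines` before passing it on, and use `pem_body` only with a template that adds the BEGIN/END lines itself.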
