AWS Gov Cloud application load balancer authenticate rule with Cognito
In AWS' commercial cloud (us-west-2), I can create an ALB listener rule on my HTTPS (443) listener to first authenticate to a Cognito user pool (with OIDC integration Azure AD) and then forward to an Ec2 instance after successful authentication.
I try the same things in gov cloud (gov-west-1), and there is no option to Authenticate in a Load Balance listener rule with Cognito, only pure OIDC authentication.
Does this feature exist in Gov cloud?
I'm specifically discussing the attached "insert rule" UI shown in the image. In my gov cloud account (gov-west-2), "Amazon Cognito" is not an option in the "1. Authentucate" dropdown. The only option that exists is "OIDC"
This feature is sadly not yet available in GovCloud (see this doc on govcloud-differences), but you can get around this by setting up an OIDC auth action directed to your Cognito User Pool (which is able to act as a standard OIDC provider).
This auth action requires you to provide OIDC endpoints which are described for AWS Cognito at the following docs page: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html
This does require you to set up a User Pool App Client, configured with a Client Secret, as well as a User Pool Domain.
Lastly, make sure to configure your CallbackURLs for the Cognito Client to allow redirects back to the /oauth2/idpresponse endpoint on your Load Balancer; e.g. for a Load Balancer at <DNS>, use CallbackURL: https://DNS/oauth2/idpresponse.
When you configure the auth action, you will need to supply the following details:
- Authenticate:
OIDC - Issuer:
https://cognito-idp.us-gov-west-1.amazonaws.com/us-gov-west-1_abc123 - Authorization endpoint:
https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/authorize - Token endpoint:
https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/token - User info endpoint:
https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/userInfo - Client ID:
abcdef123456 - Client secret:
hunter7
Sample CloudFormation snippet follows:
Parameters:
SessionTimeout:
Description: The maximum duration of the authentication session, in seconds.
Type: Number
Default: 604800 # One day
MinValue: 60
MaxValue: 604800
CognitoClientID:
Description: Client ID from pre-configured cognito environment
Type: String
NoEcho: true
CognitoClientSecret:
Description: Client Secret from pre-configured cognito environment
Type: String
NoEcho: true
CognitoProviderUrl:
Description: Provider URL from pre-configured cognito environment
Type: String
CognitoDomainName:
Description: Domain Name from pre-configured cognito environment
Type: String
TargetGroupArn:
Description: ARN of the Target Group for forwarding traffic
Type: String
Conditions:
IsGovCloud: !Not [!Equals ['aws', !Ref AWS::Partition]]
Resources:
AuthenticatedListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
Actions:
- Type: authenticate-oidc
Order: 1
AuthenticateOidcConfig:
ClientId: !Ref CognitoClientID
ClientSecret: !Ref CognitoClientSecret
Issuer: !Ref CognitoProviderUrl
UserInfoEndpoint:
Fn::Sub:
- https://${CognitoDomainName}.${AuthSuffix}.${AWS::Region}.amazoncognito.com/oauth2/userInfo
- AuthSuffix: !If [IsGovCloud, "auth-fips", "auth"]
AuthorizationEndpoint:
Fn::Sub:
- https://${CognitoDomainName}.${AuthSuffix}.${AWS::Region}.amazoncognito.com/oauth2/authorize
- AuthSuffix: !If [IsGovCloud, "auth-fips", "auth"]
TokenEndpoint:
Fn::Sub:
- https://${CognitoDomainName}.${AuthSuffix}.${AWS::Region}.amazoncognito.com/oauth2/token
- AuthSuffix: !If [IsGovCloud, "auth-fips", "auth"]
OnUnauthenticatedRequest: authenticate
Scope: openid
SessionTimeout: !Ref SessionTimeout
- Type: forward
Order: 2
TargetGroupArn:
Ref: TargetGroup
Best of luck and let's hope for expanded GovCloud features soon
- What does "eksctl create iamserviceaccount" do under the hood on an EKS cluster?
- Reporting AWS Tools RDS or Redshift?
- Configure Selenium Nodes without a JSON file
- How to bypass expectation of S3 server 100-contiune response in Boto3 put_object method
- Deleting Perforce depot from AWS EC2 server does not free up space on EC2
- Middy is not getting a secret from Secret Manager in a NodeJS AWS Lambda
- Can I include a display name when sending email from the AWS SES Javascript v3 SDK?
- Is it possible to add fields to struct in an existing AWS Athena table?
- AWS SNS - Message missing a phone number
- How to run a one-off task on AWS ECS Fargate?
- AWS FIFO queues subscription with SNS: passing message group id
- AWS CLI to get all matching CloudFronts using the "--query" option?
- What is the best way to read a csv and text file from S3 on AWS glue without having to read it as a Dynamic daataframe?
- Why is CloudFormation saying AlreadyExists when creating a AWS::ApiGateway::Authorizer
- AWS sts assume role in one command
- GetSecretValue, get identity: get credentials: failed to refresh cached credentials
- Does PutACLAsync make a copy of an object?
- How to use AWS CodeArtifact *within* A Dockerfile in AWSCodeBuild
- AWS CodeBuild: Accessing CodeCommit repository in another account?
- AWS Java SDK SSL Certificates
- How can I use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to perform actions in AWS through a Jenkins pipeline?
- Syntax error when executing Invoke-DDBQuery to fetch dynamodb record using Powershell
- How can I delete a specific record from my AWS Glue table?
- Start cfn-init in Ubuntu instance with cloudformation (yaml)
- How to check ephemeral storage that is allocated to EKS node
- Permission Error Running Container in AWS CodeBuild
- retrieve list of urls from Amazon S3 bucket using R
- New volume in ec2 instance not reflecting
- How to allocate GPUs on AWS Free Tier?
- Get source repo commit hash in AWS code build step