@itentialopensource/adapter-aws_cognito_identity_provider 0.1.1 → 0.1.3

package/AUTH.md CHANGED
@@ -3,7 +3,7 @@
3
3
  This document will go through the steps for authenticating the AWS Cognito Identity Provider adapter with AWS Signature 4 Authentication. Properly configuring the properties for an adapter in IAP is critical for getting the adapter online. You can read more about adapter authentication <a href="https://docs.itential.com/opensource/docs/authentication" target="_blank">HERE</a>.
4
4
 
5
5
  ### AWS Authentication
6
- The AWS Cognito Identity Provider adapter requires AWS Authentication therefore the `auth_method` should be set to `aws_authentication`. The adapter utilizes AWS signature 4 authentication. There are three mechanisms for doing this.
6
+ The AWS Cognito Identity Provider adapter requires AWS Authentication therefore the `auth_method` should be set to `aws_authentication`. The adapter utilizes AWS signature 4 authentication. There are three mechanisms for doing this. There is a brief description in this section and more information in the specific section for each authentication.
7
7
 
8
8
  The first way is using a "service" account and its AWS keys to authenticate as that account. In this case, you will get the aws_access_key, aws_secret_key, and aws_session_token from AWS and configure them into the adapter service instance as shown below.
9
9
 
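Review bot: the added sentence promises "more information in the specific section for each authentication" but never names the three mechanisms, so a reader cannot map them to the sections that follow; suggest listing them here (service-account keys, STS assume role, IAM role) in the order the sections appear. The same line still reads "requires AWS Authentication therefore the `auth_method`", which needs a comma or "so" before "therefore".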
@@ -14,7 +14,9 @@ The third authentication method is to use an IAM role. With this method, you do
14
14
  If you change authentication methods, you should change this section accordingly and merge it back into the adapter repository.
15
15
 
16
16
  ### AWS Signature 4 Service Account Authentication
17
- The AWS Cognito Identity Provider adapter requires AWS Signature 4 Authentication. If you change authentication methods, you should change this section accordingly and merge it back into the adapter repository.
17
+ This can also be referred to as standard credential signing using an Adapter Role or Pod Role.
18
+
19
+ Provide access key and secret key in adapter service instance configuration (Adapter Role). Those credentials are used to sign all calls. If no access key and/or secret key are provided, it will use AWS Environment variables (which in Saas is the Pod Role) to sign all calls. If this role has no permission to make the call, the call will fail with authentication issues.
18
20
 
19
21
  STEPS
20
22
  1. Ensure you have access to a AWS Cognito Identity Provider server and that it is running
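Review bot: the new paragraph does not say which AWS environment variables the fallback reads, nor whether `aws_session_token` takes part in signing, even though the service-account paragraph earlier lists it next to the access and secret key; state both, since an operator debugging a signing failure needs to know which credential source was actually used. "Saas" should read "SaaS", and calling a static access-key pair the "Adapter Role" invites confusion with the IAM role configured in `aws_iam_role` later in this document; "adapter credentials" would be clearer here.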
@@ -32,7 +34,12 @@ you can leave all of the other properties in the authentication section, they wi
32
34
  4. Restart the adapter. If your properties were set correctly, the adapter should go online.
33
35
 
34
36
  ### AWS Security Token Service
35
- The AWS Cognito Identity Provider adapter also supports AWS Security Token Service (STS) Authentication. For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and pass the STS information into the method. You will still need to provide the relevant `aws_secret_key` and `aws_access_key` as described above. Below is an example of the data required in the `sts` tasks:
37
+ The AWS Cognito Identity Provider adapter also supports AWS Security Token Service (STS) Authentication. This can also be referred to as standard credential but then STS assume role based on STS Params on Task.
38
+ Adapter Role => Task Role(s) or Pod Role => Task Role(s).
39
+
40
+ Provide access key and secret key in adapter service instance configuration (Adapter Role). Will use these credentials on the assume role request to assume a different role defined in the STSParams on the task (Task Role). The Task Role will then be used to sign the call to AWS. The Adapter Role has to have the right to assume the Task Role or the call will fail. If no access key and/or secret key are provided, it will use AWS Environment variables (which is Saas is the Pod Role) to attempt the assume a different role defined in the STSParams on the task (Task Role). The Task Role will then be used to sign the call to AWS. The Pod Role has to have the right to assume the Task Role or the call will fail.
41
+
42
+ For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and pass the STS information into the method. You will still need to provide the relevant `aws_secret_key` and `aws_access_key` as described above. Below is an example of the data required in the `sts` tasks:
36
43
 
37
44
  ```json
38
45
  {
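Review bot: the retained sentence "You will still need to provide the relevant `aws_secret_key` and `aws_access_key` as described above" contradicts the new paragraph, which says that when no keys are configured the AWS environment variables (Pod Role) are used for the assume-role request; one of the two statements should be corrected. The new paragraph also repeats the Task Role signing sentences verbatim for both credential sources and would read better as one description of the source credential followed by the common assume-role step. "This can also be referred to as standard credential but then STS assume role based on STS Params on Task" and "which is Saas" need rewording ("which in SaaS").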
@@ -47,12 +54,15 @@ The proxy field should point to the AWS loadbalancer or a proxy server that forw
47
54
 
48
55
  Region can be important as it is the region in which the STS assume role request will be processed. Each AWS partition may have one primary region for STS. In our tests, we have found that for the standard partition the STS region should be set to us-east-t but this is configurable should your primary region be different or you are working in a different AWS partition.
49
56
 
57
+ If doing cross organizational role assumption it is recommended to have an external id that is agreed upon for further security. THis external id can be provided in the aws_sts properties (global) or defined in the STS Params object on the task (dynamic).
58
+
50
59
  ```json
51
60
  "authentication": {
52
61
  "aws_sts": {
53
62
  "region": "us-east-1",
54
63
  "endpoint": "<sts certificate endpoint>",
55
64
  "proxy": "<proxy/loadbalancer ip>",
65
+ "externalId": "<sts external id>"
56
66
  }
57
67
  }
58
68
  ```
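Review bot: `externalId` is documented as settable both globally in `aws_sts` and per task in the STS Params object, but the text does not say which value wins when both are set; state the precedence, because the external id is the control against the confused-deputy problem in cross-account assume-role, and a value that is silently ignored gives no protection. "THis" should be "This", the key is camelCase while its siblings `region`, `endpoint` and `proxy` are lowercase, and the context paragraph above still says the STS region should be "us-east-t" where the example shows `us-east-1`.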
@@ -60,6 +70,17 @@ Region can be important as it is the region in which the STS assume role request
60
70
  ### AWS IAM Role
61
71
  The AWS Cognito Identity Provider adapter also supports AWS IAM Role Authentication. For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and provide the role's ARN in the RoleName variable. In addition to passing the IAM Role in the task, it is possible to set an IAM Role in the Service Instance Configuration by using the `aws_iam_role` property in the authentication section and providing the role's ARN.
62
72
 
73
+ This can also be referred to as role signing scenarios - need to have either a Task Role (roleName) and/or Adapter Role (aws_iam_role) to use ay of these scenarios.
74
+
75
+ Scenarios:
76
+ - IAM to internal AWS Server - either Task Role (roleName) or Adapter Role (aws_iam_role)
77
+ - Adapter Role (aws_iam_role) assumes Task Role (STSParams or roleName)
78
+ - IAM to internal AWS Server for Adapter Role
79
+ - AWS STS for assuming Task Role(s) using Adapter Role
80
+ - Pod Role assumes Adapter Role (aws_iam_role) assumes Task Role (STSParams, RoleName)
81
+ - AWS STS for assuming Adapter Role using AWS Environment (Pod Role)
82
+ - AWS STS for assuming Task Role(s) using Adapter Role
83
+
63
84
  ```json
64
85
  "authentication": {
65
86
  "auth_method": "aws_authentication",
@@ -83,7 +104,7 @@ Create a new role and attach to it policies:
83
104
  - Create a role:
84
105
  ```text
85
106
  Trusted entity type: AWS service
86
- Use Case: cognito-idp
107
+ Use Case: Cognito Identity Provider
87
108
  ```
88
109
 
89
110
  Add desired policies to the role.
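Review bot: the label change is fine, but "Trusted entity type: AWS service" produces a trust policy that lets the Cognito service assume the role, whereas the IAM Role section above describes the adapter credentials or Pod Role assuming this role through `aws_iam_role` or `roleName`; that use requires a trust policy naming the assuming principal (the account or Pod Role) instead. The steps should say which trust relationship to pick for each scenario, and for cross-account assumption mention the external id condition introduced in the STS section.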
package/CHANGELOG.md CHANGED
@@ -1,4 +1,20 @@
1
1
 
2
+ ## 0.1.3 [11-17-2024]
3
+
4
+ * fix targets - were missing .
5
+
6
+ See merge request itentialopensource/adapters/adapter-aws_cognito_identity_provider!3
7
+
8
+ ---
9
+
10
+ ## 0.1.2 [11-11-2024]
11
+
12
+ * more auth changes
13
+
14
+ See merge request itentialopensource/adapters/adapter-aws_cognito_identity_provider!2
15
+
16
+ ---
17
+
2
18
  ## 0.1.1 [11-04-2024]
3
19
 
4
20
  * initial commits
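Review bot: "* fix targets - were missing ." ends in a dangling "missing ." and does not say what the targets were missing, and "* more auth changes" omits the user-visible additions in this diff (the `externalId` STS property and the rewritten IAM role scenarios); a changelog entry should name any change a user must act on, particularly a new authentication property.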
@@ -6,4 +22,3 @@
6
22
  See merge request itentialopensource/adapters/adapter-aws_cognito_identity_provider!1
7
23
 
8
24
  ---
9
-