Profile picture
, 8 tweets, 2 min read
My Authors
Read all threads
AWS has been adding a lot of features to use OAuth directly with API Gateway, skipping Cognito Identity Pools and AWS IAM. I think this is regressive. A lot of useful functionality is coming out of it, but we should hope to get that IAM-side instead.
For example, using OAuth, you can define allowed scopes on a given route (resource+method). Now you've got attribute-based access control in your app. Great! Except all the excellent tooling around AWS IAM is no longer available to you.
Or, you can use a Lambda authorizer to create a policy based on the token contents. It's super flexible, you can accomplish complicated authorization scenarios. But now you own the authorization system, including all the security monitoring and operations associated with that.
The governance part is more important, but more subtle difference is that you're using a bearer token. A JWT that asserts identity but contains no proof it hasn't changed hands. With AWS IAM, SigV4 signing proves for every call that the caller has the secret access key.
Give us the right capabilities to stay in IAM. Let me turn attributes in Cognito User Pools into session tags through Cognito Identity. Let me tag API Gateway resources and methods, so I can leverage that in IAM policies. Let me compare path & query params against principal tags.
Fundamentally, give us the tools to stay with a fully managed authorization system, rather than pushing that responsibility back onto us. Authorization is hard to get right and bad to get wrong.
To clarify, an example: IAM has added capabilities like attribute-based access control through session tags. Cognito has added ABAC thru OAuth scopes. I know it's nontrivial to add session tags to Cognito. I'm arguing for putting in the effort. (thanks @hotgazpacho for feedback)
@hotgazpacho I should say, it's the combination of session tags in Cognito and tags on more resources (routes, methods, etc.) in API Gateway, and the ability to leverage those tags in policies (I guess the resourceTag set is the overlay of the various hierarchical resources involved)
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Ben Kehoe

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ben11kehoe see all

Profile picture
Ben Kehoe
@ben11kehoe
Extra excited about this now. sso:GetRoleCredentials takes account and role name parameters (weird that it's not a role ARN but whatever). This looks to me like the client is in control of what IAM principal the user will become. This is a good thing! ⏬1/9
A great enabling capability for an org is creating single page apps w/ serverless backends, and now with these APIs in JS those apps can use SSO. One of the difficulties with these apps is that there may be many copies of a given app, for dev or just in many different accts 2/9
You should be able to stand up a copy of an app, go to its front page, and log in with SSO. But most SSO flows assume well-known URLs that you give to the SSO system. But with these AWS SSO APIs/Device Flow, that's no longer a problem. 3/9
Read 10 tweets
Profile picture
Ben Kehoe
@ben11kehoe
The future of #serverless is not stateful compute. It's computeful state.
Instead of trying to shoehorn statefulness into our current stateless compute models, we should be thinking about how to bring our code closer to our data. Lambda with EBS attached is bad. Paradigms more like handing code directly to S3 to run on all your objects.
People saying “this is just stored procedures” are like the people saying “Lambda is just cgi-bin”. Sure, superficially they’ve got the same model, but the details result in very different characteristics.
Read 3 tweets
Profile picture
Ben Kehoe
@ben11kehoe
One of @awscloud's biggest weaknesses is that while product teams strive to create great experiences for their services, AWS users have to use many teams' services and there's very little accountability for the cross-AWS-team experience.
AWS is the best in the world at creating autonomous teams. We’re asking AWS to figure out how to scale their customer obsession in a way that cross-team feedback is appropriately prioritized.
We’re glad docs are in GitHub, but we want PRs to get addressed faster. We shouldn’t have to go to 90 individual teams to beg them to do that! There should be customer advocates at AWS that see what we see, and are empowered to help make it happen
Read 6 tweets

Related threads

Profile picture
Helen
@helenanders26
(1/28)

It’s time for a thread, an #AWS thread, to make sure you know your CloudFront from CloudTrail, and Athena from Aurora … with a little help from the #devcommunity

👇
(2/28)

A is for Alarm

If you are new to #AWS and are using the free tier you may want to add a #CloudWatch Billing Alarm to make sure you don't run into any unexpected charges.

Learn more about CloudWatch with @kylegalbraith

dev.to/kylegalbraith/…
@kylegalbraith (3/28)

B is for Bucket

#AWS #S3 buckets store objects, similar to files and folders on your local machine.

Learn more about S3 with @DavidOjedaL

dev.to/david_ojeda/aw…
Read 28 tweets
Profile picture
Kirk Borne
@KirkDBorne
Love the simplicity of #Serverless #FaaS (Function-as-a-Service) but hate the setup process? Look to these 7 open source projects to ease #AWS Lambda deployments: dy.si/M3VJd
———
#BigData #StreamingAnalytics #Cloud #DataScience #MachineLearning #IFTTT #EventDriven #AI
13 free tools for #API design, development, & testing — for example, Amazon API Gateway allows you to build front-end APIs for applications built on Amazon EC2, #AWS Lambda, or any web application:
dy.si/1VTf942
————
#microservices #cloud #serverless #FaaS #coding #IoT
#IFTTT alternatives for developers of #EventDriven workflows: dy.si/ZorG2N
————
#IoT #EdgeAnalytics #EdgeComputing #Microservices #DataScience #BigData #FaaS #ML
————
+See the book “AWS Lambda in Action: Event-driven #Serverless Applications” at amzn.to/2YFDSO8
Read 4 tweets
Profile picture
Ching Jui Young
@youngchingjui
Hey all, I’m doing a weekly twitter standup, mostly for myself. But if you or anyone else would like to join, feel free to ping me. I’m thinking a weekly basis won’t be too time consuming. Pick a day of the week, and I’ll @ you to remind you. #weeklytwitterstandup
Did last week:
✅ finally built script to track usage of my servers. It’s a python script uploaded to AWS lambda. The script pings my half-dozen servers for data usage and writes the data onto 1) a MySQL server hosted on AWS RDS, 2) BigQuery database, and 3) google sheets
✅ built a dashboard on server usage data using Tableau public. I now have the dashboard scrolling on my Life Flips app.
Read 31 tweets
Profile picture
ramnishkalsi
@ramnishkalsi
Preparing for AWS exams?
Read this thread:
The user can configure SQS, which will decouple the call between the EC2 application and S3. Thus, the application does not keep waiting for S3 to provide the data.
1/n
Auto Scaling enables you to follow the demand curve for your applications closely, reducing the need to manually provision Amazon EC2 capacity in advance.
2/n
Read 554 tweets

Trending hashtags

#DataScience #digging #QAnons #PatriotsUnited #akiva #someone #themoreyourknow #RedPilling #edge #Redshift #PatriotsAwakened #Patriots #evolution #weeklytwitterstandup #camera #educateyourself #AWS #identity #FullArmorPatriots #Thiruvananthpuram #Soldiers #multiple #LokSabhaElections2019 #GoogleSheets #EC2
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!