Federated customers of Amazon OpenSearch Service usually want entry to OpenSearch Dashboards with roles based mostly on their person profiles. OpenSearch Service fine-grained entry management maps authenticated customers to OpenSearch Search roles after which evaluates permissions to find out how you can deal with the person’s actions. Nonetheless, when an enterprise-wide id supplier (IdP) manages the customers, the mapping of customers to OpenSearch Service roles usually must occur dynamically based mostly on IdP person attributes. One choice to map customers is to make use of OpenSearch Service SAML integration and move person group info to OpenSearch Service. Another choice is Amazon Cognito role-based entry management, which helps rule-based or token-based mappings. However neither strategy helps arbitrary position mapping logic. For instance, when it’s worthwhile to interpret multivalued person attributes to establish a goal position.
This submit reveals how one can implement customized position mappings with an Amazon Cognito pre-token technology AWS Lambda set off. For our instance, we use a multivalued attribute offered over OpenID Join (OIDC) to Amazon Cognito. We present how you might be in full management of the mapping logic and means of such a multivalued attribute for AWS Id and Entry Administration (IAM) position lookups. Our strategy is generic for OIDC-compatible IdPs. To make this submit self-contained, we use the Okta IdP for instance to stroll by the setup.
Overview of answer
The offered answer intercepts the OICD-based login course of to OpenSearch Dashboards with a pre-token technology Lambda operate. The login to OpenSearch Dashboards with a third-party IdP and Amazon Cognito as an middleman consists of a number of steps:
- First, the preliminary person request to OpenSearch Dashboard is redirected to Amazon Cognito.
- Amazon Cognito redirects the request to the IdP for authentication.
- After the person authenticates, the IdP sends the id token (ID token) again to Amazon Cognito.
- Amazon Cognito invokes a Lambda operate that modifies the obtained token. We use an Amazon DynamoDB desk to carry out position mapping lookups. The modified token now incorporates the IAM position mapping info.
- Amazon Cognito makes use of this position mapping info to map the person to the desired IAM position and offers the position credentials.
- OpenSearch Service maps the IAM position credentials to OpenSearch roles and applies fine-grained permission checks.
The next structure outlines the login movement from a person’s perspective.
On the backend, OpenSearch Dashboards integrates with an Amazon Cognito person pool and an Amazon Cognito id pool in the course of the authentication movement. The steps are as follows:
- Authenticate and get tokens.
- Search for the token attribute and IAM position mapping and overwrite the Amazon Cognito attribute.
- Alternate tokens for AWS credentials utilized by OpenSearch dashboards.
The next structure reveals this backend perspective to the authentication course of.
Within the the rest of this submit, we stroll by the configurations essential for an authentication movement through which a Lambda operate implements customized position mapping logic. We offer pattern Lambda code for the mapping of multivalued OIDC attributes to IAM roles based mostly on a DynamoDB lookup desk with the next construction.
| OIDC Attribute Worth | IAM Function |
("attribute_a","attribute_b") |
arn:aws:iam::<aws-account-id>:position/<role-name-01> |
("attribute_a","attribute_x") |
arn:aws:iam::<aws-account-id>:position/<role-name-02> |
The high-level steps of the answer offered on this submit are as follows:
- Configure Amazon Cognito authentication for OpenSearch Dashboards.
- Add IAM roles for mappings to OpenSearch Service roles.
- Configure the Okta IdP.
- Add a third-party OIDC IdP to the Amazon Cognito person pool.
- Map IAM roles to OpenSearch Service roles.
- Create the DynamoDB attribute-role mapping desk.
- Deploy and configure the pre-token technology Lambda operate.
- Configure the pre-token technology Lambda set off.
- Take a look at the login to OpenSearch Dashboards.
Conditions
For this walkthrough, you must have the next stipulations:
- An AWS account with an OpenSearch Service area.
- A 3rd-party IdP that helps OpenID Join and provides a multivalued attribute within the authorization token. For this submit, we use
attributes_arrayas this attribute’s title and Okta as an IdP supplier. You’ll be able to create an Okta Developer Version free account to check the setup.
Configure Amazon Cognito authentication for OpenSearch Dashboards
The modification of authentication tokens requires you to configure the OpenSearch Service area to make use of Amazon Cognito for authentication. For directions, consult with Configuring Amazon Cognito authentication for OpenSearch Dashboards.
The Lambda operate implements customized position mappings by setting the cognito:preferred_role declare (for extra info, consult with Function-based entry management). For the right interpretation of this declare, set the Amazon Cognito id pool to Select position from token. The Amazon Cognito id pool then makes use of the worth of the cognito:preferred_role declare to pick the right IAM position. The next screenshot reveals the required settings within the Amazon Cognito id pool that’s created in the course of the configuration of Amazon Cognito authentication for OpenSearch Service.
Add IAM roles for mappings to OpenSearch roles
IAM roles used for mappings to OpenSearch roles require a belief coverage in order that authenticated customers can assume them. The belief coverage must reference the Amazon Cognito id pool created in the course of the configuration of Amazon Cognito authentication for OpenSearch Service. Create at the very least one IAM position with a customized belief coverage. For directions, consult with Creating a task utilizing customized belief insurance policies. The IAM position doesn’t require the attachment of a permission coverage. For a pattern belief coverage, consult with Function-based entry management.
Configure the Okta IdP
On this part, we describe the configuration steps to incorporate a multivalued attribute_array attribute within the token offered by Okta. For extra info, consult with Customise tokens returned from Okta with customized claims. We use the Okta UI to carry out the configurations. Okta additionally offers an API that you should utilize to script and automate the setup.
Step one is including the attributes_array attribute to the Okta person profile.
- Use Okta’s Profile Editor underneath Listing, Profile Editor.
- Choose Person (default) after which select Add Attribute.
- Add an attribute with a show title and variable title
attributes_arrayof kind string array.
The next screenshot reveals the Okta default person profile after the customized attribute has been added.
- Subsequent, add
attributes_arrayattribute values to customers utilizing Okta’s person administration interface underneath Listing, Individuals. - Choose a person and select Profile.
- Select Edit and enter attribute values.
The next screenshot reveals an instance of attributes_array attribute values inside a person profile.
The following step is including the attributes_array attribute to the ID token that’s generated in the course of the authentication course of.
- On the Okta console, select Safety, API and choose the
defaultauthorization server. - Select Claims and select Add Declare so as to add the
attributes_arrayattribute as a part of the ID token. - Because the scope, enter
openidand because the attribute worth, enterperson.attributes_array.
This references the beforehand created attribute in a person’s profile.
- Subsequent, create an utility for the federation with Amazon Cognito. For directions, consult with How do I arrange Okta as an OpenID Join id supplier in an Amazon Cognito person pool.
The final step assigns the Okta utility to Okta customers.
- Navigate to Listing, Individuals, choose a person, and select Assign Functions.
- Choose the applying you created within the earlier step.
Add a third-party OIDC IdP to the Amazon Cognito person pool
We’re implementing the position mapping based mostly on the data offered in a multivalued OIDC attribute. The authentication token wants to incorporate this attribute. In the event you adopted the beforehand described Okta configuration, the attribute is routinely added to the ID token of a person. In the event you used one other IdP, you may need to request the attribute explicitly. For this, add the attribute title to the Approved scopes record of the IdP in Amazon Cognito.
For directions on how you can arrange the federation between a third-party IdP and an Amazon Cognito person pool and how you can request extra attributes, consult with Including OIDC id suppliers to a person pool. For an in depth walkthrough for Okta, consult with How do I arrange Okta as an OpenID Join id supplier in an Amazon Cognito person pool.
After requesting the token through OIDC, it’s worthwhile to map the attribute to an Amazon Cognito person pool attribute. For directions, consult with Specifying id supplier attribute mappings on your person pool. The next screenshot reveals the ensuing configuration on the Amazon Cognito console.
Map IAM roles to OpenSearch Service roles
Upon login, OpenSearch Service maps customers to an OpenSearch Service position based mostly on the IAM position ARN set within the cognito:preferred_role declare by the pre-token technology Lambda set off. This requires a task mapping in OpenSearch Service. So as to add such position mappings to IAM backend roles, consult with Mapping roles to customers. The next screenshot reveals a task mapping on the OpenSearch Dashboards console.
Create the attribute-role mapping desk
For this answer, we use DynamoDB to retailer mappings of customers to IAM roles. For directions, consult with Create a desk and outline a partition key named Key of kind String. You want the desk title within the subsequent step to configure the Lambda operate.
The following step is writing the mapping info into the desk. A mapping entry consists of the next attributes:
- Key – A string that incorporates attribute values in comma-separated alphabetical order
- RoleArn – A string with the IAM position ARN to which the attribute worth mixture ought to be mapped
For particulars on how you can add knowledge to a DynamoDB desk, consult with Write knowledge to a desk utilizing the console or AWS CLI.
For instance, if the beforehand configured OIDC attribute attributes_array incorporates three values, attribute_a, attribute_b, and attribute_c, the entry within the mapping desk seems to be like desk line 1 within the following screenshot.
Deploy and configure the pre-token technology Lambda operate
A Lambda operate implements the customized position mapping logic. The Lambda operate receives an Amazon Cognito occasion as enter and extracts attribute info out of it. It makes use of the attribute info for a lookup in a DynamoDB desk and retrieves the worth for cognito:preferred_role. Observe the steps in Getting began with Lambda to create a Node.js Lambda operate and insert the next supply code:
The Lambda operate expects three setting variables. Seek advice from Utilizing AWS Lambda setting variables for directions so as to add the next entries:
- TABLE_NAME – The title of the beforehand created DynamoDB desk. This desk is used for the lookups.
- UNAUTHORIZED_ROLE – The ARN of the IAM position that’s used when no mapping is discovered within the lookup desk.
- USER_POOL_ATTRIBUTE – The Amazon Cognito person pool attribute used for the IAM position lookup. In our instance, this attribute is called
customized:attributes_array.
The next screenshot reveals the ultimate configuration.
The Lambda operate wants permissions to entry the DynamoDB lookup desk. Set permissions as follows: connect the next coverage to the Lambda execution position (for directions, consult with Lambda execution position) and supply the Area, AWS account quantity, and DynamoDB desk title:
The configuration of the Lambda operate is now full.
Configure the pre-token technology Lambda set off
As remaining step, add a pre-token technology set off to the Amazon Cognito person pool and reference the newly created Lambda operate. For particulars, consult with Customizing person pool workflows with Lambda triggers. The next screenshot reveals the configuration.
This step completes the setup; Amazon Cognito now maps customers to OpenSearch Service roles based mostly on the values offered in an OIDC attribute.
Take a look at the login to OpenSearch Dashboards
The next diagram reveals an exemplary login movement and the corresponding screenshots for an Okta person user1 with a person profile attribute attribute_array and worth: ("attribute_a", "attribute_b", "attribute_c").
Clear up
To keep away from incurring future expenses, delete the OpenSearch Service area, Amazon Cognito person pool and id pool, Lambda operate, and DynamoDB desk created as a part of this submit.
Conclusion
On this submit, we demonstrated how you can arrange a customized mapping to OpenSearch Service roles utilizing values offered through an OIDC attribute. We dynamically set the cognito:preferred_role declare utilizing an Amazon Cognito pre-token technology Lambda set off and a DynamoDB desk for lookup. The answer is able to dealing with dynamic multivalued person attributes, however you possibly can lengthen it with additional utility logic that goes past a easy lookup. The steps on this submit are a proof of idea. In the event you plan to develop this right into a productive answer, we advocate implementing Okta and AWS safety greatest practices.
The submit highlights only one use case of how you should utilize Amazon Cognito help for Lambda triggers to implement customized authentication wants. In the event you’re enthusiastic about additional particulars, consult with How you can Use Cognito Pre-Token Era set off to Customise Claims In ID Tokens.
In regards to the Authors
Stefan Appel is a Senior Options Architect at AWS. For 10+ years, he helps enterprise clients undertake cloud applied sciences. Earlier than becoming a member of AWS, Stefan held positions in software program structure, product administration, and IT operations departments. He started his profession in analysis on event-based programs. In his spare time, he enjoys mountain climbing and has walked the size of New Zealand following Te Araroa.
Modood Alvi is Senior Options Architect at Amazon Net Companies (AWS). Modood is obsessed with digital transformation and is dedicated serving to giant enterprise clients throughout the globe speed up their adoption of and migration to the cloud. Modood brings greater than a decade of expertise in software program growth, having held numerous technical roles inside firms like SAP and Porsche Digital. Modood earned his Diploma in Pc Science from the College of Stuttgart.
