serverless-app-client-credentials-to-ssm

A Serverless plugin to export Cognito app client credentials to SSM Parameter store for µservice

Background

Amazon Cognito is a powerful service for application authentication, authorization, and user management. When working with µservice applications, we can use AWS Cognito user pool authentication to implement a fine-grained service-to-service access control where each service has a dedicated resource server with pre-defined scopes for its resources(API Gateway, Lambda etc), and a dedicated app client with limited scopes it needs to access external resources.

This service-to-service interaction normally starts with a user pool sign-in with the app client credentials where a JWT token will be returned from Cognito to the initiator for external resource access. We used to copy the app client credentials from AWS console and put to the configuration for each µservice manually. With the increasing number of µservices, we need a tool to do this securely and automatically for us.

How it works

A Serverless "hook" will be triggered after the deployment to pull the app client credentials includes url, clientId, and clientSecret which will be merged as part of the application configuration(auth.cognito) stored in the configured SSM parameter.

Note:

  • Only when there are changes for any of these three fields will this plugin update the SSM parameter.
  • For security reason, SecurityString parameter with the default AWS account key is used here.

Installation

npm install serverless-app-client-credentials-to-ssm --save-dev

Configuration

plugin registration

Inside your project's serverless.yml file add following entry to the plugins section:

plugins:
- serverless-app-client-credentials-to-ssm

plugin configuration

Then you need to add the plugin configuration to the custom section:

custom:
serverless-app-client-credentials-to-ssm:
userPoolId: ${ssm:/layered-apis/userPoolId}
appClientName: ${self:custom.appClientName}
parameterName: /config/${self:service}-${self:provider.stage}

Sample parameter

{
"auth": {
"cognito": {
"url": "https://asdfafdsa-systems-idp-nonprod.auth.ap-southeast-2.amazoncognito.com/oauth2/token",
"clientId": "h3p4a1sr9pu",
"clientSecret": "s1oglveco0hsfraoag90ebr107rmvo9g7u36h"
}
},
"database": {
...
}
}

License

MIT

Contribute

Yes, highly appreciate for any PRs. Thank you!