
2. Demos

This may be deleted as the same section is in the 1. Notes page

Implement AWS SSO


  1. Navigate to the SSO console in the Management account.
  2. Click Enable SSO.
     a. I got a "rate exceeded" error, so I refreshed and tried again.
  3. You can change the portal URL to something more useful.
  4. Under the AWS SSO page, click permission sets.
  5. Click Create permission set, select AdministratorAccess, click Next, add some tags, and then click Create permission set. Repeat for each permission set you need; the demo uses four.

You can also set the session duration for a permission set. I chose 12 hours.

Create a User


  1. Click on Users on the left and then click New User.
  2. Enter the user's details and then click Next.
  3. We don't have any groups yet, so click New Group and create one.
  4. Once the user is created, they are sent an invitation email with a link to accept the invitation and set up their login.

Assigning Permissions


  1. Click AWS Accounts and then select all of the accounts that you want this user (via their group) to have access to.
  2. Click Assign Users.
  3. Click the Groups tab and select the appropriate group.
  4. Click Next and then select the permission set for that group.

Testing Access


  1. Open the user portal URL and log in as the user.
  2. The user should see the accounts in your AWS Organization that they were assigned, with the permission set(s) available in each.

Set Up MFA


  1. Click MFA devices at the top of the user portal.
  2. Choose the registration type (an authenticator app for this demo).
  3. Scan the QR code with the app.
  4. Finish setting up MFA.
  5. Sign out and sign back in to confirm you are prompted for the MFA code.

Congrats: you now have AWS SSO enabled in the management account, with users in groups, permission sets assigned across the organization's accounts, and MFA registered for the test user.

Using Web Identity Federation


  1. Log into the Development account

  2. Create a CloudFormation Stack from this link: https://learn-cantrill-labs.s3.amazonaws.com/aws-cognito-web-identity-federation/WEBIDF.yaml

  3. Navigate to the S3 bucket called appbucket

  4. Copy the bucket website endpoint from the bucket.

  5. If you paste that into your browser, you should see a Google Sign-in button, but since nothing has been wired up yet, signing in will not work.

  6. At this point you simply have the HTML and JavaScript loaded in the browser. That's it for now.

Setup Google Project


  1. Navigate to this link: https://console.developers.google.com/apis/credentials
  2. Click Create Project.
  3. I named mine solosidf but you can name it whatever you'd like.
  4. Click on Configure Consent Screen
  5. Choose whether this is an internal or an external app. Ours is external for now, so select External and click Create.
  6. Enter the app name and your email, then click Save and Continue.
  7. On the scopes screen, click Save and Continue
  8. On the Test Users screen, click Save and continue and then on the summary screen, click Back to Dashboard.

Google Credentials


  1. Click Credentials on the left
  2. Click Create Credentials and select OAuth Client ID.
  3. Select Web Application and rename the app.
  4. Navigate back to the S3 Bucket and copy that Bucket Website Endpoint
  5. Paste it into the Authorized JavaScript origins field.
  6. Click Create
  7. Copy the Client ID (and the Client Secret) somewhere safe. Only the Client ID is used by this demo; the secret must never go into the static site's JavaScript, because anything served from the bucket is readable by every visitor.

Configure AWS Cognito


  1. Navigate to the Cognito console in AWS.
  2. Click Manage Identity Pools.
  3. Click New Pool.
  4. Name this pool.
  5. Scroll down to Authentication providers, open the Google+ tab, and paste in the Google Client ID that you saved earlier.
  6. Click Create.
  7. Note the fields here: Cognito will create two new IAM roles, one for authenticated identities and one for unauthenticated identities. Keep the auto-populated names.
  8. Click Allow.
  9. Copy the Identity Pool ID highlighted in red on the next screen. This is the value the role trust policy and the app's JavaScript must match.
  10. Click Go To Dashboard.

Configure IAM Role


  1. Navigate back to the IAM console and go to Roles.
  2. You should have two new roles, one for authenticated and one for unauthenticated identities.
  3. Click on the Auth_Role.
  4. Click on the Trust Relationships tab.
  5. What you see here is that the role is trusted by the cognito-identity.amazonaws.com federated principal for sts:AssumeRoleWithWebIdentity, AND a condition requires cognito-identity.amazonaws.com:aud to equal the identity pool ID. Remember what we copied in red? That's the value. Without that condition, any identity pool in any AWS account could assume this role.
  6. On the Permissions tab, notice you have a default policy attached.
  7. Attach the private permissions policy created by the stack.
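The trust policy on Auth_Role is the control that stops other identity pools (and guest identities from this pool) from assuming the role, so it is worth checking rather than just glancing at. The block below is an added example, not code from these notes or from the lab's stack: it builds the trust policy that Cognito generates for an authenticated role and audits an arbitrary trust policy document for the two scoping conditions. The identity pool ID is a made-up placeholder.

```javascript
// Added example, not from the notes or the lab's own files: the trust policy Cognito
// generates for the *authenticated* role of an identity pool, plus a small audit that
// flags a trust policy missing the conditions that scope it. The pool ID is made up.
const IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"; // assumed placeholder

// What the Auth_Role's Trust Relationships tab shows, as a JS object.
function authRoleTrustPolicy(identityPoolId) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { Federated: "cognito-identity.amazonaws.com" },
        Action: "sts:AssumeRoleWithWebIdentity",
        Condition: {
          // aud = the pool ID: only identities from THIS pool may assume the role
          StringEquals: { "cognito-identity.amazonaws.com:aud": identityPoolId },
          // amr = authenticated: only identities that signed in via a provider, not guests
          "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
        },
      },
    ],
  };
}

// IAM allows scalar-or-array in most places; normalise to an array.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Return the problems found in a trust policy for a Cognito authenticated role.
function auditCognitoTrust(policy, expectedPoolId) {
  const findings = [];
  for (const stmt of asList(policy.Statement)) {
    if (stmt.Effect !== "Allow") continue;
    const federated = asList(stmt.Principal && stmt.Principal.Federated);
    if (!federated.includes("cognito-identity.amazonaws.com")) continue;

    const cond = stmt.Condition || {};
    const aud = asList((cond.StringEquals || {})["cognito-identity.amazonaws.com:aud"]);
    if (aud.length === 0) {
      findings.push("no aud condition: any identity pool in any AWS account could assume this role");
    } else if (!aud.includes(expectedPoolId)) {
      findings.push(`aud condition ${JSON.stringify(aud)} does not include ${expectedPoolId}`);
    }

    const amr = asList((cond["ForAnyValue:StringLike"] || {})["cognito-identity.amazonaws.com:amr"]);
    if (!amr.includes("authenticated")) {
      findings.push("no amr=authenticated condition: unauthenticated (guest) identities could assume this role");
    }
  }
  return findings;
}

// Constructed counter-example: trusts Cognito with no Condition block at all.
const OVERLY_BROAD_TRUST = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Principal: { Federated: "cognito-identity.amazonaws.com" },
      Action: "sts:AssumeRoleWithWebIdentity",
    },
  ],
};

console.log(JSON.stringify(authRoleTrustPolicy(IDENTITY_POOL_ID), null, 2));
console.log(auditCognitoTrust(authRoleTrustPolicy(IDENTITY_POOL_ID), IDENTITY_POOL_ID)); // []
console.log(auditCognitoTrust(OVERLY_BROAD_TRUST, IDENTITY_POOL_ID));                  // two findings
```

Run it with `node` and paste the JSON from the Trust Relationships tab into `auditCognitoTrust` to check a real role. The aud check is the one that matters across accounts; the amr check is what separates the authenticated role from the unauthenticated one.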

Update the HTML and JavaScript


  1. Navigate to the appbucket s3 bucket
  2. Download the two files and open them in your text editor of choice
  3. Replace the three lines in those files that need your values, save them, and reupload them to the S3 bucket.
  4. Grab the bucket website endpoint from the static website hosting section.
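What the page's JavaScript does after Google returns an ID token is two unsigned calls to the Cognito Identity service: GetId (token in, identity ID out) and GetCredentialsForIdentity (identity ID plus token in, temporary AWS credentials out). The AWS SDK's CognitoIdentityCredentials helper makes the same two calls. The block below is an added example, not the lab's WEBIDF.yaml app code or the SDK; it writes the exchange against Cognito's JSON API directly so the messages on both sides are visible. The region, identity pool ID and tokens are assumed placeholders, and `fetchImpl` is injectable so the flow can be exercised offline.

```javascript
// Added example, not the lab's own JavaScript: the request/response exchange the app performs
// after Google sign-in, against the Cognito Identity JSON API. Region, pool ID and token
// values are made-up placeholders.
const REGION = "us-east-1";                                                // assumed
const IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"; // assumed
const GOOGLE_PROVIDER = "accounts.google.com"; // the Logins key Cognito expects for Google

const ENDPOINT = `https://cognito-identity.${REGION}.amazonaws.com/`;

// Build an unsigned JSON request for one Cognito Identity operation.
function cognitoRequest(operation, body) {
  return {
    url: ENDPOINT,
    method: "POST",
    headers: {
      "Content-Type": "application/x-amz-json-1.1",
      "X-Amz-Target": `AWSCognitoIdentityService.${operation}`,
    },
    body: JSON.stringify(body),
  };
}

// Step 1: exchange the Google ID token for an identity ID inside the pool.
function getIdRequest(idToken) {
  return cognitoRequest("GetId", {
    IdentityPoolId: IDENTITY_POOL_ID,
    Logins: { [GOOGLE_PROVIDER]: idToken },
  });
}

// Step 2: exchange the identity ID (plus the same token) for temporary AWS credentials.
// The role Cognito assumes on our behalf is the Auth_Role whose trust policy was inspected above.
function getCredentialsRequest(identityId, idToken) {
  return cognitoRequest("GetCredentialsForIdentity", {
    IdentityId: identityId,
    Logins: { [GOOGLE_PROVIDER]: idToken },
  });
}

// Pick out the fields the S3 client needs and refuse anything that is not a full set.
function parseCredentials(response) {
  const c = response && response.Credentials;
  if (!c || !c.AccessKeyId || !c.SecretKey || !c.SessionToken) {
    throw new Error("Cognito response did not contain a complete credential set");
  }
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretKey,              // Cognito names this field SecretKey
    sessionToken: c.SessionToken,
    expiration: new Date(c.Expiration * 1000), // JSON protocol timestamps are epoch seconds
  };
}

// The full exchange. fetchImpl defaults to the browser's/Node's fetch.
async function federate(idToken, fetchImpl = globalThis.fetch) {
  const send = async (req) => {
    const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
    if (!res.ok) throw new Error(`Cognito returned HTTP ${res.status}`);
    return res.json();
  };
  const { IdentityId } = await send(getIdRequest(idToken));
  const credentials = parseCredentials(await send(getCredentialsRequest(IdentityId, idToken)));
  return { identityId: IdentityId, credentials };
}

console.log(JSON.stringify(getIdRequest("<google id token>"), null, 2));
```

Note what is and is not on the wire: the Google Client ID is embedded in the page, but the client secret never appears, and the only secret material (the ID token) is one Google issued to this user. The credentials that come back are short-lived and scoped by the policies attached to Auth_Role, which is why the private-bucket images load only after sign-in.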

Test this thing out


  1. Paste the URL into an incognito browser session
  2. Click Sign in
  3. Enter your credentials for your google account
  4. Click sign in
  5. You should be taken to a page that shows you are signed in and should show the images from the private S3 bucket.

Clean Up


  1. Go to google and delete the project
  2. Navigate back to Cognito and delete the identity pool
  3. Navigate to IAM and delete the two roles that were created
  4. Delete the stack.

AWS Workspaces with a Directory Service


Setup and Directory Creation

  1. In your development account, create a new stack from the yaml located here: 04-AdvancedIdentitiesAndFederation\03_Workspaces_with_DirectoryServices\DEMOSETUP
  2. Once that is completed, go to the Workspaces service console
  3. Click Get Started and then click Launch next to advanced setup.
  4. Click Simple AD, as we don't want to spin up a full Managed Microsoft AD for this demo.
  5. Click Small, as we'll only set up a couple of users.
  6. Enter the name and the Admin password for this directory. Click Next.
  7. Select the AppA and AppB subnets, then click Next to review and then Create.

Create Workspaces


  1. Once this is in an Active state, click on workspaces on the left.
  2. Select the VPC and two of the App subnets
  3. Toggle WorkDocs and self-service permissions to off and click Next Step.
  4. Create your username using a personal email address. You'll get emailed some setup steps.
  5. Click next and select your OS and VDI size
  6. At the bottom, you can select specific sizes of your volumes.
  7. Select AutoStop and leave it at One Hour.
  8. You can select KMS encryption for the volumes here if needed, but to keep it simple, scroll down, select Next Step and then Launch WorkSpaces.

Access Workspace


  1. You'll get an email when the WorkSpace has been provisioned.
  2. Set up your password for the user (this is separate from the directory Administrator password).
  3. Download the WorkSpaces client and install it.
  4. Open Amazon WorkSpaces on your machine.
  5. Enter the registration code from your email. You'll be taken to the login screen.
  6. Once you're logged in, you'll see your newly provisioned WorkSpace, hopefully not as small as mine.

Clean Up


  1. Remove the WorkSpaces.
  2. Remove the directory by deregistering it and then deleting it.
  3. Delete the stack.