AWS GovCloud application load balancer authenticate rule with Cognito
In the commercial AWS cloud (us-west-2) I can create an ALB listener rule on my HTTPS (443) listener that first authenticates against a Cognito user pool (integrated with Azure AD via OIDC) and then, after successful authentication, forwards to EC2 instances.
I tried the same thing in GovCloud (gov-west-1), but there is no option to authenticate with Cognito in the load balancer listener rule, only plain OIDC authentication.
Does this feature exist in GovCloud?
I am specifically talking about the additional "Insert rule" UI shown in the picture. In my GovCloud account (gov-west-2), "Amazon Cognito" is not an option in the "1. Authenticate" dropdown. The only option present is "OIDC".
Unfortunately this feature is not yet available in GovCloud (see this doc on govcloud-differences), but you can achieve the same thing by setting up an OIDC authentication action that points at your Cognito user pool (which is able to act as a standard OIDC provider).
This authentication action requires you to supply the OIDC endpoints, which are described for AWS Cognito on the following documentation page: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html
This does require you to set up a user pool app client, configure a client secret, and create a user pool domain.
Finally, make sure the CallbackURL configured on the Cognito client allows the redirect back to the /oauth2/idpresponse endpoint on the load balancer; for example, for a load balancer at <DNS>, use the CallbackURL https://DNS/oauth2/idpresponse.
When configuring the authentication action you need to provide the following details:
- Authenticate: OIDC
- Issuer: https://cognito-idp.us-gov-west-1.amazonaws.com/us-gov-west-1_abc123
- Authorization endpoint: https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/authorize
- Token endpoint: https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/token
- User info endpoint: https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/userInfo
- Client ID: abcdef123456
- Client secret: hunter7
An example CloudFormation snippet follows:

```yaml
Parameters:
  SessionTimeout:
    Description: The maximum duration of the authentication session, in seconds.
    Type: Number
    Default: 604800 # Seven days (the ALB maximum)
    MinValue: 60
    MaxValue: 604800
  CognitoClientID:
    Description: Client ID from pre-configured cognito environment
    Type: String
    NoEcho: true
  CognitoClientSecret:
    Description: Client Secret from pre-configured cognito environment
    Type: String
    NoEcho: true
  CognitoProviderUrl:
    Description: Provider URL (issuer) from pre-configured cognito environment
    Type: String
  CognitoDomainName:
    Description: Domain Name from pre-configured cognito environment
    Type: String
  TargetGroupArn:
    Description: ARN of the Target Group for forwarding traffic
    Type: String
  ListenerArn:
    Description: ARN of the HTTPS listener the rule is attached to
    Type: String
Conditions:
  # Anything outside the 'aws' partition (e.g. 'aws-us-gov') is treated as GovCloud
  IsGovCloud: !Not [!Equals ['aws', !Ref AWS::Partition]]
Resources:
  AuthenticatedListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      # ListenerArn, Priority and Conditions are required by ListenerRule
      ListenerArn: !Ref ListenerArn
      Priority: 1
      Conditions:
        - Field: path-pattern
          Values: ['/*']
      Actions:
        - Type: authenticate-oidc
          Order: 1
          AuthenticateOidcConfig:
            ClientId: !Ref CognitoClientID
            ClientSecret: !Ref CognitoClientSecret
            Issuer: !Ref CognitoProviderUrl
            # GovCloud user pool domains use the FIPS hosted-UI host
            UserInfoEndpoint:
              Fn::Sub:
                - https://${CognitoDomainName}.${AuthSuffix}.${AWS::Region}.amazoncognito.com/oauth2/userInfo
                - AuthSuffix: !If [IsGovCloud, "auth-fips", "auth"]
            AuthorizationEndpoint:
              Fn::Sub:
                - https://${CognitoDomainName}.${AuthSuffix}.${AWS::Region}.amazoncognito.com/oauth2/authorize
                - AuthSuffix: !If [IsGovCloud, "auth-fips", "auth"]
            TokenEndpoint:
              Fn::Sub:
                - https://${CognitoDomainName}.${AuthSuffix}.${AWS::Region}.amazoncognito.com/oauth2/token
                - AuthSuffix: !If [IsGovCloud, "auth-fips", "auth"]
            OnUnauthenticatedRequest: authenticate
            Scope: openid
            SessionTimeout: !Ref SessionTimeout
        - Type: forward
          Order: 2
          TargetGroupArn: !Ref TargetGroupArn
```

Good luck, and hopefully the GovCloud feature set will be expanded soon.
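As an added example (not part of the answer above), the following Python script derives the endpoint set the ALB rule must use from a region, user pool id and domain prefix, picking the `auth-fips` host for GovCloud as the answer's template does, and checks it against the pool's OIDC discovery document and the app client's callback URL list before deploying. It assumes the discovery document (Cognito serves it at `<issuer>/.well-known/openid-configuration`) has been fetched separately and is passed in as a dict; the one embedded below is constructed from the answer's placeholder values.

```python
# Added example, not from the original answer: pre-deployment consistency check
# for an ALB authenticate-oidc action fronting a Cognito user pool. The discovery
# document is assumed to be fetched elsewhere; SAMPLE_DISCOVERY is constructed.
import re

# region prefix as it appears in a user pool id, e.g. us-gov-west-1_abc123
POOL_ID_RE = re.compile(r"^([a-z]{2}(?:-gov)?-[a-z]+-\d)_[A-Za-z0-9]+$")


def expected_oidc_config(region, pool_id, domain_prefix):
    """Endpoint set the ALB rule must use; GovCloud uses the auth-fips host."""
    m = POOL_ID_RE.match(pool_id)
    if not m or m.group(1) != region:
        raise ValueError(f"pool id {pool_id!r} is not in region {region}")
    suffix = "auth-fips" if region.startswith("us-gov-") else "auth"
    base = f"https://{domain_prefix}.{suffix}.{region}.amazoncognito.com/oauth2"
    return {
        "Issuer": f"https://cognito-idp.{region}.amazonaws.com/{pool_id}",
        "AuthorizationEndpoint": f"{base}/authorize",
        "TokenEndpoint": f"{base}/token",
        "UserInfoEndpoint": f"{base}/userInfo",
    }


def alb_callback_url(alb_dns_name):
    """Redirect URI the app client must allow: the ALB's fixed idpresponse path."""
    return f"https://{alb_dns_name}/oauth2/idpresponse"


def check_deployment(config, discovery, allowed_callbacks, alb_dns_name):
    """Return mismatches between the rule config, the pool's discovery document
    and the app client's callback URL list; an empty list means consistent."""
    pairs = (("Issuer", "issuer"),
             ("AuthorizationEndpoint", "authorization_endpoint"),
             ("TokenEndpoint", "token_endpoint"),
             ("UserInfoEndpoint", "userinfo_endpoint"))
    problems = [f"{k}: rule has {config[k]}, pool advertises {discovery.get(d)}"
                for k, d in pairs if discovery.get(d) != config[k]]
    cb = alb_callback_url(alb_dns_name)
    if cb not in allowed_callbacks:
        problems.append(f"app client callback URLs do not include {cb}")
    return problems


# Constructed sample discovery document using the answer's placeholder values.
SAMPLE_DISCOVERY = {
    "issuer": "https://cognito-idp.us-gov-west-1.amazonaws.com/us-gov-west-1_abc123",
    "authorization_endpoint": "https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/token",
    "userinfo_endpoint": "https://my-cognito-domain.auth-fips.us-gov-west-1.amazoncognito.com/oauth2/userInfo",
}
```

Run `check_deployment(expected_oidc_config(region, pool_id, domain), discovery, client_callback_urls, alb_dns)` and treat any returned entry as a blocker; a missing idpresponse callback is the usual cause of a redirect_mismatch error after the login page.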