# sst
f
Just jumped on a quick zoom call with @Julien Goux to answer some questions about SST. And I want to share what we talked about here in case others find it helpful.

• For Auth, you can choose Cognito User Pool + Cognito Identity Pool, or Auth0 + Cognito Identity Pool. Whichever authentication provider you choose, you have to use Cognito Identity Pool to grant temporary IAM credentials for the authenticated users. Take a look at the sst.Auth construct. It supports the Cognito User Pool + Cognito Identity Pool setup right now. But if anyone needs the Auth0 + Cognito Identity Pool setup, msg me. I will add it in.
• For S3 upload, you should directly upload from your React frontend. Cognito Identity Pool will issue IAM credentials to logged-in users. You can set up IAM permissions such that each logged-in user has their own “folder” in the S3 bucket. Example here.
• For VPC, yes, your Lambdas need to be deployed to a VPC to talk to RDS. If you place the RDS in a private subnet (which is recommended from the security perspective), for your local function (ie. run `sst start`) to access RDS, you’d need to set up a VPN. The easier approach is placing RDS in a public subnet and publicly exposing the port. The latter is easier and cheaper to set up. And the security tradeoff I think is fine if you are developing in a separate AWS account.
• Yes, you can use ALL CDK constructs in SST.
• Yes, SST deploys directly to your AWS account. No 3rd party services in between. The added cost for SST is the communication between your local function and your Lambda function through a websocket API, which is negligible and covered in the free tier. FYI, the pricing for AWS websocket API is $1 per 1M requests beyond the free tier.
k
hi @Frank, we'll be using Auth0 and could benefit from having support for it. Is this something you guys could add quickly, or do you recommend using a workaround for now?
Also, i'm assuming we would have to go through this setup https://auth0.com/docs/integrations/amazon-cognito, right?
f
I can add support for it today or tmr. Would that work for you?
k
that would be great! thank you. We are not super familiar with Cognito, what would you say would be the main benefit of using the identity pool vs not using it? more robust and flexible? in the past we used something similar to this https://github.com/auth0-samples/jwt-rsa-aws-custom-authorizer/blob/master/lib.js#L60, which basically assigned a specific policy
f
From what I understand, when using Auth0 as an authorizer, it only protects the API. And the line of code you highlighted is responsible for granting the IAM permissions for the API.
But often you might want users to have access to other AWS resources apart from the API. A common use case is allowing the frontend to directly upload files to an S3 bucket.
What Cognito Identity Pool does is grant IAM permissions to the users in your frontend.
k
yeah that's what i was thinking, seems more flexible vs assigning only a specific permission
f
yeah.. also easier if you want to switch auth provider at some point
k
yeah that's a good point
what about the question about any necessary setup for auth0? I'm unclear if these steps are for authentication only https://auth0.com/docs/integrations/amazon-cognito
if SST had the Auth0 auth integration, would we have to follow those? or what do you have in mind?
f
You just need to provide the `Provider URL` and `Audience` to `sst.Auth`, and SST will do steps 1 to 6 for you.
You just need to set Algorithm to `RS256` on the Auth0 side according to this doc
k
that would be great 🙌
I'll be working on something else while I wait for this then, please let me know if something comes up and we have to change plans, thanks @Frank