Secrets Manager & Cognito

Last updated 4 years ago

AWS Secrets Manager is a key-value service for safely storing secrets; a secret's value can be a plain-text string or a JSON document. A secret has a name, and that name is its key. Using it successfully relies on a granular IAM permissions scheme that grants each resource access only to the specific secrets it needs.

You can find the Secrets Manager console at this link: https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#

Diagram owner: Sergio Garcia

Team: Data & Technology Services (Sergio Garcia)

Informed: @ Stakeholder, @ Stakeholder

AWS Well-Architected pillars (see the AWS Well Architected Framework PDF):

| Name | Description |
| --- | --- |
| Operational Excellence | The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures. |
| Security | The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. |
| Reliability | The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. |
| Performance Efficiency | The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve. |
| Cost Optimization | The ability to run systems to deliver business value at the lowest price point. |

Goals

  • Keep the encryption secrets safely stored

  • Keep the secrets centralized

Architecture

There is no grand architecture for this service: Python code using the Boto3 library gets access by initializing a session and requesting the service it needs (Secrets Manager). Boto3 then resolves the secret by its name and returns its value.

Whatever process runs the Python code (most likely a Lambda function) needs granular IAM permissions to access the specific secret resources, for example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:295525487728:secret:ATD_MOPED_USERS_COGNITO_DYNAMODB-txVJVP",
                "arn:aws:secretsmanager:us-east-1:295525487728:secret:ATD_MOPED_USERS_COGNITO_DYNAMODB_STAGING-NcR6wu"
            ]
        }
    ]
}

There are four secrets needed to facilitate the authentication process:

| Secret Name | Description | Date Created |
| --- | --- | --- |
| ATD_MOPED_USERS_COGNITO_DYNAMODB | This is the Fernet key used in Python to decrypt strings in the DynamoDB production table. | 9/24/2020 |
| ATD_MOPED_COGNITO_HOOK_ENV_STAGING | This secret is used in GitHub Actions to deploy the Cognito Lambda functions. It contains important environment variables for the staging environment. | 9/23/2020 |
| ATD_MOPED_COGNITO_HOOK_ENV_PRODUCTION | This secret is used in GitHub Actions to deploy the Cognito Lambda functions. It contains important environment variables for the production environment. | 9/23/2020 |
| ATD_MOPED_USERS_COGNITO_DYNAMODB_STAGING | This is the Fernet key used in Python to decrypt strings in the DynamoDB staging table. | 9/23/2020 |

Architecture flow

This process assumes the Lambda trigger running the Python code has the IAM permissions to execute and to access the specific secrets.

  1. The Lambda executes the pre-token trigger and runs the Python code.

  2. The Python code attempts to fetch the encryption secret.

  3. The encryption secret holds the key used to decrypt the claims stored in DynamoDB.

  4. The Python code returns the decrypted claims from DynamoDB.
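The flow above as added example code (not Moped's own hook implementation): a pre-token trigger that loads the Fernet key from Secrets Manager once per warm container, decrypts the claims on the user's DynamoDB item, and adds them to the token. It assumes boto3 and cryptography are packaged with the Lambda; the DynamoDB table name and its "email" key are assumptions, while the secret name is the production one from the table above.

```python
import json
from typing import Any, Dict

# Warm Lambda containers keep module state, so a key fetched once is reused
# instead of calling Secrets Manager on every token issuance.
_SECRET_CACHE: Dict[str, Any] = {}

def load_secret(secrets_client, secret_name: str) -> Any:
    """Fetch a secret by name: a JSON document comes back as a dict, plain text as str."""
    if secret_name in _SECRET_CACHE:
        return _SECRET_CACHE[secret_name]
    response = secrets_client.get_secret_value(SecretId=secret_name)
    raw = response.get("SecretString")
    if raw is None:  # binary secrets arrive as bytes
        raw = response["SecretBinary"].decode("utf-8")
    try:
        value = json.loads(raw)
    except ValueError:
        value = None
    # A Fernet key is plain text, not a document, so keep the raw string for it.
    _SECRET_CACHE[secret_name] = value if isinstance(value, dict) else raw
    return _SECRET_CACHE[secret_name]

def decrypt_claims(fernet, encrypted_claims: Dict[str, str]) -> Dict[str, str]:
    """Decrypt each Fernet-encrypted claim; `fernet` needs decrypt(bytes) -> bytes."""
    return {
        name: fernet.decrypt(token.encode("utf-8")).decode("utf-8")
        for name, token in encrypted_claims.items()
    }

def add_claims_to_token(event: Dict[str, Any], claims: Dict[str, str]) -> Dict[str, Any]:
    """Attach decrypted claims to the Cognito pre-token-generation response."""
    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims
    }
    return event

def lambda_handler(event, context):
    # Imports live here so the helpers above run without the AWS SDK installed.
    import boto3
    from cryptography.fernet import Fernet
    key = load_secret(boto3.client("secretsmanager"), "ATD_MOPED_USERS_COGNITO_DYNAMODB")
    # "EXAMPLE_USERS_TABLE" and the "email" key are assumptions, not Moped's schema.
    table = boto3.resource("dynamodb").Table("EXAMPLE_USERS_TABLE")
    email = event["request"]["userAttributes"]["email"]
    item = table.get_item(Key={"email": email}).get("Item", {})
    return add_claims_to_token(event, decrypt_claims(Fernet(key), item.get("claims", {})))
```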

Other notes:

It's worth mentioning that each secret is a separate resource in AWS and has its own ARN identifier.

Deployment strategy

The secrets are created and deployed manually.

References and documentation

Here is the current policy, atd-moped-users-cognito-hook-secrets-access, under the role atd-moped-cognito-hook.

Product page: https://aws.amazon.com/secrets-manager/

Python documentation: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html