aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

@aws-cdk/aws-elasticsearch: Allow retrieving the generated app client id when creating an Elasticsearch service #20683

Open zordark opened 2 years ago

zordark commented 2 years ago

Describe the feature

I need to retrieve the ES-generated app client id, to be able to add a role mapping.

Use Case

When I configure an ES domain to use Amazon Cognito authentication for Kibana, ES adds an app client to the user pool. I need to retrieve the app client id, to be able to add role mapping. More specifically, I need to change the authenticated role selection to type token instead of the default option. In CDK, I can do that like this:

    new CfnIdentityPoolRoleAttachment(this, 'RoleAttachment', {
        ...
        roleMappings: {
            'app client id here': {
                type: 'Token',
                ambiguousRoleResolution: 'AuthenticatedRole'
            }
        },
        ...
    });

I saw some recommendations in these 2 articles: https://github.com/aws/aws-cdk/issues/7119 aws-samples

Unfortunately, I can't use them, because we are creating a few clusters in CDK and we have some other app clients, and probably I can't rely on the app client index in the user pool.

    // Imports assumed for CDK v1 (@aws-cdk/custom-resources). userPool appears to be a
    // CfnUserPool (attrArn / ref), esDomain the Elasticsearch domain and
    // applicationPrefix a string, all defined elsewhere in the stack.
    import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from '@aws-cdk/custom-resources';

    const userPoolClients = new AwsCustomResource(this, 'clientIdResource', {
      // IAM policy for the SDK call, scoped to this one user pool's ARN
      policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: [userPool.attrArn] }),
      onCreate: {
        service: 'CognitoIdentityServiceProvider',
        action: 'listUserPoolClients',
        parameters: {
          UserPoolId: userPool.ref
        },
        physicalResourceId: PhysicalResourceId.of(`ClientId-${applicationPrefix}`)
      }
    });
    // Run the listing only after the domain exists, so its generated client is included
    userPoolClients.node.addDependency(esDomain);

    // Takes index 0 of the listing: fragile when the pool holds other app clients
    const clientId = userPoolClients.getResponseField('UserPoolClients.0.ClientId');
    const providerName = `cognito-idp.${this.region}.amazonaws.com/${userPool.ref}:${clientId}`;

Is there another way I can get it?

Proposed Solution

No response

Other Information

No response

Acknowledgements

CDK version used

1.147.0

Environment details (OS name and version, etc.)

Windows 11

peterwoodworth commented 2 years ago

Are you familiar with how exactly the app client is getting created @zordark? (i.e. in cloudformation? and where) some example code would help me to figure out exactly what your use case is 🙂

zordark commented 2 years ago

> Are you familiar with how exactly the app client is getting created @zordark? (i.e. in cloudformation? and where) some example code would help me to figure out exactly what your use case is 🙂

I've provided a link to the complete sample in the request: sample

peterwoodworth commented 2 years ago

So, an array of UserPoolClientDescription is returned by listUserPoolClients.

There are a couple of ways you could filter the data such that you choose the right client. You could create a list of client ids that the user pool has just before deployment, perhaps with the same API call - and then once the app client has been created by the service you run the call again and check for the new id.

Or, if you know the name of the client that gets created, you could look for that too. I don't know what the name is - but it could possibly be consistent & predictable - do you know?

peterwoodworth commented 2 years ago

Else, I don't think there's a way to retrieve this. CloudFormation doesn't offer us any way to retrieve it through their resources from what I can tell - and I'm not familiar with any other API calls which would be better for getting the clients associated with your user pool

github-actions[bot] commented 2 years ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

zordark commented 2 years ago

> There are a couple ways you could filter out the data such that you choose the right client. You could create a list of client ids that the user pool has just before deployment, perhaps with the same API call - and then once the app client has been created by the service you run the call again and check for the new id.

I need to check whether it works or not. Just for clarification: is onCreate called on userPool creation or userPoolClient creation?

> Or, if you know the name of the client that gets created, you could look for that too. I don't know what the name is - but it could possibly be consistent & predictable - do you know?

The user pool client will be created automatically by ES, so I don't know the name. Probably I can search by substring with ES domain name, but I'm not sure how.
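The selection logic behind both suggestions in this thread (peterwoodworth's before/after diff of listUserPoolClients, and the name-substring search zordark asks about), written out as an added example; this is not code from the issue or from the CDK project. It is the pure decision logic a Lambda-backed custom resource would run over the ListUserPoolClients response instead of trusting `UserPoolClients.0.ClientId`. The response shape (`UserPoolClients[].ClientId` / `ClientName`, `NextToken`) is the real Cognito API's; the `fetchPage` callback stands in for the awaited SDK call, the sample clients and the `my-domain` name fragment are constructed, and the name the service gives the generated client is not known from the thread, so the name predicate is left to the caller. Both strategies refuse to guess when zero or several candidates match, because mapping the wrong client id into the identity pool role mapping would hand the authenticated role to tokens from an unrelated app client.

```typescript
// One element of the ListUserPoolClients response (Cognito IdP API shape).
interface UserPoolClientDescription {
  ClientId: string;
  ClientName: string;
  UserPoolId: string;
}

// One page of ListUserPoolClients; NextToken is present while more pages follow.
interface ListUserPoolClientsPage {
  UserPoolClients: UserPoolClientDescription[];
  NextToken?: string;
}

// Follows NextToken until the listing is exhausted. `fetchPage` stands in for
// the SDK call (listUserPoolClients({ UserPoolId, MaxResults: 60, NextToken }));
// a real handler would await it, the logic is otherwise identical.
function listAllClients(
  fetchPage: (nextToken?: string) => ListUserPoolClientsPage
): UserPoolClientDescription[] {
  const all: UserPoolClientDescription[] = [];
  let token: string | undefined;
  do {
    const page = fetchPage(token);
    all.push(...page.UserPoolClients);
    token = page.NextToken;
  } while (token);
  return all;
}

// Strategy 1 (diff): the client that exists after the domain was created but
// did not exist before. Exactly one new client is expected; anything else is
// an error, not a guess.
function findNewClient(
  before: UserPoolClientDescription[],
  after: UserPoolClientDescription[]
): UserPoolClientDescription {
  const known = new Set(before.map((c) => c.ClientId));
  const added = after.filter((c) => !known.has(c.ClientId));
  if (added.length !== 1) {
    throw new Error(`expected exactly one new app client, found ${added.length}`);
  }
  return added[0];
}

// Strategy 2 (name): select by a caller-supplied predicate on ClientName, for
// example "contains the ES domain name". The exact name the service assigns is
// an assumption the caller must verify; again exactly one hit is required.
function findClientByName(
  clients: UserPoolClientDescription[],
  matches: (name: string) => boolean
): UserPoolClientDescription {
  const hits = clients.filter((c) => matches(c.ClientName));
  if (hits.length !== 1) {
    throw new Error(`expected exactly one matching app client, found ${hits.length}`);
  }
  return hits[0];
}

// Constructed sample data: a pool with two pre-existing clients, and the
// post-deployment listing split across two pages to exercise pagination.
const POOL_ID = "us-east-1_EXAMPLE";
const BEFORE: UserPoolClientDescription[] = [
  { ClientId: "1aaaaaaaaaaaaaaaaaaaaaaaaa", ClientName: "web-app", UserPoolId: POOL_ID },
  { ClientId: "2bbbbbbbbbbbbbbbbbbbbbbbbb", ClientName: "mobile-app", UserPoolId: POOL_ID },
];
const GENERATED: UserPoolClientDescription = {
  ClientId: "3cccccccccccccccccccccccc",
  ClientName: "es-generated-my-domain", // constructed name, not the service's real one
  UserPoolId: POOL_ID,
};
const AFTER_PAGES: ListUserPoolClientsPage[] = [
  { UserPoolClients: [BEFORE[0]], NextToken: "page-2" },
  { UserPoolClients: [BEFORE[1], GENERATED] },
];

// Stand-in for the paginated SDK call against the constructed data.
function fetchAfterPage(nextToken?: string): ListUserPoolClientsPage {
  return nextToken === undefined ? AFTER_PAGES[0] : AFTER_PAGES[1];
}

// Runs both strategies; in a custom resource handler the chosen ClientId would
// be returned as a Data attribute for the stack to build the providerName.
function demo(): { byDiff: string; byName: string } {
  const after = listAllClients(fetchAfterPage);
  const byDiff = findNewClient(BEFORE, after).ClientId;
  const byName = findClientByName(after, (name) => name.includes("my-domain")).ClientId;
  return { byDiff, byName };
}

console.log(demo());
```

The before-snapshot for strategy 1 has to be taken by a resource that the domain depends on, so ordering in the stack matters as much as the filter itself; strategy 2 needs no snapshot but depends on a naming convention the thread does not confirm, so verify the generated client's name in a test account before relying on it.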

peterwoodworth commented 2 years ago

onCreate is called when the custom resource is created.

To me this seems like something that should be natively supported by CloudFormation. I think it's reasonable to access the generated app client id as an attribute of the service. If you're interested in seeing this feature, please create an issue on the CloudFormation Coverage Roadmap 🙂

movingelectrons commented 10 months ago

wait a minute here. so we are expected to write a cloudformation template, can generate a userpool from the command line, but then have to log into the stupid website and click around for the stupid app_client_id? Ugh I was beginning to actually enjoy using the aws cdk but now I'm not. I really don't like being required to use the aws website, it's more annoying than your grandma.