
aws-samples/s3-access-grants-workshop

S3 Access Grants Web Application

This application is part of the S3 Access Grants Workshop. It demonstrates how to integrate AWS IAM Identity Center with a customer application and authorize access to S3 based on federated user identities.

Authors

Rafael Koike - Principal Solutions Architect - AWS
Vaibhav Sabharwal - Senior Solutions Architect - AWS

Requirements

  • Azure account (folder frontend-entra_id)
    • Azure Entra ID
      • Enterprise App with AWS Identity Center
      • Application to use in this React Sample App
  • Okta account (folder frontend-okta)
  • AWS Account
    • Identity Center (Can be at Org level or account level)
    • S3 Bucket and objects
    • S3 Access Grants Instance, Location and Grants
    • IAM Role to set up the Sample Web App and S3 Access Grants Location
  • Node v18 or higher with NPM
    • Microsoft MSAL library
  • AWS CDK
  • Python 3.9 or higher (To build and deploy the lambda functions)
    • venv

Deploy

  • Set up your AWS Identity Center.
  • Choose to integrate with Entra ID or Okta and set up SCIM provisioning between your IdP and Identity Center.
  • Install the libraries:

npm install

You will need the following information to build the frontend:

  • Audience
  • Issuer URL
  • Redirect URI
  • API Gateway endpoint (only created after deploying the CDK stack)

Put these values in the file config.js in the src folder of the frontend.

Note: The API Gateway endpoint does not exist until the CDK stack has been deployed, so build an initial frontend package with a placeholder API Gateway URL, deploy, then come back, put the real URL in config.js and build the package again.

Initialize CDK

python -m ensurepip --upgrade
python -m pip install --upgrade pip
python -m pip install --upgrade virtualenv

Deploy CDK bootstrap

Run the following command to deploy the CDK bootstrap

cdk bootstrap

Deploy the CDK application

This CDK stack can run with Entra ID or Okta. To select the correct front end, set the environment variable: IDP_VENDOR=okta|entra_id

An example that invokes cdk deploy with the Okta front end:

IDP_VENDOR=okta cdk deploy

This sets the environment variable only for that command and deploys the matching front end.

The output of cdk deploy contains the values used to update config.js for the frontend and config.py for the backend. For the config.py backend you will need the following information:

  • Audience
  • Identity Store ID (You can grab this information from Identity Center)
  • Token Exchange App ARN (get this from the application's Trusted identity propagation settings in Identity Center)
  • Transient Role ARN (this role is generated by the CDK stack; deploy first, then update config.py)
  • JWKS URL (the URL from which the Lambda function downloads the IdP's public signing keys to verify tokens)
  • Username Attribute (the token claim that is mapped to the Identity Center user attribute)
    • For Entra ID, it is normally the preferred_username
    • For Okta, it is normally sub

Because the Transient Role ARN is only known after the stack exists, deploy the CDK application once, copy the role ARN from the stack outputs into cdk/lambda/config.py, then redeploy and test. Use the CloudFront distribution URL from the outputs as the sign-in redirect URL in your IdP application; the redirect URI registered at the IdP must match the URL the frontend sends exactly, including scheme and path.
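With the JWKS URL, Audience, Issuer URL and Username Attribute above, the backend Lambda's job is to verify the IdP-issued token before anything is exchanged with Identity Center. The following is an added example of that check, written for this README and not code from the workshop repository: it selects the RSA key matching the token's kid from a JWKS document, verifies the RS256 signature, checks issuer, audience and validity window, and only then returns the configured username attribute. The issuer, audience, key id and the in-memory "IdP" that signs the demo token are constructed for the example; in the real Lambda the JWKS document is fetched from the JWKS URL in config.py. Requires the cryptography package.

```python
"""Added example (not the workshop's Lambda): verify an IdP JWT against a JWKS
document and extract the Identity Center username attribute. ISSUER, AUDIENCE,
the key id and the signing key below are constructed for the demo."""
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ISSUER = "https://idp.example.com"          # hypothetical Issuer URL
AUDIENCE = "api://s3-access-grants-demo"    # hypothetical Audience
# Claim that names the Identity Center user, per IdP (matches the README list).
USERNAME_ATTRIBUTE = {"entra_id": "preferred_username", "okta": "sub"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwk_to_public_key(jwk: dict):
    """Rebuild an RSA public key from one JWKS entry (RFC 7518 s6.3: n and e are
    base64url-encoded big-endian integers). Only RSA signing keys are accepted."""
    if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
        raise ValueError("not an RSA signing key")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return rsa.RSAPublicNumbers(e, n).public_key()


def verify_token(token: str, jwks: dict, issuer: str, audience: str,
                 idp_vendor: str, now=None) -> str:
    """Return the username attribute of a valid token; raise on any failure.
    The signature is verified before any claim is trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if malformed
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token pick it (alg=none / HS256 confusion).
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWKS key with kid %r" % header.get("kid"))
    jwk_to_public_key(key).verify(
        b64url_decode(sig_b64), f"{header_b64}.{payload_b64}".encode(),
        padding.PKCS1v15(), hashes.SHA256())  # raises InvalidSignature on mismatch
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    attr = USERNAME_ATTRIBUTE[idp_vendor]
    if attr not in claims:
        raise ValueError(f"token lacks the {attr!r} claim")
    return claims[attr]


# --- Constructed stand-in for the IdP so the example runs offline -------------
def make_jwks(private_key, kid: str) -> dict:
    """Publish the public half of the key as a JWKS document (what the JWKS URL serves)."""
    nums = private_key.public_key().public_numbers()
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(nums.n), "e": enc(nums.e)}]}


def issue_token(private_key, kid: str, claims: dict) -> str:
    head = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = private_key.sign(f"{head}.{body}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{head}.{body}.{b64url_encode(sig)}"


def demo() -> dict:
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwks = make_jwks(key, "demo-key-1")
    now = 1_700_000_000  # fixed clock so results are deterministic
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "00u1abc", "iat": now,
              "exp": now + 3600, "preferred_username": "alice@example.com"}
    token = issue_token(key, "demo-key-1", claims)
    result = {"entra_user": verify_token(token, jwks, ISSUER, AUDIENCE, "entra_id", now),
              "okta_user": verify_token(token, jwks, ISSUER, AUDIENCE, "okta", now)}
    # Payload edited after signing: the signature no longer matches, so no identity comes out.
    h, p, s = token.split(".")
    forged = json.loads(b64url_decode(p))
    forged["preferred_username"] = "mallory@example.com"
    tampered = f"{h}.{b64url_encode(json.dumps(forged).encode())}.{s}"
    try:
        verify_token(tampered, jwks, ISSUER, AUDIENCE, "entra_id", now)
        result["tampered_rejected"] = False
    except InvalidSignature:
        result["tampered_rejected"] = True
    # The same valid token presented two hours later is past exp.
    try:
        verify_token(token, jwks, ISSUER, AUDIENCE, "entra_id", now + 7200)
        result["expired_rejected"] = False
    except ValueError:
        result["expired_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

In the Lambda the JWKS document should be fetched over HTTPS from the configured JWKS URL, cached by kid, and re-fetched when a token arrives with an unknown kid so that IdP key rotation does not break sign-in. Only a username obtained from a token that passed every check above should be looked up in the Identity Store and passed on to the token exchange.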

Version Log

0.0.1 - 04/18/2024 - Initial version