Using DynamoDB and Web Identity Federation

Scenario

Let’s say you are developing a game application or any other web application on AWS public cloud platform that uses DynamoDB for storing all application related data. Now, if your application is expected to have thousands of users, then it will not be viable for you to create IAM user and then provide these users access to the tables in Dynamo DB for storing application related data, like their score in case of a game or shopping cart etc. The solution to this scenario is to use Web Identity Federation, which will leverage user’s existing accounts on Google, Facebook or any other identity provider, to provide temporary access to the Dynamo DB data.

Let’s look into an example of how to make configurations for this.

DynamoDB Configurations

Create a DynamoDB table and call it "Score."

1. Create Partition key and a Sort key. Complete creation of the table.
2. Go to "Access control" and select ‘Facebook’ as the identity provider or any other as per your requirement.
3. Select the "Actions" that you want to allow your users to perform.
4. Select the "Attributes" that you want your users to have access to.
5. Select Create policy and copy the code generated in the policy panel. See the snapshot below.

IAM Configurations

1. Go to IAM console and select “Create Policy." Under the JSON tab, paste the code that you copied in step 6 of above section i.e. DynamoDB Configurations. Move to the next page.

1. Give the policy a name, for example, ‘DynamoDB-Policy’ and complete the policy creation process.
2. Now, create a new role.
3. Select Web Identity as the Trusted Identity of your role.
4. Select "Facebook" as the Identity Provider and enter the applications ID that you retrieved from your Facebook development account.

1. Go to "Next: Permissions" screen and search for the policy you just created. Type in your policy name, for example, "DynamoDB-Policy," in this case, and select it and move to the next step.
2. Provide the role a name and description.

Conclusion

One this setup is in place, you can start developing your application that uses social media identity providers like Facebook in this example to authenticate and authorize your users. You also have the option to use Amazon Cognito that is the best fit for quickly and easily managing your users coming through third party identity providers.