Reference implementation of an Amazon AppStream entitlement service.
The Amazon AppStream Sample (Developer) Entitlement Service, a.k.a. 'DES', has the following features:
- applications and subscriptions management
- streaming sessions management
- third-party authentication integration
The stack is deployed with CloudFormation and consists of:
1. the DES service API and task runners on EC2
2. a web application portal for access in the browser
3. a CloudFront distribution that fronts both (1) and (2)
Amazon DynamoDB is used for data storage. Amazon Cognito is used for authentication.
A CloudFormation template configures IAM, EC2, DynamoDB, and CloudFront.
See the README.md files in subdirectories of this repository for more documentation.
The following are instructions for running and deploying the Amazon AppStream Sample Entitlement Service (DES) in your account using packages built from this repository.
There are two prerequisite steps:
1. obtain a Login With Amazon Client ID, and
2. create an Amazon Cognito Developer Identity Pool connected to (1)
The identifiers and tokens obtained by doing the above will be used when deploying DES with CloudFormation.
This authentication setup is necessary so that an administrator can log in to DES using Login with Amazon as the third-party authentication provider.
- Follow the instructions here to register a Login with Amazon application (Note: you may only need to follow Step 1 to register an application and obtain a Client ID)
- Make sure you obtain an Amazon Client ID here
- Note the Login with Amazon Client ID (1)
You will need to create an Amazon Cognito Identity Pool and associate your Login with Amazon application Client ID with it.
(Note: See here for more on Developer Authenticated Identities.)
- Click on "Create new Identity Pool"
- Input an "Identity Pool Name" like "DESUsers"
- Under "Unauthenticated identities" select "Enable access to unauthenticated identities"
  (Note: anyone who can load the web portal can obtain credentials for the unauthenticated role, so keep that role's policy minimal and review the role the stack creates before associating it with the pool below)
- Under the "Amazon" tab of "Public identity providers" input your Amazon App ID (1)
- Under the "Custom" tab of "Public identity providers" input a name like 'login.mycompany.myapp'
  (Note this name for later input for the parameter CognitoDeveloperProviderName (2))
- Click 'Create Pool'
- Choose 'Don't Allow' when prompted to choose Roles.
  (Note: the roles will be created by CloudFormation and later associated with the Cognito Identity Pool)
- Click on 'Edit identity pool' at the top right.
  (Note the 'Identity pool ID' for input later for the parameter CognitoIdentityPoolId (3))
You can launch the DES application(s) and infrastructure with AWS CloudFormation.
- Use this link to open the CloudFormation template directly in the AWS Management Console:
Open the DES CloudFormation template in the AWS Management Console
- Click Next
- Input the Login with Amazon Client ID in the Parameters for the stack:
  LoginWithAmazonOAuthClientId (1) (e.g.: amzn1.application.xxxxxxxxxxxxxxxxxxxxxxxx)
- Input the following two identifiers in the Parameters for the stack:
  CognitoDeveloperProviderName (2) (e.g.: 'login.mycompany.myapp')
  CognitoIdentityPoolId (3) (e.g.: 'us-east-1:d10f9dbd-b4c5-466c-8a5b-e70ebbb846b9')
- Input the EC2 Key Pair name and an administrator user's email:
  KeyName (Note: the key pair must already exist in the same region: 'us-east-1')
  AdministratorUserEmail (Note: the email you will use to log in to the application with Login with Amazon)
- Click Next
- Click Next on the 'Options' step
- In the 'Review' step select "I acknowledge that this template might cause AWS CloudFormation to create IAM resources."
- Click Create
- When the Stack reaches the CREATE_COMPLETE state ...
- Navigate to the Outputs for the Stack
- Navigate to the Amazon Cognito service in the AWS Management Console.
- Navigate to the details of the identity pool.
- Click on 'Edit Identity Pool'.
- Click on 'Select a role ...' for 'Unauthenticated role'.
- Select the role named in the 'CognitoUnauthenticatedRoleId' output of your stack.
  e.g.: 'sample-appstream-entitlem-CognitoUnauthenticatedRo-1CD6XQATND48I'
- Click on 'Select a role ...' for 'Authenticated role'.
- Select the role named in the 'CognitoAuthenticatedRoleId' output of your stack.
  e.g.: 'sample-appstream-entitlement-service-CognitoRole-HSY4CW8R8C1L'
- Click on 'Save Changes'
You must register your endpoint URI with your third-party authentication provider(s) to allow authentication to succeed.
- Navigate to Login with Amazon
- Under 'Web Settings' for your application click 'Edit'
- Input the URL value of the WebPortalEndpointURL output of your CloudFormation stack under 'Allowed JavaScript Origins'
- Click 'Save'
- Navigate to the URL value of the WebPortalEndpointURL output of your CloudFormation stack + /admin.html, e.g.:
  <WebPortalEndpointURL>/admin.html
  i.e.: https://123450123456789.cloudfront.net/admin.html
You can log in with the email you used as input to the CloudFormation stack parameter AdministratorUserEmail.
A Cognito user was set up for that email, and you can use Login with Amazon to authenticate.
The customer endpoint is at:
<WebPortalEndpointURL>/
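The console steps above (stack creation, reading the outputs, and attaching the stack's roles to the identity pool), scripted with the AWS CLI. This is an added example and not code from the DES repository. It assumes the AWS CLI is installed with credentials for the target account; the stack name, region and TEMPLATE_URL are placeholders (replace TEMPLATE_URL with the template link the README points at). Beyond the console steps it also sanity-checks the three identifiers before calling CloudFormation and prints the unauthenticated role's policies, since any visitor to the portal can obtain credentials for that role.

```shell
#!/bin/sh
# Added example, not part of the DES repository: the console deployment steps
# scripted with the AWS CLI. Assumes the CLI is installed and has credentials
# for the account. TEMPLATE_URL is a placeholder to be replaced with the URL of
# the DES CloudFormation template the README links to.
set -eu

REGION=${REGION:-us-east-1}
STACK_NAME=${STACK_NAME:-sample-appstream-entitlement-service}
TEMPLATE_URL=${TEMPLATE_URL:-https://example.com/des-template.json}   # placeholder, replace

# Sanity-check the three identifiers before handing them to CloudFormation.
# Returns 0 when all three have the shape the README's examples show.
validate_inputs() {
  lwa_id=$1; provider=$2; pool_id=$3
  case "$lwa_id" in
    amzn1.application.*) ;;
    *) echo "bad LoginWithAmazonOAuthClientId: $lwa_id" >&2; return 1 ;;
  esac
  case "$provider" in
    *.*) ;;
    *) echo "bad CognitoDeveloperProviderName: $provider" >&2; return 1 ;;
  esac
  case "$pool_id" in
    "$REGION":????????-????-????-????-????????????) ;;
    *) echo "bad CognitoIdentityPoolId (expected $REGION:<uuid>): $pool_id" >&2; return 1 ;;
  esac
  return 0
}

# The stack outputs carry role *names*; set-identity-pool-roles wants ARNs.
role_arn() {  # role_arn ACCOUNT_ID ROLE_NAME
  printf 'arn:aws:iam::%s:role/%s' "$1" "$2"
}

# Fetch a single output value from the deployed stack.
stack_output() {  # stack_output OUTPUT_KEY
  aws cloudformation describe-stacks --region "$REGION" --stack-name "$STACK_NAME" \
    --query "Stacks[0].Outputs[?OutputKey=='$1'].OutputValue" --output text
}

# deploy_des LWA_CLIENT_ID PROVIDER_NAME POOL_ID KEY_NAME ADMIN_EMAIL
deploy_des() {
  validate_inputs "$1" "$2" "$3"

  # --capabilities CAPABILITY_IAM is the CLI form of the "I acknowledge ..." checkbox.
  aws cloudformation create-stack --region "$REGION" --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" --capabilities CAPABILITY_IAM \
    --parameters \
      "ParameterKey=LoginWithAmazonOAuthClientId,ParameterValue=$1" \
      "ParameterKey=CognitoDeveloperProviderName,ParameterValue=$2" \
      "ParameterKey=CognitoIdentityPoolId,ParameterValue=$3" \
      "ParameterKey=KeyName,ParameterValue=$4" \
      "ParameterKey=AdministratorUserEmail,ParameterValue=$5"
  aws cloudformation wait stack-create-complete --region "$REGION" --stack-name "$STACK_NAME"

  # Wire the stack's roles into the identity pool (the 'Edit Identity Pool' steps).
  account=$(aws sts get-caller-identity --query Account --output text)
  unauth_role=$(stack_output CognitoUnauthenticatedRoleId)
  auth_role=$(stack_output CognitoAuthenticatedRoleId)
  aws cognito-identity set-identity-pool-roles --region "$REGION" --identity-pool-id "$3" \
    --roles "authenticated=$(role_arn "$account" "$auth_role"),unauthenticated=$(role_arn "$account" "$unauth_role")"

  # Anyone who loads the portal can obtain credentials for the unauthenticated
  # role, so print its policies for review before going live.
  aws iam list-attached-role-policies --role-name "$unauth_role"
  aws iam list-role-policies --role-name "$unauth_role"

  portal=$(stack_output WebPortalEndpointURL)
  echo "Add $portal to 'Allowed JavaScript Origins' of your Login with Amazon app,"
  echo "then sign in at $portal/admin.html with $5."
}

# Run only when invoked with arguments; running bare just defines the functions.
[ $# -eq 0 ] || deploy_des "$@"
```

Invoke it as `sh deploy-des.sh <LWA client ID> <provider name> <identity pool ID> <key pair name> <admin email>`. The 'Allowed JavaScript Origins' step still has to be done in the Login with Amazon console, which is why the script only prints the URL to register.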