Adding Cognito authentication to AWS DevOps Agent

Original Blogs

AWS DevOps AgentにCognito認証を追加する

One of the benefits of AWS DevOps Agent is that it allows you to separate the AWS console from the console for AWS DevOps Agent. This eliminates the need for operations personnel to log in to the AWS console, preventing unexpected resource deletion.

However, there are security concerns when sharing the console URL for AWS DevOps Agent. Although it is difficult to guess because the domain name contains random characters, it is recommended to add at least some authentication functionality as a security measure.

In this article, we will implement a method to control access to the console for AWS DevOps Agent using Cognito authentication.

Notes

The official documentation recommends using the IAM Identity Center for authentication. If you cannot use the IAM Identity Center in the US (Northern Virginia) region, please use this procedure.

Target Audience

• Those using the AWS DevOps Agent
• Those who want to implement an authentication mechanism for practical use

Leaning Outcome

• Cognito can be used instead if IAM Identity Center is not available.
• Because Cognito makes it difficult to provide fine-grained permission control, we recommend using IAM Identity Center.

Preparation for implementation

• Have an AWS account

Open AWS DevOps Agent Space

• Open the AWS Management Console
• Make sure your region is set to US (N. Virginia)
• Type AWS DevOps Agent in the search box
• Click AWS DevOps Agent in the search results

• The AWS DevOps Agent menu screen will appear.
• Click the "Create Agent Space" button in the upper right corner of the screen.

• Enter a name for your Agent Space in the Name and Description fields.
• Leave all other fields as default.
• Scroll to the bottom and click the Create button.

• After a few minutes, the AWS DevOps Agent will be created.
• Click the Operator Access button.

• The AWS DevOps Agent console screen will be displayed.
• Copy and paste the URL into a text file.

Prepare Cognito for AWS DevOps Agent

• Return to the AWS console screen
• Type Cognito in the search box
• Click Cognito in the search results

• Click the hamburger menu on the left to display the menu.
• Click User Pool.

• Click the Create User Pool button

• Enter a name for the application

• Set the following options:
• Sign-in Identifier Option: Email Address
• Self-Registration: Unchecked
• Required Sign-in Attribute: Email Address

• Paste the AWS DevOps Agent URL you copied earlier into the return URL.
• Click the button to create a user directory.

• Click User Pools in the left menu.
• Click the user pool you just created.

• Click on Users in the left menu

• Click the "Create User" button
• Enter the following information:
• Email Address: Your preferred email address
• Temporary Password: Your preferred password
• Password: Your preferred password
• After entering the information, click the "Create User" button.

Login test

• Click "Application Client" in the left menu.
• Click the application you created.

• Click the "Login Page" tab
• Click the "Show Login Page" button

• Enter the email address of the user you just created

• If a password is required, enter it

• You will be asked to change your password, so enter a suitable password.

• After logging in, you will be redirected to the AWS DevOps Agent screen.

Impressions

I was able to add authentication functionality to AWS DevOps Agent with Cognito without using IAM Identity Center. However, since accounts are managed by Cognito, user management can become complicated.

It's sufficient if you require minimal authentication functionality, but if you want to control permissions more precisely for each operator, we recommend using the IAM Identity Center. Currently, AWS DevOps Agent is a preview service, so it only supports the IAM Identity Center in the US (Northern Virginia) region. We expect support for other regions will follow when it becomes generally available.

The implementation itself is relatively simple, so if you are considering strengthening the security of your AWS DevOps Agent, give it a try.

Additional Note

If you are using IAM Identity Center management, you will lose access to the AWS DevOps Agent if your session expires. Session management is a topic for future consideration.