Building Mobile and Web Apps using the AWS Mobile and Javascript SDKs
Parijat Mishra | Solutions Architect | Amazon Web Services | [email protected]

In this session, we’ll be creating Android apps to demonstrate various features of AWS.
How do we build mobile apps today?

What your mobile application needs to do:
• Authenticate users: manage users and identity providers
• Authorize access: securely access cloud resources
• Synchronize data: sync user prefs across devices
• Analyze user behavior: track active users and engagement
• Track retention: manage funnels and campaign performance
• Store and share media: store user-generated photos and media and share them
• Deliver media: automatically detect mobile devices and deliver content quickly, globally
• Send push notifications: bring users back to your app by sending messages reliably
• Store shared data: store and query fast NoSQL data across users and devices
• Stream real-time data: collect real-time clickstream logs and take actions quickly
Introducing AWS Mobile Services

Your Mobile App, Game or Device App
AWS Mobile SDK, API Endpoints, Management Console
Mobile Optimized Services: Amazon Cognito, Amazon Mobile Analytics, Amazon SNS Mobile Push
Mobile Optimized Connectors: Kinesis Connector, DynamoDB Connector, S3 Connector, SQS Connector, SES Connector
Core Building Block Services: Compute, Storage, Networking, Analytics, Databases
AWS Global Infrastructure (11 Regions, 28 Availability Zones, 52 Edge Locations)

AWS Mobile SDK: a fully integrated SDK
• Cross-platform, optimized for mobile
• Automatically handles intermittent and latent networks
• Reduced memory footprint
• Common authentication method across all services
Your mobile application with the AWS Mobile SDK: the service behind each need
• Authenticate users: Amazon Cognito (Identity broker)
• Authorize access: AWS Identity and Access Management
• Synchronize data: Amazon Cognito (Sync)
• Analyze user behavior: Amazon Mobile Analytics
• Track retention: Amazon Mobile Analytics
• Store and share media: Amazon S3 Transfer Manager
• Deliver media: Amazon CloudFront (Device Detection)
• Send push notifications: Amazon SNS Mobile Push
• Store shared data: Amazon DynamoDB (Object Mapper)
• Stream real-time data: Amazon Kinesis (Recorder)
Let’s build a Media App! What should it do?

Our Media App’s wish-list of features
• Upload & download media files to/from S3 buckets
• Grant anonymous but secure access to AWS resources in our account
• Grant authenticated access for users that log in via public identity providers
• Send push notifications to mobile devices
• Store the media library inventory in the cloud so it can be queried by many users
• Provide partitioned access to the media library based on Public and Private views
• Synchronise user data across devices
• Make all this available across devices (iOS, Android, Kindle) and web
First App: Basic Download/Upload App

Goals:
• User is anonymous – we don’t care who they are, treat them as ‘Public’ or ‘Guest’
• Directly access AWS Simple Storage Service (S3) from the mobile application
• We do not want to upload to a server and then have the server push the file to S3…
Requirements:
• We need to authenticate the application on the mobile device
• We do not want to bake the AWS credentials in our mobile app!
• Even though users are anonymous, we still want to control access to AWS

Components (diagram): Mobile App, Cognito Identity, S3 bucket with test media
Amazon Cognito: granting ‘guest’ access to our ‘Public’ users for controlled access to AWS resources

Cognito Identity example
Cognito Identity for guests: Cognito assigns a unique identifier for each device when a user is not logged on.
Cognito Identity for authenticated users: Cognito assigns a unique identifier for each user when they are authenticated. This will be the same identifier for this user regardless of which device they use.
Cognito setup: create a new Cognito Identity Pool
• Supplying public identity providers is optional. For this demo, we will not be supporting public identity providers, so we leave them empty.
• Enable guest access. For this demo, we will allow ‘anonymous access’ so that unauthenticated users can upload and download from our S3 bucket.
• Create IAM roles for this Cognito Identity Pool. We will assign tight security controls to these roles later.
• Assign a role for unauthenticated access.
• Starter code samples: Cognito conveniently provides starter code for you for Android, iOS and .Net! This is an example of how you can easily connect your app to Cognito.
Setup the required permissions in IAM
Note the default policy created by Cognito: by default, access to Cognito Sync and Mobile Analytics is permitted. This policy has been generated by the Cognito Create Identity Pool wizard.
Media in our S3 bucket
S3 bucket contents: the test file that we will be downloading via the TransferManager S3 connector.
S3 bucket ACLs: note that the ACLs on the bucket do not permit ‘Public’, so the asset is not world-accessible.

Let’s give the anonymous ‘guest’ access to our S3 bucket for read and write.
Setup the required permissions in IAM
• Use the Policy Generator: we’ll create our specific S3-related policy using the Policy Generator.
• Specify our bucket: our policy will specify access for our specific bucket. We’ll allow GetObject and PutObject.
• Resulting policy document: here’s what the resulting policy looks like for allowing READ access to any object in the specific bucket, and the ability to WRITE any object.

We’re now set up – let’s start coding!
Instantiate Cognito Credentials Provider
Give Cognito your details:
• Account Id
• Identity Pool ARN
• UnAuthenticated access Role ARN
• Authenticated access Role ARN
• The Region you are running Cognito in

Implementation note! This ‘Cognito’ class is just my convenience wrapper! I have chosen to implement this as a Singleton at App-scope. Your implementation may be different. The only important thing is that you instantiate a CognitoCachingCredentialsProvider.
Amazon S3 Connector: Transfer Manager
• Multipart upload media (photos, videos, audio)
• Fault tolerant download (e.g. assets)
• No backend required
• Automatic retries
• Pause, resume, cancel functions
• Optimized for native OS

Pass Cognito credentials to the AWS S3 Transfer Manager constructor: pass the Cognito provider to the TransferManager S3 connector so it is constructed from the Cognito-acquired AWS credentials.

Set up the download request and go! Initiate the download.

Demo App
First, the Application instantiates a CognitoCachingCredentialsProvider().
Then it initiates a download, followed by an upload.
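As an added example (the deck shows this only as screenshots, so this is not its code), here is the first app’s flow with the AWS SDK for Android v2: build the CognitoCachingCredentialsProvider from the pool details, then construct the TransferManager from that provider. The account id, identity pool id, role ARNs, region, bucket name and the MediaTransfer class are assumptions for this example.

```java
import android.content.Context;
import com.amazonaws.auth.CognitoCachingCredentialsProvider;
import com.amazonaws.mobileconnectors.s3.transfermanager.Download;
import com.amazonaws.mobileconnectors.s3.transfermanager.TransferManager;
import com.amazonaws.mobileconnectors.s3.transfermanager.Upload;
import com.amazonaws.regions.Regions;
import java.io.File;

// Added example; all ids, ARNs and the bucket name are placeholders.
public final class MediaTransfer {
    private static final String BUCKET = "example-media-bucket";

    // Cognito hands the app short-lived credentials scoped by the role policy,
    // so no long-lived AWS access key is ever compiled into the APK.
    private final CognitoCachingCredentialsProvider credentials;
    private final TransferManager transferManager;

    public MediaTransfer(Context context) {
        credentials = new CognitoCachingCredentialsProvider(
                context,
                "123456789012",                                            // AWS account id
                "us-east-1:11111111-2222-3333-4444-555555555555",          // identity pool id
                "arn:aws:iam::123456789012:role/Cognito_MediaUnauth_Role", // unauthenticated role ARN
                "arn:aws:iam::123456789012:role/Cognito_MediaAuth_Role",   // authenticated role ARN
                Regions.US_EAST_1);                                        // region the pool lives in
        // The S3 connector is built from the provider, not from raw keys; it
        // refreshes the temporary credentials itself when they expire.
        transferManager = new TransferManager(credentials);
    }

    // Download one object from the bucket into a local file. The connector
    // retries transient failures; waitForCompletion() blocks, so call this
    // from a background thread, never from the UI thread.
    public File download(String key, File target) throws InterruptedException {
        Download download = transferManager.download(BUCKET, key, target);
        download.waitForCompletion();
        return target;
    }

    // Upload a local file; large files go up as a multipart upload. This only
    // succeeds if the guest role's policy allows s3:PutObject on this bucket.
    public void upload(String key, File source) throws InterruptedException {
        Upload upload = transferManager.upload(BUCKET, key, source);
        upload.waitForCompletion();
    }
}
```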
Our Media App’s wish-list of features
• Upload & download media files to/from S3 buckets
• Grant anonymous but secure access to AWS resources in our account
• Grant authenticated access for users that log in via public identity providers
• Send push notifications to mobile devices
• Store the media library inventory in the cloud so it can be queried by many users
• Provide partitioned access to the media library based on Public and Private views
• Synchronise user data across devices
• Make all this available across devices (iOS, Android, Kindle) and web
• Convert uploaded video files to various mobile/web formats
Amazon Cognito: now let’s authenticate our users via public identity providers

Implement Public & Private views
Goals:
• User can be anonymous or they can choose to sign in via Facebook
• If they are anonymous, we let them see a ‘Public’ view of the media library
• If they choose to sign in, we let them see their own ‘Private’ view of the library
Requirements:
• We will use Cognito to help with the Public and Private authentication
• Again, no AWS credentials in our mobile app!
• We want to enforce Fine-Grained Access Control on the database views
Amazon Cognito Security Architecture (diagram): the developer configures the identity pool in the AWS Management Console (Pool ID, Role ARNs). End users log in to a public identity provider from the app with the SDK and receive an OAuth/OpenID access token; the app passes that access token to the Cognito Identity Broker, which returns a Cognito ID plus temporary credentials; the app then uses those temporary credentials, bound to the user ID, to access AWS services such as S3, DynamoDB, Mobile Analytics and the Cognito Sync Store.
Raw DynamoDB records example
• Hash key: each OwnerId identifies a user by their Cognito identity, or ‘public’ if they didn’t log on to Facebook
• Range key: each OwnerId has multiple Filenames
• Inventory is partitioned based on the OwnerId: ‘public’ is accessible to the ‘guest’ Cognito Identity; anything else must match the identity of the user accessing the application (assigned by Cognito automatically)

Use the DynamoDB Mapper
Use the DynamoDB Mapper annotations to decorate your value object. Specify the HashKey, RangeKey and the individual Attributes in your value object that should map to columns in the DynamoDB table.
For this demo, we’ll use Facebook as our Public Identity Provider.

Implement Public & Private views (diagram): Mobile App → OAuth/OpenID access token → Cognito Identity Broker → Cognito ID, temp credentials → DynamoDB, query for results filtered by OwnerId
Using Facebook in your App
• Great how-to: https://developers.facebook.com/docs/android/getting-started

Create an App on Facebook
• Cognito needs the App ID: the App ID from Facebook is what binds the Identity Pool to the Facebook application
• Configure Cognito to use Facebook
• Add an Android application to FB
• Generate your signing hash from your development environment – check the documentation…

We’re now set up – let’s start coding!
Secure access to DynamoDB
Simply instantiate the AmazonDynamoDBClient and specify your Cognito provider as the credential provider in the constructor.

Querying the DynamoDB table from code
Querying the DynamoDB table is simple! The DynamoDB Mapper will map the columns in the table to the fields in your value object and return a typed list of records ready to iterate.

Demo App
Guest access
• Connects to Cognito as anonymous user
• Gets AWS token and uses that to instantiate a DynamoDB client
• Queries DynamoDB using the key ‘public’
Authenticated access
• Gets token from Facebook
• Passes token to Cognito
• Impersonates authenticated user
• Queries DynamoDB using the key that matches the Cognito Identity of this user
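An added example, not the deck’s code, of the value object with the Mapper annotations and the guest/authenticated query path in the AWS SDK for Android v2. The table name MediaInventory, the Title attribute and the MediaInventory helper class are assumptions for this example.

```java
import com.amazonaws.auth.CognitoCachingCredentialsProvider;
import com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBAttribute;
import com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBHashKey;
import com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBMapper;
import com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBQueryExpression;
import com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBRangeKey;
import com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBTable;
import com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.PaginatedQueryList;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient;
import java.util.HashMap;
import java.util.Map;

// Added example; the table and attribute names are placeholders.
public final class MediaInventory {
    public static final String PUBLIC_OWNER = "public";
    // Value object decorated with Mapper annotations: OwnerId (a Cognito
    // identity id, or 'public') is the hash key, Filename the range key.
    @DynamoDBTable(tableName = "MediaInventory")
    public static class MediaItem {
        private String ownerId, filename, title;
        @DynamoDBHashKey(attributeName = "OwnerId")
        public String getOwnerId() { return ownerId; }
        public void setOwnerId(String v) { ownerId = v; }

        @DynamoDBRangeKey(attributeName = "Filename")
        public String getFilename() { return filename; }
        public void setFilename(String v) { filename = v; }

        @DynamoDBAttribute(attributeName = "Title")
        public String getTitle() { return title; }
        public void setTitle(String v) { title = v; }
    }

    private final CognitoCachingCredentialsProvider credentials;
    private final DynamoDBMapper mapper;
    private boolean authenticated;

    public MediaInventory(CognitoCachingCredentialsProvider credentials) {
        this.credentials = credentials;
        // The client signs every request with the temporary Cognito credentials.
        this.mapper = new DynamoDBMapper(new AmazonDynamoDBClient(credentials));
    }

    // After a Facebook login, hand the token to Cognito: the next credential
    // refresh assumes the authenticated role and yields a per-user identity id.
    public void onFacebookLogin(String accessToken) {
        Map<String, String> logins = new HashMap<String, String>();
        logins.put("graph.facebook.com", accessToken);
        credentials.setLogins(logins);
        authenticated = true;
    }

    // Guests query the 'public' partition; an authenticated user queries the
    // partition keyed by their own Cognito identity id. The role policy
    // (dynamodb:LeadingKeys) enforces this; the app only picks the partition
    // and gets AccessDenied if it asks for any other. Call off the UI thread.
    public PaginatedQueryList<MediaItem> listVisibleMedia() {
        MediaItem key = new MediaItem();
        key.setOwnerId(authenticated ? credentials.getIdentityId() : PUBLIC_OWNER);
        DynamoDBQueryExpression<MediaItem> query =
                new DynamoDBQueryExpression<MediaItem>().withHashKeyValues(key);
        return mapper.query(MediaItem.class, query); // typed, lazily paginated list
    }
}
```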
FGAC on DynamoDB using IAM
Fine-Grained Access Control (FGAC) lets you:
• Restrict which Actions can be called by the user
• Restrict which DynamoDB Tables can be accessed by the user
• Restrict which rows in the table are accessible by the user
• Control which fields are accessible in the query results

The “Unauthenticated” role policy:
• Control the actions the user can invoke
• Control the DynamoDB table the user can access
• Restrict the rows in the DynamoDB table the user can access
The “Authenticated” role policy:
• Use the Cognito Id for this user to restrict the rows that will be accessible to the user
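An added example, not the deck’s own policy screenshot, of the “Authenticated” role policy described above, assuming a table named MediaInventory whose hash key is OwnerId (the table ARN and account id are placeholders). The dynamodb:LeadingKeys condition compares the hash key of every request with the caller’s Cognito identity id, so a user can only read or write rows whose OwnerId is their own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AuthenticatedUserOwnPartitionOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MediaInventory",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}
```

The “Unauthenticated” role’s policy is the same document with "dynamodb:LeadingKeys": ["public"] and without dynamodb:PutItem, so a guest can only read the public partition. Scan is deliberately absent from both Action lists: it is not a keyed request, so LeadingKeys gives it no row boundary.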
Amazon SNS Push Notifications
Each platform works differently, and push gets even more complex as you scale to support millions of devices.
(Diagram: Cloud App → Platform Services → Mobile Apps; SNS application targets)

Amazon SNS Cross-platform Mobile Push
With Amazon SNS, developers can send push notifications on multiple platforms and reach mobile users around the world. SNS application targets, reached from your application back-end:
• Apple APNS: Apple iPhones and iPads
• Google GCM: Android phones and tablets
• Amazon ADM: Kindle Fire devices
• Windows WNS and MPNS: Windows desktop and phones
• Baidu CP: Android phones and tablets in China
Next App: SNS Push Notification App
Goals:
• Application automatically registers with Google Cloud Messaging (GCM)
• The device registration Id is then sent to SNS to register as a device endpoint
• The application then subscribes that device endpoint to a well-known SNS topic. This topic is shared by all other devices using the application
• The application then confirms SNS Push Notifications are working by sending a message to itself via SNS. The user sees a pop-up message.
• Later, whenever a message is sent to the shared SNS Topic, all devices subscribed receive a pop-up notification

(Diagram: the Mobile App obtains credentials from Cognito, then against SNS: create a platform endpoint in the SNS Application, subscribe that endpoint to the SNS Topic, publish a test message to our endpoint; the push notification is delivered via GCM)
Setup Amazon SNS
• On the SNS Dashboard, create a new Topic. Note the Topic’s ARN: we will need this in our code to subscribe the device to the topic so we can receive notifications
• Create a Google API Project and obtain the Google Project ID
• Enable GCM for Android
• Create the Server API Key and obtain it from Google
• On the SNS Dashboard, create a new App and specify the API Key you got from Google
• Note the ARN for this SNS Application

We’re now set up – let’s start coding!
Instantiate SNS using credentials from Cognito
Again, this ‘Cognito’ class is just my convenience wrapper implemented as a Singleton.

Get the device registration ID from GCM: we’re requesting the device identifier/token for this unique device, against the Google Project Id we created earlier.

And register this device with the SNS App: the ‘deviceIdentifier’ is the device token returned from GCM for this unique device.

Finally, subscribe the endpoint to the Topic: the endpoint is the ARN you got back from the previous call to getEndpointArn().

Demo App
• At startup, we register this device with the SNS Application
• Then we subscribe this device Endpoint to the global SNS Topic
• We then send a test message from the device to ourselves to confirm the round trip is working
• If we subsequently publish to the global SNS Topic, all devices subscribed will be notified
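An added example (not the deck’s code) of the four steps above with the AWS SDK for Android v2 and the Google Play Services GCM client. The Google project number, SNS application ARN, topic ARN and the PushRegistration class are assumptions; every method makes a network call and belongs on a background thread.

```java
import android.content.Context;
import com.amazonaws.auth.CognitoCachingCredentialsProvider;
import com.amazonaws.services.sns.AmazonSNSClient;
import com.amazonaws.services.sns.model.CreatePlatformEndpointRequest;
import com.amazonaws.services.sns.model.PublishRequest;
import com.amazonaws.services.sns.model.SubscribeRequest;
import com.google.android.gms.gcm.GoogleCloudMessaging;
import java.io.IOException;

// Added example; the project number and ARNs are placeholders.
public final class PushRegistration {
    private static final String GOOGLE_PROJECT_NUMBER = "000000000000";
    private static final String SNS_APP_ARN = "arn:aws:sns:us-east-1:123456789012:app/GCM/MediaApp";
    private static final String TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:MediaAppBroadcast";

    private final Context context;
    private final AmazonSNSClient sns;

    public PushRegistration(Context context, CognitoCachingCredentialsProvider credentials) {
        this.context = context;
        // SNS client signed with the temporary Cognito credentials; the guest
        // role should allow only CreatePlatformEndpoint, Subscribe and Publish
        // on the SNS application and topic ARNs above, nothing broader.
        this.sns = new AmazonSNSClient(credentials);
    }

    // Step 1: ask GCM for this device's registration token.
    public String registerWithGcm() throws IOException {
        return GoogleCloudMessaging.getInstance(context).register(GOOGLE_PROJECT_NUMBER);
    }

    // Step 2: turn the GCM token into an endpoint of our SNS application.
    public String createEndpoint(String deviceToken) {
        return sns.createPlatformEndpoint(new CreatePlatformEndpointRequest()
                .withPlatformApplicationArn(SNS_APP_ARN)
                .withToken(deviceToken)).getEndpointArn();
    }

    // Step 3: subscribe the endpoint to the topic shared by every install.
    public String subscribeToTopic(String endpointArn) {
        return sns.subscribe(new SubscribeRequest()
                .withTopicArn(TOPIC_ARN)
                .withProtocol("application")
                .withEndpoint(endpointArn)).getSubscriptionArn();
    }

    // Step 4: round-trip check. Publish to our own endpoint (TargetArn), not
    // to the topic, so only this device sees the test message.
    public String sendTestToSelf(String endpointArn) {
        return sns.publish(new PublishRequest()
                .withTargetArn(endpointArn)
                .withMessage("Push registration OK")).getMessageId();
    }

    // Run all four steps from a background thread at app startup.
    public String registerAtStartup() throws IOException {
        String endpointArn = createEndpoint(registerWithGcm());
        subscribeToTopic(endpointArn);
        sendTestToSelf(endpointArn);
        return endpointArn;
    }
}
```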
But wait! How did we initiate the sending of the Push Notification to the global SNS Topic?

Demo web page to send Push Notifications
Plain old Javascript and HTML! The website is a standard HTML site with Javascript. It is being served from S3, so no back-end servers. The magic comes from the AWS Javascript SDK.
• Topic ARN: this is the topic we subscribed our application to when it started up
• Cognito Role: this is the IAM role we want to use – we’re using the unauthenticated ‘guest’ role in this demo
• Cognito Identity Pool ID: this is the specific Cognito pool we want to use for authentication
Amazon Cognito: sharing data between devices

Next App: Shared application data
Goals:
• User is authenticated with Facebook
• Each time they modify gadgets in the app, the state of the gadgets is synchronized with all other devices using the application (for that user account)
• Verify these shared data changes in a companion web page, where the user is also authenticated with Facebook, and is the same user principal
Add a Web application to FB
S3 bucket name: we’re using S3 to serve the web site in this example, but you can use CloudFront, or EC2, or use a CNAME.
Javascript code to read Cognito Sync data
• Instantiate the CognitoSync object. It will inherit the Cognito credentials from those we obtained earlier from our call to CognitoIdentityCredentials().
• Specify our parameters. We need to specify the DatasetName that we want to connect to, and the Cognito Identity information as shown.
• Call CognitoSync::listRecords() and provide our params and a callback.
• OnSuccess(): iterate the results and do something interesting with the data records.

Demo App
Web page: the web page has access to the shared data when authenticated as the Facebook user.
Mobile application: the mobile application has access to the same shared data if the user is logged on to Facebook as the same user.
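An added example, not the deck’s page script, covering both web pages with the AWS JavaScript SDK v2: the push page publishing to the topic as the guest identity, and the sync page reading a Cognito Sync dataset with listRecords after a Facebook login. The ids and ARNs in CONFIG, the helper names and the loadSdk() shim are assumptions for this example.

```javascript
// Added example; every id and ARN here is a placeholder.
const CONFIG = {
  region: 'us-east-1',
  accountId: '123456789012',
  identityPoolId: 'us-east-1:11111111-2222-3333-4444-555555555555',
  unauthRoleArn: 'arn:aws:iam::123456789012:role/Cognito_MediaUnauth_Role',
  authRoleArn: 'arn:aws:iam::123456789012:role/Cognito_MediaAuth_Role',
  topicArn: 'arn:aws:sns:us-east-1:123456789012:MediaAppBroadcast',
};

// Parameters for AWS.CognitoIdentityCredentials: with a Facebook token the identity
// is authenticated (authenticated role, per-user id); without one it is the 'guest'.
function cognitoCredentialParams(facebookToken) {
  const params = {
    AccountId: CONFIG.accountId,
    IdentityPoolId: CONFIG.identityPoolId,
    RoleArn: facebookToken ? CONFIG.authRoleArn : CONFIG.unauthRoleArn,
  };
  if (facebookToken) params.Logins = { 'graph.facebook.com': facebookToken };
  return params;
}

// listRecords wants the pool, the caller's identity id and the dataset name.
function listRecordsParams(identityId, datasetName) {
  return { IdentityPoolId: CONFIG.identityPoolId, IdentityId: identityId, DatasetName: datasetName };
}

// Flatten Records into {key: value}; a record deleted on another device comes
// back as a tombstone without a Value, so it is left out.
function recordsToMap(records) {
  const out = {};
  (records || []).forEach((r) => {
    if (r.Value !== undefined && r.Value !== null) out[r.Key] = r.Value;
  });
  return out;
}

// In the browser the SDK comes from a <script> tag; under Node we require it.
function loadSdk() {
  return typeof window !== 'undefined' && window.AWS ? window.AWS : require('aws-sdk');
}

// Push page: publish to the shared topic as the guest identity. The guest
// role's policy must allow sns:Publish on exactly this topic ARN.
function publishToTopic(message, callback) {
  const AWS = loadSdk();
  AWS.config.region = CONFIG.region;
  AWS.config.credentials = new AWS.CognitoIdentityCredentials(cognitoCredentialParams(null));
  new AWS.SNS().publish({ TopicArn: CONFIG.topicArn, Message: message }, callback);
}

// Sync page: after the Facebook login, resolve the identity id, then read the
// user's dataset; the callback gets the flattened record map.
function readDataset(facebookToken, datasetName, callback) {
  const AWS = loadSdk();
  AWS.config.region = CONFIG.region;
  const creds = new AWS.CognitoIdentityCredentials(cognitoCredentialParams(facebookToken));
  AWS.config.credentials = creds;
  creds.get((err) => {
    if (err) return callback(err);
    new AWS.CognitoSync().listRecords(listRecordsParams(creds.identityId, datasetName),
      (e, data) => (e ? callback(e) : callback(null, recordsToMap(data.Records))));
  });
}
```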
We covered a lot of ground in this deep-dive session!

AWS Mobile Services
• Amazon Cognito: user identity & data synchronization service
• Amazon SNS Mobile Push: powerful cross-platform push notification service
• DynamoDB Connector: store any NoSQL data and also map mobile OS specific objects to DynamoDB tables
• S3 Connector: easily upload, download to S3 and also pause, resume, and cancel these operations
• SQS Connector: access distributed buffering and queuing service

AWS Services & Features
• Amazon S3: online file storage web service
• Amazon Elastic Transcode Service: highly scalable media transcoding in the cloud
• Amazon CloudFront: Content Delivery Network (CDN)
• Amazon Elastic Beanstalk: Platform as a Service (PaaS)
• Amazon Identity and Access Management: securely control access to AWS services and resources for your users
Online Labs | Training
Gain confidence and hands-on experience with AWS. Watch free instructional videos and explore Self-Paced Labs.

Instructor Led Classes
Learn how to design, deploy and operate highly available, cost-effective and secure applications on AWS in courses led by qualified AWS instructors.

AWS Certification
Validate your technical expertise with AWS and use practice exams to help you prepare for AWS Certification.

http://aws.amazon.com/training

Thank You