Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cerbos/python-cognito-cerbos

Last synced: about 2 months ago
JSON representation

Host: GitHub
URL: https://github.com/cerbos/python-cognito-cerbos
Owner: cerbos
Created: 2022-04-28T10:32:04.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2024-07-08T04:38:50.000Z (6 months ago)
Last Synced: 2024-07-08T05:47:24.633Z (6 months ago)
Language: Python
Size: 493 KB
Stars: 4
Watchers: 5
Forks: 2
Open Issues: 2
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

Python + AWS Cognito + Cerbos Demo

An example application of integrating [Cerbos](https://cerbos.dev) with a [FastAPI](https://fastapi.tiangolo.com/) server using [AWS Cognito](https://aws.amazon.com/cognito/) for authentication.

Sequence Diagram

![AWS_Cerbos_Demo](python-cognito-demo.png)

## Dependencies

- Python 3.10
- Docker for running the [Cerbos Policy Decision Point (PDP)](https://docs.cerbos.dev/cerbos/latest/installation/container.html)
- A configured AWS Cognito User Pool ([set-up guide](https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-cognito-user-pools.html))

## Getting Started

1. Start up the Cerbos PDP instance docker container. This will be called by the FastAPI app to check authorization.

```bash
cd cerbos
./start.sh
```

2. Install python dependencies

```bash
# from project root
./pw install
```

3. Set the appropriate environment variables

```bash
AWS_COGNITO_POOL_ID
AWS_COGNITO_CLIENT_ID
AWS_DEFAULT_REGION
AWS_COGNITO_POOL_NAME

# if you've configured your user pool with a client secret
AWS_COGNITO_CLIENT_SECRET

# optionally, to enable the hosted UI:
AWS_COGNITO_HOSTED_UI_CALLBACK_URL # this needs to match the callback URL configured for the hosted UI
AWS_COGNITO_HOSTED_UI_LOGOUT_URL
```

4. Start the FastAPI dev server

```bash
./pw demo
```

## Cognito Configuration

### Groups

This demo maps Cognito User Pool groups to Cerbos roles. The app will retrieve the groups from the access token, and use them to determine authorization.

Any test users in your pool should be added to one or both of `admin` and/or `user` groups to demonstrate different access to the demo resources.

## Policies

This example has a simple CRUD policy in place for a resource kind of `contact` - like a CRM system would have. The policy file can be found in the `cerbos/policies` folder [here](https://github.com/cerbos/python-cognito-cerbos/blob/main/cerbos/policies/contact.yaml).

Should you wish to experiment with this policy, you can try it in the Cerbos Playground.

The policy expects one of two roles to be set on the principal - `admin` and `user`. These roles are authorized as follows:

| Action | User | Admin |
| ------ | -------- | ----- |
| list | Y | Y |
| read | Y | Y |
| create | Y | Y |
| update | If owner | Y |
| delete | If owner | Y |