Blog

Viewing posts from July, 2017

AWS Cognito setup to work with AWS s3 identity based uploads

1. In the AWS S3 console:
    Set the CORS configuration of your bucket as below.
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
    Note: AllowedOrigin "*" is convenient while testing; for production replace it with your application's origin (for example https://app.example.com) and drop the methods the client never uses. CORS only decides what a browser may call; who may actually read or write an object is still decided by the IAM policy in step 3.
2. In the Cognito console, create a User Pool:
Manage User Pools > Custom settings > name the pool "TestPool" > under "Allow users to sign themselves up?" choose "Only allow administrators to create users" > no verification (neither email nor phone) > App clients > Add an app client > name it "TestPoolApp" > check "Generate client secret" > note down the pool id and ARN, the app client id and the app client secret.
Note: only generate a client secret if this app client will be used from your server. A browser or mobile app cannot keep the secret confidential, and the Cognito JavaScript SDK does not support app clients that have one.
3. In the Cognito console, create the Federated Identities pool:
Click "Federated Identities" > enter an identity pool name > under "Authentication providers", "Cognito" tab > fill in the user pool id and app client id from the previous step > "Custom" tab > set the developer provider name (your backend uses this name to issue tokens for users it has authenticated itself) > Create > edit the `Auth_Role` it created > set the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<yourbucketname>/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}
Note: the `${cognito-identity.amazonaws.com:sub}` policy variable expands to the caller's identity id, so each user can read and write only objects under the prefix named after its own identity id; a PutObject anywhere else in the bucket is denied. If the client also needs to list its own objects, add `s3:ListBucket` on the bucket ARN with a `StringLike` condition on `s3:prefix` of `${cognito-identity.amazonaws.com:sub}/*`.

4. Note down the ARN of the `Auth_Role` above and the identity pool id.

Now you can build an API that authenticates the user against your own backend, returns its identity id and an OpenID token, and lets the client SDK exchange that token for temporary credentials and upload to S3 directly.
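Here is that flow written out with the AWS CLI, as an added example (it is not code from the original post). IDENTITY_POOL_ID, DEVELOPER_PROVIDER_NAME and BUCKET are placeholders for the values noted down above, and the user "alice" and ./avatar.png are made-up inputs. The server half runs with your backend's own AWS credentials and never sees the client's; the client half needs no AWS keys of its own.

```shell
#!/bin/sh
# Added example (not code from the original post): the developer-authenticated
# identity flow enabled by the "Custom" provider tab above, driven with the AWS CLI.
# Placeholders you supply: IDENTITY_POOL_ID, DEVELOPER_PROVIDER_NAME, BUCKET.
# "alice" and ./avatar.png below are constructed demo inputs.
set -eu

# --- Helpers mirroring the Auth_Role policy (pure shell, no AWS calls) --------

# The role only allows s3:GetObject/PutObject on <bucket>/<identity-id>/*,
# so every key must be the caller's identity id, a slash, then the object name.
object_key_for() {            # usage: object_key_for IDENTITY_ID LOCAL_FILE
    printf '%s/%s\n' "$1" "$(basename -- "$2")"
}

# Returns 0 if KEY is inside IDENTITY_ID's prefix, 1 otherwise. IAM enforces
# this anyway; the preflight just turns a late S3 AccessDenied into a clear error.
key_allowed_for() {           # usage: key_allowed_for IDENTITY_ID KEY
    case "$2" in
        "$1"/?*) return 0 ;;
        *)       return 1 ;;
    esac
}

# --- Server side: the API endpoint that hands the client an identity + token --
# Runs with the backend's own AWS credentials. APP_USER_ID is whatever your own
# login produced (session cookie, etc.); Cognito maps it to a stable identity id.
issue_identity_token() {      # usage: issue_identity_token APP_USER_ID
    aws cognito-identity get-open-id-token-for-developer-identity \
        --identity-pool-id "$IDENTITY_POOL_ID" \
        --logins "$DEVELOPER_PROVIDER_NAME=$1" \
        --token-duration 900 \
        --query '[IdentityId,Token]' --output text      # prints "<id><TAB><token>"
}

# --- Client side: swap the token for temporary credentials and upload ---------
# GetCredentialsForIdentity is an unsigned call, so the client needs no AWS
# keys of its own; the returned credentials carry the Auth_Role policy.
upload_as_identity() {        # usage: upload_as_identity IDENTITY_ID TOKEN LOCAL_FILE [KEY]
    key=${4:-$(object_key_for "$1" "$3")}
    key_allowed_for "$1" "$key" || { echo "refusing key outside own prefix: $key" >&2; return 1; }
    creds=$(aws cognito-identity get-credentials-for-identity \
        --identity-id "$1" \
        --logins "cognito-identity.amazonaws.com=$2" \
        --query 'Credentials.[AccessKeyId,SecretKey,SessionToken]' --output text)
    AWS_ACCESS_KEY_ID=$(echo "$creds" | cut -f1) \
    AWS_SECRET_ACCESS_KEY=$(echo "$creds" | cut -f2) \
    AWS_SESSION_TOKEN=$(echo "$creds" | cut -f3) \
        aws s3 cp "$3" "s3://$BUCKET/$key"
}

# --- End-to-end demo; only runs once the placeholders are exported ------------
if [ -n "${IDENTITY_POOL_ID:-}" ]; then
    ids=$(issue_identity_token alice)                         # server side
    identity_id=$(echo "$ids" | cut -f1); token=$(echo "$ids" | cut -f2)
    upload_as_identity "$identity_id" "$token" ./avatar.png   # lands at <identity_id>/avatar.png
    # The same credentials used against another identity's prefix get AccessDenied
    # from S3, because the policy resource is scoped to ${cognito-identity.amazonaws.com:sub}/*.
fi
```

The preflight in key_allowed_for is a courtesy; the real guarantee is the policy variable in Auth_Role. Keep --token-duration short and let the client ask for a fresh token when its credentials expire, rather than handing out long-lived ones.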

AWS CodeDeploy and CodePipeline with GitHub integration guide

1. On your EC2 instance (Ubuntu 16.04), install and start the CodeDeploy agent:
sudo apt-get update
sudo apt-get install python-pip ruby wget
cd /home/ubuntu
wget https://aws-codedeploy-<<bucket-region>>.s3.amazonaws.com/latest/install
chmod +x ./install
sudo ./install auto
sudo service codedeploy-agent start
sudo systemctl enable codedeploy-agent
2. Tag your EC2 instance (CodeDeploy selects target instances by tag):
Select Instance > Tags tab > add a key/value tag
3. IAM role (service role for CodeDeploy)
- Create role > From AWS Service Role > select "AWS CodeDeploy" > name it "codedeploy_service_role"
- Open "codedeploy_service_role" again > Attach policies > "AWSCodePipelineFullAccess"
Note: the managed policy attached when the role is created is what CodeDeploy itself needs. AWSCodePipelineFullAccess on this role is broader than necessary, since the pipeline gets its own service role in step 9; leave it off unless something actually fails without it.
4. IAM policy (for the instance)
- Create Policy > "Create Your Own Policy" > name it "CodeDeployEC2" >
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
- Save it.
Note: the agent only needs to read deployment bundles, so scope "Resource" down to your pipeline's artifact bucket (and the aws-codedeploy-<region> bucket for agent updates) instead of "*", which lets the instance read every bucket in the account.
5. IAM role (for EC2)
- Create Role > From AWS Service Role > select "Amazon EC2" > search for the policy created above and select it > name it "EC2CodeDeployRole"
6. EC2
- Select Instance > Actions > Instance Settings > Attach/Replace IAM Role > select "EC2CodeDeployRole". If the agent was already running when you attached the role, restart it (sudo service codedeploy-agent restart) so it picks up the instance credentials.
7. appspec.yml file in your repo root

- This file tells CodeDeploy where to copy the revision on the instance and which lifecycle hook scripts to run before it is installed (BeforeInstall) and after (AfterInstall for dependencies and database migrations, ApplicationStart to restart the server). Create those scripts in the repo alongside it and push them to your deploy branch. Because CodePipeline delivers the GitHub revision to the instance as the deployment bundle, the hooks do not need to git clone or pull anything themselves.


8. CodeDeploy console
- Select "Custom deployment" > provide an application name and a deployment group name > select "In-place deployment" > select the EC2 tag you created earlier > select the "OneAtATime" deployment configuration > choose "codedeploy_service_role" as the service role > Create.
9. CodePipeline console
- Name the pipeline > Source location: GitHub > connect it (this needs organization permission, and you must be an owner of the repository) > select the repo and the deploy branch > Build provider: "No build" > Deployment provider: "AWS CodeDeploy" > select the application and deployment group created in the previous step > AWS service role: "Create new role" > Create pipeline.
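An appspec.yml for step 7, added here as a worked example; it is not from the original post. The install path /var/www/myapp, the ubuntu user and the scripts/ file names are assumptions, and the hook scripts themselves are yours to write. Each hook runs as the user in runas, so only the steps that genuinely need root (restarting a system service, writing outside the app directory) should get it; installing dependencies and running migrations run as the application user here.

```yaml
version: 0.0
os: linux
files:
  - source: /                      # the whole GitHub revision CodePipeline handed over
    destination: /var/www/myapp    # assumed install path
permissions:
  - object: /var/www/myapp
    owner: ubuntu                  # assumed application user
    group: ubuntu
    mode: 750
hooks:
  BeforeInstall:                   # runs before files are copied: stop the old server, clean up
    - location: scripts/before_install.sh
      timeout: 300
      runas: root
  AfterInstall:                    # install dependencies, run db migrations
    - location: scripts/after_install.sh
      timeout: 600
      runas: ubuntu
  ApplicationStart:                # restart the server
    - location: scripts/start_server.sh
      timeout: 120
      runas: root
  ValidateService:                 # curl the app; a non-zero exit fails the deployment
    - location: scripts/validate_service.sh
      timeout: 60
      runas: ubuntu
```

Two things bite on the first run: CodeDeploy refuses to overwrite files in the destination that it did not place there itself, so if /var/www/myapp already holds a manual checkout, remove it in before_install.sh; and a ValidateService script that exits non-zero is what turns a broken release into a failed deployment instead of a silently half-working server.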


Hope this step-by-step guide helps!

Custom PostgreSQL version (9.6) pg_dump and restore from and to a remote host

Backup PostgreSQL Remote DB:

SSL / TLS setup of a RapidSSL certificate with Nginx on an Ubuntu server

Here is a guide to setting up SSL / TLS for Nginx on an Ubuntu instance:

- Generate the private key
    openssl genrsa -out /home/ubuntu/something_com_pvt.key 2048

- Generate a CSR from the private key
    openssl req -new -key /home/ubuntu/something_com_pvt.key -out /home/ubuntu/something_com.csr

- Submit the CSR to your SSL provider, RapidSSL in our case.
- Download the certificates in X.509 (PEM) format.
- Combine them into one file, server certificate first and then the intermediate(s), name it "ssl_final.cer" and put it in /home/ubuntu/. The order matters: nginx sends the file as-is, and clients expect the leaf certificate first.

- Execute following :
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

- Put these in the nginx server block that has listen 443 ssl:
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

- In /etc/nginx/snippets

    self-signed.conf content (the snippet keeps that name; it holds the CA-issued certificate)

    ssl_certificate /home/ubuntu/ssl_final.cer;
    ssl_certificate_key /home/ubuntu/something_com_pvt.key;

    Keep the key readable by root only (sudo chown root:root, chmod 600): nginx's master process runs as root and reads it at startup, so nothing else needs access. /etc/ssl/private is the conventional place for it rather than a home directory.

    ssl-params.conf content

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    # Drop TLSv1.3 on builds older than nginx 1.13 / OpenSSL 1.1.1, or nginx -t rejects the line.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # https://cipherli.st/
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve prime256v1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Keep "preload" only if you intend to submit the domain to the HSTS preload list; it is hard to undo.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # add_header is not inherited into a location block that sets its own add_header; repeat these there.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;


Check the configuration with sudo nginx -t, then reload with sudo systemctl reload nginx. That's it!
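Before the reload it is worth checking that the key really pairs with the certificate, that ssl_final.cer starts with the leaf, and that the key file is not world-readable; afterwards, that the server actually refuses TLS 1.0 and 1.1. The script below does those checks and is an added example, not part of the original post. The file names follow the post; the self-signed key and certificates it generates in make_demo_material are constructed stand-ins for the RapidSSL files so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before reloading
# nginx with the new certificate. Paths follow the post; the key and certs built
# by make_demo_material are constructed stand-ins for the RapidSSL files.
set -eu

# 1. The private key must belong to the certificate: compare modulus hashes.
key_matches_cert() {          # usage: key_matches_cert KEY CERT
    k=$(openssl rsa  -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# 2. ssl_final.cer must start with the server certificate, then the
#    intermediate(s): nginx sends the file in order and clients expect the
#    leaf first. "openssl x509" reads only the first PEM block of a file.
chain_starts_with_leaf() {    # usage: chain_starts_with_leaf CHAIN LEAF_CERT
    first=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    leaf=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ "$first" = "$leaf" ]
}

# 3. The key must be readable only by its owner (root, since nginx's master
#    process loads it); anything wider hands it to every local user.
key_perms_ok() {              # usage: key_perms_ok KEY
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# 4. After the reload: the server must refuse TLS 1.0/1.1 and accept TLS 1.2.
#    (Needs network, so the demo below does not call it.) A local openssl built
#    without TLS 1.0 also fails the handshake, which counts as "refused" here.
server_rejects_old_tls() {    # usage: server_rejects_old_tls HOSTNAME
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$1:443" -servername "$1" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$1 still accepts $v" >&2; return 1
        fi
    done
    openssl s_client -connect "$1:443" -servername "$1" -tls1_2 </dev/null >/dev/null 2>&1
}

# Constructed demo material: a throwaway leaf cert/key and a second
# self-signed cert standing in for the intermediate.
make_demo_material() {        # prints the directory it created
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=something.com' \
        -keyout "$d/something_com_pvt.key" -out "$d/something_com.cer" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Stand-in Intermediate CA' \
        -keyout "$d/intermediate.key" -out "$d/intermediate.cer" 2>/dev/null
    chmod 600 "$d/something_com_pvt.key"
    cat "$d/something_com.cer" "$d/intermediate.cer" > "$d/ssl_final.cer"       # leaf first: correct
    cat "$d/intermediate.cer" "$d/something_com.cer" > "$d/ssl_wrong_order.cer" # intermediate first: wrong
    printf '%s\n' "$d"
}

demo=$(make_demo_material)
trap 'rm -rf "$demo"' EXIT
key_matches_cert       "$demo/something_com_pvt.key" "$demo/something_com.cer" && echo "key matches cert"
chain_starts_with_leaf "$demo/ssl_final.cer"         "$demo/something_com.cer" && echo "chain order ok"
key_perms_ok           "$demo/something_com_pvt.key" && echo "key permissions ok"
```

Point the three file checks at /home/ubuntu/something_com_pvt.key, /home/ubuntu/ssl_final.cer and the bare server certificate from RapidSSL, then run server_rejects_old_tls against your hostname once nginx has reloaded.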