Develop faster and smarter using cloud native SDKs, services and orchestration tools. Embrace agile and automation techniques to improve quality, reduce risk, and accelerate innovation.
1. v
Building Mobile and Web Apps using the AWS Mobile and Javascript SDKs
Parijat Mishra | Solutions Architect | Amazon Web Services
parijat@amazon.com
2. v
In this session, we’ll be creating Android apps to demonstrate various features of AWS
4. v
What AWS can do around your mobile application (feature: what it means for your app)
Authenticate users: Manage users and identity providers
Authorize access: Securely access cloud resources
Synchronize data: Sync user prefs across devices
Analyze User Behavior: Track active users, engagement
Track Retention: Manage funnels, campaign performances
Store and share media: Store user-generated photos and media and share them
Deliver media: Automatically detect mobile devices; deliver content quickly globally
Send push notifications: Bring users back to your app by sending messages reliably
Store shared data: Store and query fast NoSQL data across users and devices
Stream real-time data: Collect real-time clickstream logs and take actions quickly
5. v
Introducing AWS Mobile Services
Your Mobile App, Game or Device App
AWS Mobile SDK (Integrated SDK), API Endpoints, Management Console
Mobile Optimized Services: Amazon Cognito, Amazon Mobile Analytics, Amazon SNS Mobile Push
Mobile Optimized Connectors: Kinesis Connector, DynamoDB Connector, S3 Connector, SQS Connector, SES Connector
Core Building Block Services: Compute, Storage, Networking, Analytics, Databases
AWS Global Infrastructure (11 Regions, 28 Availability Zones, 52 Edge Locations)
6. v
AWS Mobile SDK
• Fully integrated AWS mobile SDK
• Cross-platform, optimized for mobile
• Automatically handles intermittent and latent network
• Reduced memory footprint
• Common authentication method across all services
8. v
Your mobile application with the AWS Mobile SDK (feature: AWS service that provides it)
Authenticate users: Amazon Cognito (Identity broker)
Authorize access: AWS Identity and Access Management
Synchronize data: Amazon Cognito (Sync)
Analyze User Behavior: Amazon Mobile Analytics
Track Retention: Amazon Mobile Analytics
Store and share media: Amazon S3 Transfer Manager
Deliver media: Amazon CloudFront (Device Detection)
Send push notifications: Amazon SNS Mobile Push
Store shared data: Amazon DynamoDB (Object Mapper)
Stream real-time data: Amazon Kinesis (Recorder)
10. v
Our Media App’s wish-list of features
☐ Upload & Download media files to/from S3 buckets
☐ Grant anonymous but secure access to AWS resources in our account
☐ Grant authenticated access for users that log in via Public Identity Providers
☐ Send push notifications to mobile devices
☐ Store the media library inventory in the cloud so it can be queried by many users
☐ Provide partitioned access to the media library based on Public and Private views
☐ Synchronise user data across devices
☐ Make all this available across devices (iOS, Android, Kindle) and web
11. v
First App: Basic Download/Upload App
• Goals:
  • User is anonymous – we don’t care who they are, treat them as ‘Public’ or ‘Guest’
  • Directly access AWS Simple Storage Service (S3) from the mobile application
  • We do not want to upload to a server and then have the server push the file to S3…
• Requirements:
  • We need to authenticate the application on the mobile device
  • We do not want to bake the AWS credentials in our mobile app!
  • Even though users are anonymous, we still want to control access to AWS
12. v
First App: Basic Download/Upload App
Components: Mobile App, Cognito Identity, S3 Bucket with test media
13. v
Amazon Cognito
Granting ‘guest’ access to our ‘Public’ users for controlled access to AWS resources
14. v
Cognito Identity Example
Cognito Identity for Guests: Cognito assigns a unique identifier for each device when a user is not logged on
Cognito Identity for Authenticated Users: Cognito assigns a unique identifier for each user when they are authenticated. This will be the same identifier for this user regardless of which device they use
17. v
Create a new Cognito Identity Pool
Supplying public identity providers is optional. For this demo, we will not be supporting public identity providers, so we leave them empty
18. v
Create a new Cognito Identity Pool
Enable guest access: for this demo, we will allow ‘anonymous access’ so that unauthenticated users can upload and download from our S3 bucket
19. v
Create a new Cognito Identity Pool
Create IAM Roles: create IAM roles for this Cognito Identity Pool. We will assign tight security controls to these roles later
20. v
Create a new Cognito Identity Pool
And assign a role for unauthenticated access
21. v
Create a new Cognito Identity Pool
Starter code samples: Cognito conveniently provides starter code for you for Android, iOS and .Net! This is an example of how you can easily connect your app to Cognito
23. v
Setup the required permissions in IAM
Note the default policy
24. v
Setup the required permissions in IAM
Default policy created by Cognito: by default, access to Cognito Sync and Mobile Analytics is permitted. This policy has been generated by the Cognito Create Identity Pool wizard
25. v
Media in our S3 bucket
S3 Bucket contents: test file that we will be downloading via the TransferManager S3 connector
26. v
Media in our S3 bucket
S3 Bucket ACLs: note that the ACLs on the bucket do not permit ‘Public’ so the asset is not world-accessible
27. v
Let’s give the anonymous ‘guest’ access to our S3 bucket for read and write
28. v
Setup the required permissions in IAM
Use the Policy Generator: we’ll create our specific S3-related policy using the Policy Generator
29. v
Setup the required permissions in IAM
Specify our bucket: our policy will specify access for our specific bucket. We’ll allow GetObject and PutObject
30. v
Setup the required permissions in IAM
Resulting Policy Document: here’s what the resulting policy looks like for allowing READ access to any object in the specific bucket, and the ability to WRITE any object
32. v
Instantiate Cognito Credentials Provider
Give Cognito your details
• Account Id
• Identity Pool ARN
• Unauthenticated access Role ARN
• Authenticated access Role ARN
• The Region you are running Cognito in
33. v
Implementation Note!
This ‘Cognito’ class is just my convenience wrapper! I have chosen to implement this as a Singleton at App-scope. Your implementation may be different. The only important thing is that you instantiate a CognitoCachingCredentialsProvider
34. v
Amazon S3 Connector: Transfer Manager
S3 Connector
• Multipart upload media (photos, videos, audio)
• Fault tolerant download (e.g. assets)
• No backend required
• Automatic retries
• Pause, resume, cancel functions
• Optimized for native OS
35. v
Pass Cognito Credentials to the AWS S3 Transfer Manager constructor
Pass the Cognito Provider to the TransferManager S3 connector to construct based on the Cognito-acquired AWS credentials
36. v
Set up the download request and go!
Initiate the download
37. v
Demo App
First, the Application instantiates a CognitoCachingCredentialsProvider(). Then it initiates a download, followed by an upload
38. v
Our Media App’s wish-list of features
☐ Upload & Download media files to/from S3 buckets
☐ Grant anonymous but secure access to AWS resources in our account
☐ Grant authenticated access for users that log in via Public Identity Providers
☐ Send push notifications to mobile devices
☐ Store the media library inventory in the cloud so it can be queried by many users
☐ Provide partitioned access to the media library based on Public and Private views
☐ Synchronise user data across devices
☐ Make all this available across devices (iOS, Android, Kindle) and web
☐ Convert uploaded video files to various mobile/web formats
40. v
Implement Public & Private views
• Goals:
  • User can be anonymous or they can choose to sign-in via Facebook
  • If they are anonymous, we let them see a ‘Public’ view of the media library
  • If they choose to sign-in, we let them see their own ‘Private’ view of the library
• Requirements:
  • We will use Cognito to help with the Public and Private authentication
  • Again, no AWS credentials in our mobile app!
  • We want to enforce Fine-Grained Access Control on the database views
41. v
Amazon Cognito Security Architecture
Developer: uses the AWS Management Console to set up the identity pool; the app is configured with the Pool ID and Role ARNs
End Users: log in via OAUTH/OpenID from the App w/SDK and receive an Access Token from the identity provider
App w/SDK to Cognito Identity Broker: presents the Access Token, receives a Cognito ID and Temp Credentials (User ID)
App w/SDK to AWS Services: uses the Temp Credentials for access to DynamoDB, S3, Mobile Analytics and the Cognito Sync Store
42. v
Raw DynamoDB records example
Hash Key: each OwnerId identifies a user by their Cognito identity, or ‘public’ if they didn’t log on to Facebook
Range Key: each OwnerId has multiple Filenames
43. v
Raw DynamoDB records example
Inventory is partitioned based on the OwnerId (assigned by Cognito automatically)
‘public’ is accessible to the ‘guest’ Cognito Identity
Anything else must match the identity of the user accessing the application
44. v
Use the DynamoDB Mapper
Use the DynamoDB Mapper annotations to decorate your value object. Specify the HashKey, RangeKey and the individual Attributes in your value object that should map to columns in the DynamoDB table
45. v
For this demo, we’ll use Facebook as our Public Identity Provider
46. v
Implement Public & Private views
Mobile App to Cognito Identity Broker: Login OAUTH/OpenID, Access Token; receives Cognito ID, Temp Credentials
Mobile App to DynamoDB: Query for results filtered by OwnerId
47. v
Using Facebook in your App
• Great how-to: https://developers.facebook.com/docs/android/getting-started
56. v
Secure access to DynamoDB
Simply instantiate the AmazonDynamoDBClient and specify your Cognito provider as the credential provider in the constructor
57. v
Querying the DynamoDB table from code
Querying the DynamoDB table is simple! The DynamoDB Mapper will map the columns in the table to the fields in your value object and return a typed list of records ready to iterate
58. v
Demo App
Guest access
• Connects to Cognito as anonymous user
• Gets AWS token and uses that to instantiate
a DynamoDB client
• Queries DynamoDB using the key ‘public’
Authenticated access
• Gets token from Facebook
• Passes token to Cognito
• Impersonates authenticated user
• Queries DynamoDB using the key that matches
the Cognito Identity of this user
60. v
FGAC on DynamoDB using IAM
Fine-Grained Access Control (FGAC)
• Restrict which Actions can be called by the user
• Restrict which DynamoDB Tables can be accessed by the user
• Restrict which rows in the table are accessible by the user
• Control which fields are accessible in the query results
61. v
FGAC on DynamoDB using IAM
The “Unauthenticated” Role Policy: control the actions the user can invoke
62. v
FGAC on DynamoDB using IAM
The “Unauthenticated” Role Policy: control the DynamoDB Table the user can access
63. v
FGAC on DynamoDB using IAM
The “Unauthenticated” Role Policy: restrict the Rows in the DynamoDB table the user can access
64. v
FGAC on DynamoDB using IAM
The “Authenticated” Role Policy: use the Cognito Id for this user to restrict the rows that will be accessible to the user
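Added example, not code from the deck: a miniature evaluator that models the S3 statement from slide 30 and the DynamoDB FGAC role policies from slides 61-64, so you can see how the LeadingKeys condition partitions the inventory table between the ‘guest’ identity and an authenticated user. ARNs, identity ids and the policy documents are constructed from the slides’ description; it models only Action, Resource globs and the dynamodb:LeadingKeys condition, not the full IAM evaluation.

```javascript
// Added example (not from the deck). Models Action, Resource ('*' globs) and the
// dynamodb:LeadingKeys condition with ${cognito-identity.amazonaws.com:sub} substitution.
// ARNs and identity ids are constructed placeholders.
const TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/MediaInventory"; // placeholder
const BUCKET_ARN = "arn:aws:s3:::example-media-bucket";                            // placeholder

// Slide 30: read and write any object in the one bucket (both roles get this statement).
const s3Statement = {
  Effect: "Allow",
  Action: ["s3:GetObject", "s3:PutObject"],
  Resource: `${BUCKET_ARN}/*`,
};
// Slides 61-63: the unauthenticated role may only Query the inventory table, and only
// items whose hash key (OwnerId) is the literal 'public'.
const unauthPolicy = { Statement: [s3Statement, {
  Effect: "Allow",
  Action: ["dynamodb:Query"],
  Resource: TABLE_ARN,
  Condition: { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["public"] } },
}] };
// Slide 64: the authenticated role is restricted to items whose OwnerId equals the
// caller's own Cognito identity, which IAM substitutes at evaluation time.
const authPolicy = { Statement: [s3Statement, {
  Effect: "Allow",
  Action: ["dynamodb:Query"],
  Resource: TABLE_ARN,
  Condition: { "ForAllValues:StringEquals": {
    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } },
}] };

// IAM-style glob match for Action and Resource: '*' matches any run of characters.
function globMatch(pattern, value) {
  const parts = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(value);
}

// request: { action, resource, leadingKeys?: string[] }   caller: { cognitoSub }
function isAllowed(policy, request, caller) {
  const vars = { "${cognito-identity.amazonaws.com:sub}": caller.cognitoSub };
  return policy.Statement.some(st => {
    if (st.Effect !== "Allow") return false;
    if (![].concat(st.Action).some(a => globMatch(a, request.action))) return false;
    if (![].concat(st.Resource).some(r => globMatch(r, request.resource))) return false;
    const cond = st.Condition && st.Condition["ForAllValues:StringEquals"];
    if (!cond) return true;
    const allowed = cond["dynamodb:LeadingKeys"].map(k => (k in vars ? vars[k] : k));
    // ForAllValues: every hash key the request touches must be in the allowed set. An
    // empty key set matches trivially, which is why the Action list must exclude Scan.
    return (request.leadingKeys || []).every(k => allowed.includes(k));
  });
}

// Constructed scenarios: a guest and a Facebook-authenticated user query the inventory.
function demo() {
  const guest = { cognitoSub: "us-east-1:guest-0000" }, alice = { cognitoSub: "us-east-1:aaaa-1111" };
  const query = owner => ({ action: "dynamodb:Query", resource: TABLE_ARN, leadingKeys: [owner] });
  return {
    guestPublic:  isAllowed(unauthPolicy, query("public"), guest),                 // true
    guestPrivate: isAllowed(unauthPolicy, query("us-east-1:aaaa-1111"), guest),    // false
    alicePrivate: isAllowed(authPolicy, query("us-east-1:aaaa-1111"), alice),      // true
    aliceOther:   isAllowed(authPolicy, query("us-east-1:bbbb-2222"), alice),      // false
    guestScan:    isAllowed(unauthPolicy, { action: "dynamodb:Scan", resource: TABLE_ARN }, guest), // false
    guestGet:     isAllowed(unauthPolicy, { action: "s3:GetObject", resource: `${BUCKET_ARN}/test.mp4` }, guest), // true
  };
}
```

The guestScan case is the check worth keeping in mind: a Scan carries no LeadingKeys, so the row condition alone would not stop it, and the role's Action list has to do that work.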
67. v
SNS application targets
Each platform works differently, and push gets even more complex as you scale to support millions of devices.
Cloud App, Platform Services, Mobile Apps
68. v
Amazon SNS Cross-platform Mobile Push
With Amazon SNS, developers can send push notifications on multiple platforms and reach mobile users around the world
SNS application targets (platform service: devices reached):
Apple APNS: Apple iPhones and iPads
Google GCM: Android Phones and Tablets
Amazon ADM: Kindle Fire Devices
Windows WNS and MPNS: Windows Desktop and Phones
Baidu CP: Android Phones and Tablets in China
Publisher: Your application back-end
69. v
Next App: SNS Push Notification App
• Goals:
  • Application automatically registers with Google Cloud Messaging (GCM)
  • The device registration Id is then sent to SNS to register as a device endpoint
  • The application then subscribes that device endpoint to a well-known SNS topic. This topic is shared by all other devices using the application
  • The application then confirms SNS Push Notifications are working by sending a message to itself via SNS. The user sees a pop-up message.
  • Later, whenever a message is sent to the shared SNS Topic, all devices subscribed receive a pop-up notification
70. v
Next App: SNS Push Notification App
Mobile App to Cognito: obtain credentials
Mobile App to SNS Application (ENDPOINT APP): Create Platform Endpoint
Mobile App to SNS Topic (TOPIC): Subscribe to topic
Mobile App to SNS: Publish test message to our Endpoint
GCM to Mobile App: Push notification from GCM
74. v
On the SNS Dashboard, create a new Topic
Note the Topic’s ARN: we will need this in our code to subscribe the device to the topic so we can receive notifications
75. v
Create a Google API Project and obtain the Google Project ID
84. v
Instantiate SNS using Credentials from Cognito
Again, this ‘Cognito’ class is just my convenience wrapper implemented as a Singleton
85. v
Get the device registration ID from GCM
We’re requesting the device identifier/token for this unique device, against the Google Project Id we created earlier
86. v
And register this device with the SNS App
The ‘deviceIdentifier’ is the device token returned from GCM for this unique device
87. v
Finally, subscribe the endpoint to the Topic
The endpoint is the ARN you got back from the previous call to getEndpointArn()
88. v
Demo App
At startup, we register this device with the SNS Application. Then we subscribe this device Endpoint to the global SNS Topic. We then send a test message from the device to ourselves to confirm the round trip is working. If we subsequently publish to the global SNS Topic, all devices subscribed will be notified
90. v
But wait!
How did we initiate the sending of the Push Notification to the global SNS Topic?
91. v
Demo web page to send Push Notifications
Plain old Javascript and HTML! The website is a standard HTML site with Javascript. It is being served from S3, so no back-end servers. The magic comes from the AWS Javascript SDK
92. v
Demo web page to send Push Notifications
Topic ARN: this is the topic we subscribed our application to when it started up
Cognito Role: this is the IAM role we want to use – we’re using the unauthenticated ‘guest’ role in this demo
Cognito Identity Pool ID: this is the specific Cognito pool we want to use for authentication
97. v
Next App: Shared application data
• Goals:
  • User is authenticated with Facebook
  • Each time they modify gadgets in the app, the state of the gadgets is synchronized with all other devices using the application (for that user account)
  • Verify these shared data changes in a companion web page, where the user is also authenticated with Facebook, and is the same user principal
99. v
Add a Web application to FB
S3 bucket name: we’re using S3 to serve the web site in this example, but you can use CloudFront, or EC2, or use a CNAME
100. v
Javascript code to read Cognito Sync Data
Instantiate the CognitoSync object: it will inherit the Cognito credentials from those we obtained earlier from our call to CognitoIdentityCredentials()
101. v
Javascript code to read Cognito Sync Data
Specify our parameters: we need to specify the DatasetName that we want to connect to, and the Cognito Identity information as shown
102. v
Javascript code to read Cognito Sync Data
Call CognitoSync::listRecords() …and provide our params and a callback
103. v
Javascript code to read Cognito Sync Data
OnSuccess() …iterate the results and do something interesting with the data records
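Added example, not code from the deck: what the OnSuccess() step on slides 100-103 has to do with the listRecords() results before the web page can show the gadget state. The two result pages are constructed to look like listRecords responses (no SDK call is made, and the dataset name is a placeholder); it assumes a record whose Value is absent marks a deletion, which is how the SDK's Record.isDeleted() treats it, and that a NextToken means another page must be fetched.

```javascript
// Added example (not from the deck). Folds listRecords() pages into the gadget state and
// keeps the sync count needed for the next incremental fetch. Sample pages are constructed.
// Page 1 of 2 for DatasetName "gadgets" (placeholder name).
const PAGE_1 = {
  Records: [
    { Key: "gadget1", Value: '{"color":"red","on":true}',   SyncCount: 3, LastModifiedBy: "us-east-1:aaaa-1111" },
    { Key: "gadget2", Value: '{"color":"blue","on":false}', SyncCount: 5, LastModifiedBy: "us-east-1:aaaa-1111" },
  ],
  NextToken: "page-2",
  DatasetSyncCount: 7,
};
// Page 2: gadget2 was deleted on another device (no Value), gadget3 was added.
const PAGE_2 = {
  Records: [
    { Key: "gadget2", SyncCount: 6, LastModifiedBy: "us-east-1:aaaa-1111" },
    { Key: "gadget3", Value: '{"color":"green","on":true}', SyncCount: 7, LastModifiedBy: "us-east-1:aaaa-1111" },
  ],
  DatasetSyncCount: 7,
};

// Applies one listRecords page to the accumulator { state, lastSyncCount, nextToken }.
// Assumption: a record with no Value is a deletion (Record.isDeleted() semantics).
function applyPage(acc, page) {
  const state = Object.assign({}, acc.state);
  let lastSyncCount = acc.lastSyncCount;
  for (const rec of page.Records || []) {
    lastSyncCount = Math.max(lastSyncCount, rec.SyncCount || 0);
    if (rec.Value === undefined || rec.Value === null) { delete state[rec.Key]; continue; }
    // Values are strings; the gadget app stores JSON, so parse it and fall back to the raw string.
    try { state[rec.Key] = JSON.parse(rec.Value); } catch (e) { state[rec.Key] = rec.Value; }
  }
  const datasetCount = Math.max(lastSyncCount, page.DatasetSyncCount || 0);
  return { state, lastSyncCount: datasetCount, nextToken: page.NextToken };
}

// Folds all pages in order, as the callback would after following NextToken until it is absent.
function mergePages(pages) {
  let acc = { state: {}, lastSyncCount: 0, nextToken: undefined };
  for (const page of pages) acc = applyPage(acc, page);
  return acc;
}

// Params for the next incremental listRecords call: LastSyncCount asks only for records
// changed since the count we have already applied (base carries DatasetName and identity ids).
function nextListRecordsParams(base, acc) {
  return Object.assign({}, base, { LastSyncCount: acc.lastSyncCount });
}
```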
104. v
Demo App Web Page: the web page has access to the shared data when authenticated as the Facebook User
Mobile application: …and the mobile application has access to the same shared data if the user is logged on to Facebook as the same user
106. v
We covered a lot of ground in this deep-dive session!
107. v
AWS Mobile Services
Amazon Cognito: User identity & data synchronization service
Amazon SNS Mobile Push: Powerful cross-platform push notification service
DynamoDB Connector: Store any NoSQL data and also map mobile OS specific objects to DynamoDB tables
S3 Connector: Easily upload, download to S3 and also pause, resume, and cancel these operations
SQS Connector: Access distributed buffering and queuing service
108. v
AWS Services & Features
Amazon S3: Online file storage web service
Amazon Elastic Transcode Service: Highly scalable media transcoding in the cloud
Amazon CloudFront: Content Delivery Network (CDN)
Amazon Elastic Beanstalk: Platform as a Service (PaaS)
Amazon Identity and Access Management: Securely control access to AWS services and resources for your users
110. v
Online Labs | Training: Gain confidence and hands-on experience with AWS. Watch free Instructional Videos and explore Self-Paced Labs
Instructor Led Classes: Learn how to design, deploy and operate highly available, cost-effective and secure applications on AWS in courses led by qualified AWS instructors
AWS Certification: Validate your technical expertise with AWS and use practice exams to help you prepare for AWS Certification
http://aws.amazon.com/training