Using Authorizer with DynamoDB and EKS

Hello people, on 3rd November 2022 I had amazing opportunity to speak at AWS community (Vadodara) event happening in my city. I presented on using Authorizer with DynamoDB and EKS.

Authorizer is database independent open source auth solution. It supports 12+ databases including all the major SQL, NoSQL and Graph databases.

So, as a part of demo I created a Task Manager (TODO) application, which will allow authenticated user to

  • Create Task
  • Watch their own tasks
  • Mark Task as done
  • Delete Task

The tech stack we will be using is:

Here is a small architecture diagram demonstrating how the overall application will look like

architecture-image

Code Repository

Github Repository: This repository contains code for TODO API, Frontend Application, EKS Cluster Creation, Ingress / Domain Setup

Let's Get Started

Prerequisite

  • aws account
  • iam user with permission for DynamoDB, EKS, EC2, IAM Policy Creation, Route53, EBS Controller
  • kubectl
  • awscli
  • eksctl
  • helm
  • Configure AWS profile on your machine with user credentials
  • Export your AWS credentials
    aws configure --profile PROFILE_NAME
    export AWS_PROFILE=PROFILE_NAME
    export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID
    export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY
    

Step 1: Clone the Repository

git clone https://github.com/lakhansamani/authorizer-aws-demo.git

cd authorizer-aws-demo

Step 2: Create EKS Cluster

Note: You can update machine configuration in eks.yaml file.

eksctl create cluster -f eks.yaml

Step 3: Install Nginx Ingress

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

helm repo update

helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
 --namespace ingress-nginx \
 --create-namespace \
 --timeout 600s \
 --debug \
 --set controller.publishService.enabled=true

Step 4: Install Cert Manager

Cert manager is used to generate TLS certificate

helm repo add jetstack https://charts.jetstack.io

helm repo update

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml

helm install \
 cert-manager jetstack/cert-manager \
 --namespace cert-manager \
 --create-namespace \
 --version v1.8.2

Step 5: Install Authorizer

Note: Please change authorizer.authorizer_url as per your domain and URL.

helm repo add authorizer https://helm-charts.authorizer.dev

helm repo update

helm install \
 --set authorizer.database_type=dynamodb \
 --set authorizer.aws_access_key_id=${AWS_ACCESS_KEY_ID} \
 --set authorizer.aws_secret_access_key=${AWS_SECRET_ACCESS_KEY} \
 --set authorizer.aws_region=us-east-1 \
 --set authorizer.authorizer_url=https://auth.aws-demo.authorizer.dev \
 --set redis.install=true \
 --set redis.storage=5Gi \
 --set redis.storageClassName=gp2 \
 --set securityContext.readOnlyRootFilesystem=false \
authorizer authorizer/authorizer

Step 6: Create Route53 Hosted Zone

  • Create Hosted Zone
  • Create Subdomain Record with classic load balancer and select loadbalancer created by nginx

Example: auth.aws-demo.authorizer.dev in below screenshot

route53

Step 7: Create Cluster Issuer with dns01 challenge

Note: Change email & hostzoneID as per step5 in cluster_issuer.yaml

Cert manager will add txt record and will verify the domain details using this issuer.

kubectl apply -f cluster_issuer.yaml

Step 8: Create Ingress for authorizer

Note: Change authorizer domain as per your auth domain in authorizer_ingress.yaml

kubectl apply -f authorizer_ingress.yaml

Open your authorizer dashboard, configure admin password and get client ID.

Step 9: Deploy API resources

Note: Change authorizer_client_id to based64 encoded value authorizer client_id value obtained in step 7 in api.yaml L:8. Also change domain name in ingress section.

kubectl apply -f api.yaml

Step 10: Deploy frontend

You can deploy frontend to provider of your choice OR on the same stack. For demo purpose I have deployed it on Netlify and connected subdomain there.

Thats all you need. Hope it makes your life easier to deploy authorizer + any other service on AWS

For more information check