Example code to get google login button working with AWS IAM policies and an AWS API Gateway authorised endpoint working

devfubar/aws-google-signin

aws-google-signin

What's the point of this?

The purpose of this repo is to have a minimal example of how to get users calling authorised AWS API Gateway endpoints by signing in to their Google account.

Set up

Google

First we need to create/get a Google client ID. Please follow the Google docs on how to do this.

AWS IAM

We need to create an AWS IAM role so that we can generate a temporary AWS secret key, key ID and session token.

  1. Log into AWS console
  2. Go to the Roles section of the console and then choose Create New Role.
  3. Type a name for the new role that helps you keep track of its use, such as facebookIdentity, and then choose Next Step.
  4. In Select Role Type, choose Role for Identity Provider Access.
  5. For Grant access to web identity providers, choose Select.
  6. From the Identity Provider list, choose 'Google'.
  7. Enter the Google client ID into Audience (the one we created in the section titled 'Google' above).
  8. Configure permissions for the resources you want to expose, allowing access to specific operations on specific resources. For more information about IAM permissions, see Overview of AWS IAM Permissions in the IAM User Guide. Review and, if needed, customize the role's trust relationship, and then choose Next Step.
  9. Attach additional policies you need and then choose Next Step. For more information about IAM policies, see Overview of IAM Policies in the IAM User Guide.
  10. Review the new role and then choose Create Role.

Below is a sample of what the role's IAM trust policy should look like. The `Condition` on `accounts.google.com:aud` restricts the role to ID tokens issued for your own client ID; without it, a token issued to any Google client would be accepted.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "<your google client id here>.apps.googleusercontent.com"
        }
      }
    }
  ]
}
```

Below is an example IAM policy the role needs to execute 'GET' requests on API Gateway. Note that `"Resource": "*"` lets the role invoke every API in the account; for anything beyond a demo, scope it to the ARN of the specific API, stage and route (`arn:aws:execute-api:<region>:<account-id>:<api-id>/<stage>/GET/<path>`).

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:GET",
                "execute-api:Invoke"
            ],
            "Resource": "*"
        }
    ]
}
```

Update the HTML file

  1. Look for the meta tag with the name "google-signin-client_id". Change the content value from an empty string to your Google client ID.
  2. In the JavaScript section change the variable "roleArn" to the ARN of the role you created in the AWS IAM section above.
  3. Set the correct AWS region for the variable "AWS.config.region".
  4. Change "testFunction" to a real value to call one of your endpoints that require authentication.
