
Deployment in AWS with Amazon Cognito

This document assumes the use of the following:

  • Cloud provider: Amazon Web Services (AWS)
  • Kubernetes service: Elastic Kubernetes Service (EKS)
  • Ingress Controller: AWS Load Balancer Controller
  • Identity Provider (IdP): Amazon Cognito
  • (Optional) ExternalDNS (to synchronize ingresses with the DNS service)

Configuring Patronus AI to use Amazon Cognito as an Identity Provider

Configuring Amazon Cognito

  • Go to Amazon Cognito, select User pools then click on the Create user pool button.

  • In Define your application, select Traditional web application for the Application type option and add a name in Name your application.

  • In Configure options, select Email for the Options for sign-in identifiers option and select email in the Required attributes for sign-up option.

  • In Add a return URL add the following to the Return URL option:

    • https://<PATRONUS_APP_HOST>/oauth2/auth

  • Click on Create user directory button.

  • After the user pool has been created successfully, go back to User pools and select the new user pool. Go to App clients in the Applications section, then select your app client. Go to Login pages and click on the Edit button in the Managed login pages configuration section. Add the following URL to Allowed sign-out URLs:

    • https://<PATRONUS_APP_HOST>

  • In the OpenID Connect scopes section, check that Email, OpenID and Profile scopes are selected.

  • Click on Save changes.

Configuring the Helm chart

Once you have created the Cognito user pool and app client, configure the values.yaml file with these values and apply the changes:

nginx:
  enabled: true
  ingress:
    enabled: true
    hostname: <PATRONUS_APP_HOST>
    ingressClassName: alb
  # The inner "&" is written as %26 so that it stays part of the url= parameter handed to vouch's logout
  # endpoint instead of ending it; vouch only redirects to a URL listed in post_logout_redirect_uris below.
  idpLogoutProxypass: http://vouch/oauth2/logout?url=https://<COGNITO_DOMAIN>/logout?client_id=<COGNITO_CLIENT_ID>%26logout_uri=https://<PATRONUS_APP_DOMAIN>
 
vouch:
  enabled: true
  config:
    vouch:
      domains:
        - <PATRONUS_DOMAIN>
      post_logout_redirect_uris:
        - https://<COGNITO_DOMAIN>/logout?client_id=<COGNITO_CLIENT_ID>&logout_uri=https://<PATRONUS_APP_DOMAIN>
    oauth:
      provider: oidc
      # Amazon Cognito -> User pools -> User pool name -> Applications -> App clients -> App client name -> App client information -> Client ID
      client_id: <COGNITO_CLIENT_ID>
      # Amazon Cognito -> User pools -> User pool name -> Applications -> App clients -> App client name -> App client information -> Client secret
      client_secret: <COGNITO_CLIENT_SECRET>
      # Amazon Cognito -> User pools -> User pool name -> Branding -> Domain -> Cognito domain -> Domain
      auth_url: https://<COGNITO_DOMAIN>/oauth2/authorize
      token_url: https://<COGNITO_DOMAIN>/oauth2/token
      user_info_url: https://<COGNITO_DOMAIN>/oauth2/userInfo
      callback_urls:
        - https://<PATRONUS_APP_HOST>/oauth2/auth
 
patronus-backend:
  authConfig:
    # Amazon Cognito -> User pools -> User pool name -> User pool information -> Token signing key URL (domain between https:// and /.well-known/jwks.json)
    idp_domain: cognito-idp.<AWS_REGION>.amazonaws.com/<COGNITO_POOL_ID>
    # Amazon Cognito -> User pools -> User pool name -> Applications -> App clients -> App client name -> App client information -> Client ID
    audience: <COGNITO_CLIENT_ID>
 
patronus-app:
  ingress:
    enabled: false
  appConfig:
    AUTH_STRATEGY: "idp-proxy"
    APP_BASE_URL: https://<PATRONUS_APP_HOST>
    BACKEND_API_PUBLIC_URL: https://<PATRONUS_BACKEND_API_HOST>

Configuring Admin Portal

Go to Admin Portal. In Accounts, create a new one with the following:

  • Account Name: <ACCOUNT_NAME>
  • Owner Email: <YOUR_EMAIL>
  • Sign In Strategy: Domain
  • Sign In Domain: <YOUR_DOMAIN>
  • Limits Enabled: disabled

Then go to System Authentication and add a mapping.

  • Account: <YOUR_NEWLY_CREATED_ACCOUNT>
  • Claim JSON-path: $.aud[*]
  • Match Claim Value: <CLIENT_ID>
  • Grant Role: Owner/Member

Change the Claim JSON-path and Match Claim Value to suit your needs.
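The two pieces of configuration above fit together as follows: the backend accepts a token only if it was issued by the Cognito pool named in idp_domain and carries the app client ID in its audience, and the System Authentication mapping then selects the account and role from a claim. The script below is an added illustration, not Patronus code, of that check-then-map flow on an already signature-verified token payload. Everything in it is an assumption: the function names, the mapping dictionary layout, the constructed IDP_DOMAIN, AUDIENCE and payload values, and the small JSON-path subset ($.name, $.name[*], $.name[N]) that covers the rule shown above. Signature verification against https://<idp_domain>/.well-known/jwks.json is deliberately left out because it needs the JWKS fetch and an RS256 library.

```python
import re
import time

# Values that correspond to patronus-backend.authConfig above (constructed placeholders).
IDP_DOMAIN = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # idp_domain
AUDIENCE = "1example2clientid3"                                        # audience

# One System Authentication mapping as described above (constructed; field names hypothetical).
MAPPING = {"account": "acme", "claim_path": "$.aud[*]", "match": AUDIENCE, "role": "Member"}

# JSON-path subset: $.name, $.name[*], $.name[N]
_PATH_RE = re.compile(r"^\$\.([^.\[\]]+)(?:\[(\*|\d+)\])?$")


def extract_claim(payload, path):
    """Return the list of values that `path` selects from a decoded JWT payload."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError(f"unsupported claim path: {path}")
    key, index = m.group(1), m.group(2)
    if key not in payload:
        return []
    value = payload[key]
    if index is None:          # $.name -> the raw claim value
        return [value]
    # 'aud' may be a single string or a list (RFC 7519 section 4.1.3); treat both alike.
    items = value if isinstance(value, list) else [value]
    if index == "*":           # $.name[*] -> every element
        return items
    i = int(index)             # $.name[N] -> one element, or nothing if out of range
    return [items[i]] if i < len(items) else []


def validate_claims(payload, idp_domain=IDP_DOMAIN, audience=AUDIENCE, now=None):
    """Issuer, audience and expiry checks; returns (ok, reason)."""
    now = time.time() if now is None else now
    # Cognito's issuer is the token-signing-key host plus pool ID, i.e. https://<idp_domain>.
    if payload.get("iss") != f"https://{idp_domain}":
        return False, "issuer mismatch"
    # Cognito ID tokens carry the client ID in 'aud'; access tokens carry it in 'client_id'.
    audiences = extract_claim(payload, "$.aud[*]") or extract_claim(payload, "$.client_id")
    if audience not in audiences:
        return False, "audience mismatch"
    # 'exp' is seconds since the epoch (RFC 7519 section 4.1.4).
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def map_account(payload, mapping=MAPPING):
    """Apply one mapping rule: (account, role) when the claim matches, else None."""
    if mapping["match"] in extract_claim(payload, mapping["claim_path"]):
        return mapping["account"], mapping["role"]
    return None


if __name__ == "__main__":
    # Constructed ID-token payload for a quick local run.
    demo = {"iss": f"https://{IDP_DOMAIN}", "aud": AUDIENCE, "token_use": "id",
            "exp": int(time.time()) + 3600, "email": "alice@example.com"}
    print(validate_claims(demo), map_account(demo))
```

Because an access token has no aud claim, a rule written as $.aud[*] only ever matches ID tokens; if you change the Claim JSON-path to something like $.email, the same extract_claim call handles the string-valued claim without further changes.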
