1
00:00:06,919 --> 00:00:12,480
Welcome back to BackSpace Academy. In this lab we're going to be developing

2
00:00:12,480 --> 00:00:17,820
a serverless JavaScript application and we're going to host that on Amazon S3

3
00:00:17,820 --> 00:00:23,760
and front it with CloudFront. In the application we're going to be using the

4
00:00:23,760 --> 00:00:29,189
Login with Amazon software development kit and that will allow our users of our

5
00:00:29,189 --> 00:00:35,670
application to use their Amazon login details to assume a role which will give

6
00:00:35,670 --> 00:00:40,590
them temporary AWS credentials then we're going to use those temporary

7
00:00:40,590 --> 00:00:46,265
credentials to read and write to a DynamoDB table

8
00:00:46,265 --> 00:00:49,000
okay starting off in the Amazon S3 console

9
00:00:49,000 --> 00:00:52,120
we want to create a bucket to host our website so

10
00:00:52,120 --> 00:01:02,000
create bucket we'll give that a name and next

11
00:01:02,300 --> 00:01:09,119
and next again so we want to make this public so grant public read access to

12
00:01:09,119 --> 00:01:14,079
this bucket and create bucket okay so in the lab notes I've got some links to

13
00:01:14,079 --> 00:01:24,750
two files one called index.html being our web page and app.js our application

14
00:01:24,750 --> 00:01:29,400
code so what we need to do is to download those and then upload these

15
00:01:29,400 --> 00:01:34,710
to our bucket so we'll just click on the bucket now and we'll upload those two

16
00:01:34,710 --> 00:01:47,689
files and next and we need to grant public permissions for this and upload

17
00:01:47,689 --> 00:01:52,850
so once it's finished uploading we need to enable static website hosting so

18
00:01:52,850 --> 00:01:56,929
going to properties and static website hosting will put that in there

19
00:01:56,929 --> 00:02:01,929
put our index.html and click Save

20
00:02:03,369 --> 00:02:08,840
okay so now that we've done that we should be
able to go to this website now

21
00:02:08,840 --> 00:02:11,269
and just have a look at it make sure it's all working so that's working fine

22
00:02:11,269 --> 00:02:15,470
so what our web page simply is, it's going to have three buttons here one

23
00:02:15,470 --> 00:02:20,040
which is a login with Amazon button logout button and then a write to DynamoDB.

24
00:02:20,040 --> 00:02:24,290
so once we've finished logging in we can write data to or we're going to

25
00:02:24,290 --> 00:02:29,120
get the user profile data from the amazon.com service and then we're going

26
00:02:29,120 --> 00:02:34,879
to write that to a DynamoDB database to have this running properly we need to

27
00:02:34,879 --> 00:02:41,329
have it served out of HTTP domain so obviously we can't do that using static

28
00:02:41,329 --> 00:02:45,109
website hosting but we can front that with CloudFront so we're going to

29
00:02:45,109 --> 00:02:52,459
do a CloudFront distribution so go into CloudFront and we're just going to use

30
00:02:52,459 --> 00:02:57,099
the standard CloudFront certificate as well so we go create distribution and

31
00:02:57,099 --> 00:03:04,940
get started the origin will be our bucket that we just created and we want

32
00:03:04,940 --> 00:03:10,040
to redirect to everything to http the reason we need to do this is that the

33
00:03:10,040 --> 00:03:17,889
login with Amazon service will only work with a domain that is under HTTPS or SSL

34
00:03:21,069 --> 00:03:30,290
and we're just going to use a standard SSL certificate and the default root

35
00:03:30,290 --> 00:03:38,500
object will be index.html and we'll create that distribution

36
00:03:40,230 --> 00:03:45,190
okay so while that CloudFront distribution is happening I'm just going

37
00:03:45,190 --> 00:03:50,950
to jump into the Amazon.com Seller Central.
Now there are instructions in the

38
00:03:50,950 --> 00:03:56,260
lab notes on how to register with amazon.com as a developer so you need to

39
00:03:56,260 --> 00:04:00,430
go through that registration process once you've done that and you've logged

40
00:04:00,430 --> 00:04:05,080
in as a developer on amazon.com you'll be presented with this screen here so

41
00:04:05,080 --> 00:04:09,070
what we need to do is we need to register our application with Amazon and

42
00:04:09,070 --> 00:04:14,230
once we've done that and we've given all the details of the domain name and all

43
00:04:14,230 --> 00:04:19,239
of that sort of thing what we will get is an application ID and we'll also get

44
00:04:19,239 --> 00:04:24,220
a web client ID and we need both of those IDs one of them goes to

45
00:04:24,220 --> 00:04:28,090
Amazon Web Services which is the application ID and the other one

46
00:04:28,090 --> 00:04:32,470
goes on our web page which will be the client ID so to start with we go to

47
00:04:32,470 --> 00:04:41,620
register new application we'll give our application a name and we'll give it a

48
00:04:41,620 --> 00:04:50,860
description and we need to put in a privacy notice URL as well so I've just

49
00:04:50,860 --> 00:04:55,300
got one here that I've just copied off the internet it's just a sample one and

50
00:04:55,300 --> 00:05:00,490
I'm just going to put that in there which I've uploaded already to an S3

51
00:05:00,490 --> 00:05:05,560
bucket and I'm just going to put a logo as well I can put in

52
00:05:05,560 --> 00:05:13,410
a logo why not and we'll save that

53
00:05:16,139 --> 00:05:21,610
okay so that's done that part of it so what we need to do now is put in the web

54
00:05:21,610 --> 00:05:25,300
settings and that's going to give them or give Amazon the settings of our

55
00:05:25,300 --> 00:05:28,240
application that we'll be running so it's going to be a web application for

56
00:05:28,240 --> 00:05:31,780
starters it's not going to be an
Android app or an iOS app so we click on web

57
00:05:31,780 --> 00:05:39,400
settings and what we need to do is edit that and we need to put our origin of

58
00:05:39,400 --> 00:05:43,090
our domain so that's going to be our CloudFront domain so we go back into

59
00:05:43,090 --> 00:05:58,600
the CloudFront manager we'll copy that domain okay so it needs to have the HTTP://

60
00:05:58,600 --> 00:06:03,580
in there as well and the last bit of it

61
00:06:03,580 --> 00:06:10,060
will be CloudFront.net so that's what you need to do for that and save ok

62
00:06:10,060 --> 00:06:14,290
so you've now got your client ID and you've got your application ID that you

63
00:06:14,290 --> 00:06:19,570
need to go further so we'll just jump back now into the CloudFront and see

64
00:06:19,570 --> 00:06:22,080
how that's going

65
00:06:24,150 --> 00:06:29,650
ok so CloudFront has finished creating that distribution so we'll just jump in

66
00:06:29,650 --> 00:06:33,180
here and have a look and see if it's working so that's fine so we've got that

67
00:06:33,180 --> 00:06:37,120
up and running on CloudFront not a problem so what we'll do now is move on

68
00:06:37,120 --> 00:06:41,460
to the next step which is creating our DynamoDB tables so go to services and

69
00:06:41,460 --> 00:06:52,900
DynamoDB and we want to create a table and we'll call it login with Amazon test

70
00:06:52,900 --> 00:06:59,110
now use the same table name as I've got here because the code is actually around

71
00:06:59,110 --> 00:07:02,740
this table name otherwise you'll have to go into the code and change it so our

72
00:07:02,740 --> 00:07:07,390
primary key again leave this the same as what I've got in the lab notes which is

73
00:07:07,390 --> 00:07:13,870
just customer with a capital C so just remember it is case sensitive so make

74
00:07:13,870 --> 00:07:18,310
sure the customer is a capital C then we're not going to use a default

75
00:07:18,310 --> 00:07:22,330
settings because I want to save
a bit of money so what I'm going to do is turn

76
00:07:22,330 --> 00:07:27,430
off auto scaling because we really only need one read capacity unit and we'll

77
00:07:27,430 --> 00:07:31,100
just change that to the minimum and save a bit of cost so

78
00:07:31,100 --> 00:07:35,720
if we forget to delete this it's only going to cost us 60 cents a month so not

79
00:07:35,720 --> 00:07:43,040
a problem and we create that table and that's

80
00:07:43,040 --> 00:07:49,490
now being created after a certain amount of time it will be ready to go okay

81
00:07:49,490 --> 00:07:54,020
jumping into tables and we can see there that is now active so I'm just going to

82
00:07:54,020 --> 00:07:58,430
click on that again what we need to do now is that we need to create an IAM

83
00:07:58,430 --> 00:08:05,570
role that will give our end users or our end users can assume that will give them

84
00:08:05,570 --> 00:08:09,860
federated temporary access to this table so they can read and write to that table

85
00:08:09,860 --> 00:08:15,140
so we're just going to go to the tab that has access control we're going to

86
00:08:15,140 --> 00:08:19,310
select login with Amazon which is what we're using we'll select all of the

87
00:08:19,310 --> 00:08:25,520
action set and we'll create this policy so there it has automatically created

88
00:08:25,520 --> 00:08:29,360
that policy for us we just saved us a lot of time means we don't get many

89
00:08:29,360 --> 00:08:34,640
mistakes in here so all we need to do now is to copy that policy over to IAM

90
00:08:34,640 --> 00:08:40,250
and then we can create an IAM role using that policy so the first thing we

91
00:08:40,250 --> 00:08:44,090
need to do is just copy all of that so ctrl a and control C or command a

92
00:08:44,090 --> 00:08:56,200
command C if you're on Mac and we'll go to the IAM console now and we go to roles

93
00:08:56,200 --> 00:09:02,510
actually first of all we'll go to policies and we'll create a policy and

94
00:09:02,510 --> 00:09:07,340
we'll paste in delete what's in there now and we'll paste you now our JSON

95
00:09:07,340 --> 00:09:14,390
code in there so let's have a look at it so what we've got is we're allowing all

96
00:09:14,390 --> 00:09:18,740
of the actions here on DynamoDB and it's going to be on our login with

97
00:09:18,740 --> 00:09:24,860
Amazon test database or so our test table and it's only going to be it's got

98
00:09:24,860 --> 00:09:30,320
it's a condition against it so it's only going to be allowed where the leading

99
00:09:30,320 --> 00:09:39,560
keys have user ID so what that means is that our primary key of our database is

100
00:09:39,560 --> 00:09:48,000
customer and so where the customer has the value of our

101
00:09:48,000 --> 00:09:52,620
Amazon account or the user's Amazon account they can write to that but they

102
00:09:52,620 --> 00:09:58,440
can't write anything else, so it's limited to entries on their own account

103
00:09:58,440 --> 00:10:09,209
so just click on review policy we'll give that a name and we'll give it a

104
00:10:09,209 --> 00:10:17,700
description as well okay so we can see it's got limited read and write access

105
00:10:17,700 --> 00:10:24,330
and on the resource login with the Amazon test that table and it's only

106
00:10:24,330 --> 00:10:28,649
going to be where the leading keys or the partition which is customer where

107
00:10:28,649 --> 00:10:34,950
the customer equals the amazon.com user ID that has been logged in so we just

108
00:10:34,950 --> 00:10:42,029
create that policy now okay so that's been created now so now we can create a

109
00:10:42,029 --> 00:10:51,839
role using that policy so create role and we want it to be web identity our

110
00:10:51,839 --> 00:10:57,150
identity provider will be Login with Amazon and our application ID so we need

111
00:10:57,150 --> 00:11:02,850
to get this application ID from amazon.com from our developer account so

112
00:11:02,850 --> 00:11:05,730
we go
back into our developer account and we can see up the top here we've got

113
00:11:05,730 --> 00:11:11,339
our application ID so we've got two IDs we've got an application ID and we've

114
00:11:11,339 --> 00:11:16,680
got a client ID so for this part of the process we use the application ID so

115
00:11:16,680 --> 00:11:21,230
just going to select all of that and copy that over

116
00:11:27,170 --> 00:11:33,029
and go to permissions now this is where we search for our policy so I'm just

117
00:11:33,029 --> 00:11:37,740
going to do login it should find it so there's our policy that we just created

118
00:11:37,740 --> 00:11:45,660
and we review we'll give this role a name we'll just call it login with

119
00:11:45,660 --> 00:11:53,670
Amazon DynamoDB again that will be fine and a description in there and that

120
00:11:53,670 --> 00:11:56,870
looks fine so we've got our policy there which is our login with Amazon DynamoDB

121
00:11:56,870 --> 00:12:04,940
policy we've got our identity provider is amazon.com and we just click on create role

122
00:12:04,940 --> 00:12:14,279
okay so that role has now been created so if we click up here to

123
00:12:14,279 --> 00:12:18,930
that role to get to that role we can see here we've got a role ARN so we're

124
00:12:18,930 --> 00:12:23,070
going to need that later on in our code and what we'll do is we'll jump into our

125
00:12:23,070 --> 00:12:29,459
code and we'll put that in there now so just copying that now and I'm just going

126
00:12:29,459 --> 00:12:34,709
to jump into my app.js code that we uploaded and we can see here we have a

127
00:12:34,709 --> 00:12:41,699
variable roleARN so we need to put our ARN for our role into them so that's

128
00:12:41,699 --> 00:12:47,279
done and what I'm going to do now is I'm going to save that as a different name

129
00:12:47,279 --> 00:12:57,870
and I'm going to call it V or app underscore a version 2 now the reason

130
00:12:57,870 --> 00:13:02,640
I'm doing that is because we've
got a CloudFront distribution and so if we're

131
00:13:02,640 --> 00:13:07,949
going to just keep using app.js and we upload app.js we're going to have to

132
00:13:07,949 --> 00:13:12,750
invalidate that CloudFront distribution which is going to take a long long time

133
00:13:12,750 --> 00:13:15,209
you know I have naturally measured it but you're probably looking at half an

134
00:13:15,209 --> 00:13:19,769
hour or so to invalidate that CloudFront distribution so instead of doing that we

135
00:13:19,769 --> 00:13:24,029
just need to upload a new file and this is what that is and so if it's not in

136
00:13:24,029 --> 00:13:28,370
the distribution it will just get proxied straight back to Amazon S3 and

137
00:13:28,370 --> 00:13:35,200
it'll go from there so we just save that as version 2 or just copy the name first

138
00:13:35,200 --> 00:13:45,250
and save that and I need to go into index.html and scroll down to here

139
00:13:45,250 --> 00:13:51,280
because this is referencing app.js so we need to put the new file name which will

140
00:13:51,280 --> 00:13:57,430
be app version two JS and we also if you see here we need to put in our

141
00:13:57,430 --> 00:14:06,880
client ID so we go back into the amazon.com seller central if we scroll

142
00:14:06,880 --> 00:14:10,870
down here in our web settings we're going to have a client ID so we select

143
00:14:10,870 --> 00:14:16,150
that so don't get this confused with the application ID that we use before this

144
00:14:16,150 --> 00:14:31,630
is a client ID and we'll put that in here okay so that should be fine to run

145
00:14:31,630 --> 00:14:35,440
so what I'm going to do now is we're going to file save that as another

146
00:14:35,440 --> 00:14:37,980
version as well

147
00:14:45,300 --> 00:14:55,089
and save so all we need to do now is upload that and run our application so we

148
00:14:55,089 --> 00:15:09,399
go into the S3 management console and upload that and again make sure that

149
00:15:09,399 --> 00:15:16,319
we've got public permissions on this and upload that

150
00:15:19,379 --> 00:15:24,970
now before we run this application let's have a quick look and see how it all

151
00:15:24,970 --> 00:15:31,449
works so in our index.html or version two that we've got here we can see it's just

152
00:15:31,449 --> 00:15:36,459
a blank pretty well a blank canvas here which has just got some buttons on it so

153
00:15:36,459 --> 00:15:43,019
we start off by loading the Amazon or the login with Amazon JavaScript SDK and

154
00:15:43,019 --> 00:15:50,380
when it has been loaded we then pass our client ID to the software development

155
00:15:50,380 --> 00:15:56,290
kit now that is going to be our web client ID if this was an Android app it

156
00:15:56,290 --> 00:16:02,410
would be our Android client ID or it would be our if it was an iOS app it

157
00:16:02,410 --> 00:16:06,759
would be our iOS client ID there so because it's a web application we're

158
00:16:06,759 --> 00:16:13,420
sending our web client ID to that so once it has been loaded we've also got

159
00:16:13,420 --> 00:16:19,810
here some buttons for login and for logout and writing to the database we're

160
00:16:19,810 --> 00:16:25,420
just loading jQuery and the AWS software development kit and

161
00:16:25,420 --> 00:16:32,699
then finally we're loading in our app_v2.js code

162
00:16:32,699 --> 00:16:38,410
so let's have a look so not much going on there other than loading in our login

163
00:16:38,410 --> 00:16:44,379
for Amazon JavaScript SDK so if we go to our app there's a lot more going on

164
00:16:44,379 --> 00:16:51,009
there so first of all we've got to define our region as US east we've also

165
00:16:51,009 --> 00:16:58,360
got a variable there for our role ARN which we'll be passing to the AWS

166
00:16:58,360 --> 00:17:02,670
security token service and

167
00:17:02,670 --> 00:17:07,150
we've got our event listeners for those three buttons being our login with

168
00:17:07,150 --> 00:17:13,750
Amazon which will go to a login with Amazon function which is down here if we

169
00:17:13,750 --> 00:17:19,839
want to log out it's going to call the login function within the Amazon SDK and

170
00:17:19,839 --> 00:17:25,000
finally we can write to DynamoDB using a write DynamoDB function which we're

171
00:17:25,000 --> 00:17:30,220
creating as well so when we log in and we click on that login function the

172
00:17:30,220 --> 00:17:33,850
first thing or login button the first thing we want to do is define the scope

173
00:17:33,850 --> 00:17:39,910
of our call to amazon.com and that will be to retrieve the profile and that will

174
00:17:39,910 --> 00:17:48,130
be the email address and the name of our end user so what we need to do is that

175
00:17:48,130 --> 00:17:53,890
we need to run the authorize process and if that is successful it will open up a

176
00:17:53,890 --> 00:18:00,460
pop-up screen and/or pop-up window and we put in our amazon.com username and

177
00:18:00,460 --> 00:18:07,300
password to that if it's accepted then we will get a good response back in

178
00:18:07,300 --> 00:18:12,580
okay responses not an error and in that response we will get an access token

179
00:18:12,580 --> 00:18:18,880
from amazon.com so we can use that access token that we get from amazon.com

180
00:18:18,880 --> 00:18:24,309
for two things first of all we can go back to the login with Amazon service

181
00:18:24,309 --> 00:18:28,660
and we can retrieve the user profile information for the person has just

182
00:18:28,660 --> 00:18:33,340
logged in and so that again we'll get a sell name and email address of that

183
00:18:33,340 --> 00:18:37,480
person so that's what we're doing here is it we're calling retrieve profile and

184
00:18:37,480 --> 00:18:42,550
we're passing that access token there and in our response we're going to get

185
00:18:42,550 --> 00:18:47,770
the user profile of that person so if that is successful then we go on to

186
00:18:47,770 --> 00:18:55,330
create our AWS credentials so that will again it will be similar to what we do

187
00:18:55,330 --> 00:18:59,770
with Cognito instead of using the Cognito service we're going to be using

188
00:18:59,770 --> 00:19:04,900
web identity credentials and what we do is we pass the provider

189
00:19:04,900 --> 00:19:08,200
which will be amazon.com

190
00:19:08,200 --> 00:19:12,990
the ARN for our IAM role and finally we're going to pass

191
00:19:12,990 --> 00:19:18,108
that access token that we got from logging in with Amazon

192
00:19:18,108 --> 00:19:25,110
so once we have created that object we can refresh our AWS credentials and it will reload

193
00:19:25,110 --> 00:19:30,810
that in and so if it is successful then we're going to create a DynamoDB object

194
00:19:30,810 --> 00:19:36,720
that we can use for calling to the DynamoDB service so when we click on

195
00:19:36,720 --> 00:19:42,360
that write DynamoDB button what it's going to do is it's going to write to

196
00:19:42,360 --> 00:19:47,760
DynamoDB the user profile information and it's also going to put in the top

197
00:19:47,760 --> 00:19:52,200
score information for that user so how does that work so we're going to define

198
00:19:52,200 --> 00:19:57,120
some parameters for our item that we're writing and it's going to be customer

199
00:19:57,120 --> 00:20:04,350
which if you remember when we created our DynamoDB table customer was the

200
00:20:04,350 --> 00:20:09,890
primary key for that table and if you remember when we created our role the

201
00:20:09,890 --> 00:20:16,230
access had a condition that the primary key being customer must have

202
00:20:16,230 --> 00:20:23,820
been the same as the user that is logging in their amazon.com ID so what

203
00:20:23,820 --> 00:20:30,750
we're doing is that we're supplying the amazon.com ID to customer in their item

204
00:20:30,750 --> 00:20:35,550
so that will be accepted by AWS we're also putting in the email address for

205
00:20:35,550 --> 00:20:39,090
the person and the name of the person and we're putting in some top-score

206
00:20:39,090 --> 00:20:43,530
information so I'm just putting in 0 there but if this was a real thing you

207
00:20:43,530 --> 00:20:46,560
would put in the top score information for their game or whatever they're doing

208
00:20:46,560 --> 00:20:53,460
and once we've done that we can call put item and if that is OK it will just JSON

209
00:20:53,460 --> 00:21:00,480
stringify that out and put it out to the console on our screen so that's

210
00:21:00,480 --> 00:21:07,560
how it all works and what we'll do now is we'll go ahead and run that

211
00:21:07,560 --> 00:21:13,530
jumping back in the CloudFront manager let's have a look at our new website so

212
00:21:13,530 --> 00:21:18,450
we go to here now this is going to be the index.html so we don't want this one

213
00:21:18,450 --> 00:21:24,710
this is the old one we want to go to the new one which will be our version two

214
00:21:24,799 --> 00:21:30,809
which is them so what's happened now is our because it's not in our CloudFront

215
00:21:30,809 --> 00:21:34,289
distribution CloudFront has just proxied that straight back to Amazon S3 and

216
00:21:34,289 --> 00:21:38,700
we've got that up and running if we used index.html we would have had to

217
00:21:38,700 --> 00:21:43,049
invalidate that CloudFront distribution would have wasted a lot of time so what

218
00:21:43,049 --> 00:21:46,679
we can do now is we'll run this application just going to press F12 to

219
00:21:46,679 --> 00:21:53,070
get the console up and click on login with Amazon and see what happens so

220
00:21:53,070 --> 00:21:56,779
there we go so I just put in my password

221
00:22:03,799 --> 00:22:11,610
so it's asking for access to my profile so by logging into this web

222
00:22:11,610 --> 00:22:16,320
application the web application is going to receive my name and my email address

223
00:22:16,320 --> 00:22:23,580
and so
I'm going to allow that okay so we can see here you are now signed in so

224
00:22:23,580 --> 00:22:27,200
everything has worked fine so we've got in here don't worry about this a

225
00:22:27,200 --> 00:22:32,309
mismatch or a match is not a function this uncaught type error that's just a

226
00:22:32,309 --> 00:22:37,679
problem with the login it's not a problem with our code so looking here

227
00:22:37,679 --> 00:22:41,960
we've got our Amazon login details and so what's happened is it's returned an

228
00:22:41,960 --> 00:22:48,720
access token so that's a login with Amazon access token and we can pass that

229
00:22:48,720 --> 00:22:57,570
access token over to the AWS STS service using Web Identity Federation and what

230
00:22:57,570 --> 00:23:02,190
it will do is it will create temporary credentials for us and so we can see

231
00:23:02,190 --> 00:23:05,940
here we've grabbed that access token and we've got our role here that is being

232
00:23:05,940 --> 00:23:12,659
used and we're calling assume web identity Federation with the access

233
00:23:12,659 --> 00:23:18,659
token and it has successfully created the AWS temporary credentials for us so

234
00:23:18,659 --> 00:23:23,460
what we can do now is I'm just going to clear the console is that we should be

235
00:23:23,460 --> 00:23:27,960
able to now grab that profile information that has that we've received

236
00:23:27,960 --> 00:23:32,560
which will have my name and my email address and we can write that to DynamoDB

237
00:23:32,560 --> 00:23:36,580
so let's have a look at how that goes

238
00:23:36,580 --> 00:23:40,990
so just click on write to DynamoDB so there we go

239
00:23:40,990 --> 00:23:46,240
if it worked it will return consumed capacity so just saying here the table

240
00:23:46,240 --> 00:23:52,480
and we've consumed one capacity unit and it's written it with the Amazon account

241
00:23:52,480 --> 00:23:57,790
there so what's happened now is that we should be able to go into DynamoDB and

242
00:23:57,790 --> 00:24:03,640
there should be an entry for this user with that Amazon account under

243
00:24:03,640 --> 00:24:09,640
customer so let's have a look we'll jump into DynamoDB and we'll click on items

244
00:24:09,640 --> 00:24:15,430
and there we can see we've got customer which was as you remember when we

245
00:24:15,430 --> 00:24:22,540
created this table our primary key was customer and so whatever is in here is

246
00:24:22,540 --> 00:24:27,130
provided it's got the Amazon account for the person that has logged in with those

247
00:24:27,130 --> 00:24:32,350
temporary security credentials they can write to here but they cannot write to

248
00:24:32,350 --> 00:24:37,210
any other place within the database so you can see that so there's my Amazon

249
00:24:37,210 --> 00:24:42,220
account ID there's my email there's my name and we've also written in there top

250
00:24:42,220 --> 00:24:46,420
score so if you wanted to put any further details of that user you can put

251
00:24:46,420 --> 00:24:49,690
that in so if it's a game and you want to keep track of their top score of the

252
00:24:49,690 --> 00:24:52,450
game that's how you do it so that's how

253
00:24:52,450 --> 00:24:57,820
simple and easy it is to use federated identity now why would you want to do

254
00:24:57,820 --> 00:25:03,670
that and why not just use Cognito well the thing is Cognito it costs you money

255
00:25:03,670 --> 00:25:08,710
and you have to pay for that so you might be a cash-strapped startup and

256
00:25:08,710 --> 00:25:13,600
you've got the next best thing and you know that the people that are using your

257
00:25:13,600 --> 00:25:17,320
web application have an Amazon account or they have a Facebook account or a

258
00:25:17,320 --> 00:25:21,040
Google account and you can use that to authorize them and it's not going to

259
00:25:21,040 --> 00:25:26,550
cost you anything to do that and so by doing that then you can also expand

260
00:25:26,550 --> 00:25:32,260
quite rapidly so if your app becomes extremely popular your

261
00:25:32,260 --> 00:25:35,800
application is going to be running on their end user's hardware it's going to

262
00:25:35,800 --> 00:25:39,280
be running on their computer or their mobile phone or whatever you're not

263
00:25:39,280 --> 00:25:44,440
paying for that compute capacity but or you're paying for is the data that

264
00:25:44,440 --> 00:25:49,990
back-end being that DynamoDB database and they're accessing that directly

265
00:25:49,990 --> 00:25:53,590
without any EC2 instances without anything like that in front of it

266
00:25:53,590 --> 00:25:59,620
they're accessing that directly and doing that extremely securely as well so

267
00:25:59,620 --> 00:26:03,909
that brings us to the end of a pretty good lab I think and what we need to do

268
00:26:03,909 --> 00:26:08,649
now is to clean it all up so the first thing we will do is that we will delete

269
00:26:08,649 --> 00:26:20,919
this table so when that's chugging away we then need to disable this CloudFront

270
00:26:20,919 --> 00:26:26,740
distribution so that will take a while to disable so once it's disabled then we

271
00:26:26,740 --> 00:26:31,630
can go back in there and we will be over this delete will be will be highlighted

272
00:26:31,630 --> 00:26:36,340
so we can delete it that'll take about 15 minutes or so and we just delete this

273
00:26:36,340 --> 00:26:38,700
bucket

274
00:26:51,200 --> 00:26:55,679
okay so that's all cleaned up and I look forward to seeing you in the

275
00:26:55,679 --> 00:26:58,279
next lab