Tutorial Launch Saleable Streamlit dashboards @ AWS — part 5

Deploy a professional streamlit/python solution launched at Amazon AWS with S3, Fargate, Cognito

M. the German Engineer
Jan 3, 2022

In this last part we want to integrate user authentication for our web service. This is important because in data science we deal with sensitive customer data.

Overview of the tutorial parts:
- introduction of this tutorial (part 0)
- using a file in streamlit saved in AWS and upload a new one (part 1)
- make a docker container and uploading to AWS ECS (part 2)
- launching this container as a fargate service (part 3)
- connecting the service to your Route53 hosted zone (part 4)
- integrating authentication with Cognito (part 5)
- bonus session: using the streamlit upload button for saving files at AWS S3 — after 100 claps
- bonus session: integrate prophet in streamlit and host it — after 200 claps

What do we want to do here?

We want to replace the routing and enable secure HTTPS routing, so that in the end it looks like the picture. This is important so that our customer data and web service are protected by state-of-the-art authentication. Cognito is a perfect web service for this, with password policies, MFA, a customizable UI etc.

Start with a User Pool

We start by creating a new user pool. Search for Cognito and choose “Manage User Pools”.

After this, click “Create a user pool” at the top right and the work begins. We give it a name and choose “Step through settings”.

Here we can set the username policy and the required attributes.

On the following screens we use the default settings for now, so click “Next step” on each of these:

  • password policy
  • Multi-factor authentication
  • modify the notification of the potential users
  • Tags
  • Do you want to remember your user’s devices?

Now we should arrive at the app client. Here we click on “Add app client” and a form appears. We give it a name, click “Create app client” and then “Next step”.

On the triggers page we don’t have to change anything and click on next. We approve the review page and the following screen appears.

Now we need the “App client settings” form, so please open it. Here we have to enter the callback URL and the sign-out URL. Don’t forget to check “Authorization code grant” and “openid”, then save the changes.

As the last step we have to create a domain name. Choose the corresponding entry on the left-hand side and add a custom domain.

Create a sample user

For testing we need a sample user. Click on “Users and groups” and add a new user.

Creating an HTTPS connection

Nothing we have done so far is connected to our web service yet. So we have to integrate it now and close every path that works without authentication. For this we go to EC2, select “load balancer” on the right hand side and select “Listeners”. Now we click on “Add listener”.

Here we change to “HTTPS” and click on “Add action” and “Forward to”. Then we choose our target group from part 3/4.

Scrolling down, we use the default SSL certificate. If you don’t have one, request it; this should be 2 minutes of work. After this click “Add” and “View listeners”.

Now we can see that we created a second listener on HTTPS, and this is where we want to integrate our authentication. But wait, AWS shows us a problem. When we hover over the warning sign, the message appears: “The security group for your load balancer (sample-load-balancer-secgroup) does not allow traffic on this listener port.” Hmm, that’s right, so we have to solve it.

We click on the orange link and land on the overview of the security groups. At the right security group we click on “Edit inbound rules”.

Now we add a rule to allow inbound HTTPS traffic and click “Save rules”.

Before integrating the user pool we check that the HTTPS connection works. Open a browser and type https://sample.mlichy-ing.de. Everything works now!

Integration of the user pool in the HTTPS connection

For this we need the overview of the load balancers. On the HTTPS listener we click on “View/edit rules”.

Click first on the pen at the top and then on the pen of the existing rule.

Then delete the “Forward to” rule and add “Authentication” as an action. Here we enter the right user pool ID, add the created app client and approve it. After this we add “Forward to” as an action and choose the target group. As the last step we click on “Update”.

We check it again by opening a browser and typing https://sample.mlichy-ing.de. Now an authentication screen appears and we have to enter the username and password.

So everything works fine and we are finished, right? Hmm, we still have to change the HTTP connection, because it forwards directly to the web service without authentication.

Editing the HTTP connection

We start again at the overview of the listeners at the load balancer. This time we click on “View/edit rules” for the HTTP connection.

Here we click again on the pen at the top and then on the existing rule. Now we delete the “Forward to” rule, replace it with “Redirect to” and add the right port. After updating we are done!
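The gap described above (an HTTP listener that still forwards to the target group while only the HTTPS rule authenticates) can be checked mechanically. The following is an added example, not code from the original tutorial: `audit_listener` is a hypothetical helper, and the dicts are constructed sample data with placeholder ARNs and IDs, shaped like the output of the ELBv2 DescribeListeners and DescribeRules calls.

```python
def audit_listener(listener, rules):
    """Return findings for one ALB listener; an empty list means no bypass found."""
    findings = []
    proto, port = listener["Protocol"], listener["Port"]
    for rule in rules:
        where = f"{proto}:{port} rule {rule.get('Priority', 'default')}"
        actions = sorted(rule["Actions"], key=lambda a: a.get("Order", 1))
        types = [a["Type"] for a in actions]
        if "forward" not in types:
            # Nothing reaches the target here; a redirect must still land on HTTPS.
            for a in actions:
                if a["Type"] == "redirect" and a["RedirectConfig"].get("Protocol") != "HTTPS":
                    findings.append(f"{where}: redirect does not enforce HTTPS")
            continue
        if proto != "HTTPS":
            findings.append(f"{where}: forwards plain HTTP to the target, no authentication")
        elif "authenticate-cognito" not in types[:types.index("forward")]:
            findings.append(f"{where}: forward is not preceded by authenticate-cognito")
        for a in actions:
            cfg = a.get("AuthenticateCognitoConfig", {})
            if cfg.get("OnUnauthenticatedRequest") == "allow":
                findings.append(f"{where}: unauthenticated requests are allowed through")
    return findings

# Constructed sample data (placeholder ARNs and IDs, not values from the tutorial).
TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/sample/PLACEHOLDER"
FORWARD = {"Type": "forward", "Order": 2, "TargetGroupArn": TG}
AUTH = {"Type": "authenticate-cognito", "Order": 1, "AuthenticateCognitoConfig": {
    "UserPoolArn": "arn:aws:cognito-idp:REGION:ACCOUNT:userpool/PLACEHOLDER",
    "UserPoolClientId": "PLACEHOLDER", "UserPoolDomain": "sample-placeholder",
    "OnUnauthenticatedRequest": "authenticate"}}
REDIRECT = {"Type": "redirect", "Order": 1, "RedirectConfig": {
    "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}
HTTP = {"Protocol": "HTTP", "Port": 80}
HTTPS = {"Protocol": "HTTPS", "Port": 443}

def demo():
    # "before": state after the HTTPS rule was edited but HTTP still forwards.
    before = audit_listener(HTTP, [{"Priority": "default", "Actions": [FORWARD]}])
    # "after": HTTP redirects to HTTPS, HTTPS authenticates and then forwards.
    after = (audit_listener(HTTP, [{"Priority": "default", "Actions": [REDIRECT]}])
             + audit_listener(HTTPS, [{"Priority": "default", "Actions": [AUTH, FORWARD]}]))
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result or "no bypass found")
```

Against a live account the same function can be fed the `Listeners` and `Rules` lists returned by boto3's `elbv2` client (`describe_listeners`, `describe_rules`).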

What have we done?

We used Cognito to create state-of-the-art authentication for our web server. Now we have a complete running web service with a streamlit app hosted at AWS.

Please

Give me some claps and follow me for more tutorials and stories!
