AWS Cognito

This section will guide you through using AWS Cognito as an OIDC provider for Kubeflow.

What You’ll Need


  1. Sign in to the AWS Management Console.

  2. Click on the All services dropdown menu.

  3. Under the Security, Identity, & Compliance click on the Cognito tab.

  4. Click on the Manage User Pools button.

  5. Click on the Create a user pool button.

  6. Give a name for your user pool, for example Kubeflow.

  7. Click on the Step through settings button.

  8. Configure the Attributes of your user pool:

    1. Select the Email address or phone number with the preset option Allow email addresses.
    2. Select the following standard required attributes: email, profile, and preferred_username.
    3. Click the Next Step button.
  9. Configure the Policies of your user pool:

    1. Select the Only allow administrators to create users option.

    2. Click the Next step button.

  10. Configure the MFA and verification settings of your user pool:

    1. Select the None - users will have to contact an administrator to reset their passwords option.

    2. Click the Next step button.

  11. For the next configuration steps click the Next step button until you reach the Review configuration step.

  12. Click on the Create pool button.

  13. After successfully creating your user pool you will see a summary of your configurations. Take a note of the Pool Id, for example: us-east-2_UgEiFbZCm.

  14. Under the General settings section, select the App clients tab and click on the Add an app client button.

  15. For your new AWS Cognito client application:

    1. Enter a name of your application rok-<CLUSTER_REGION>-<CLUSTER_NAME>-authservice, replace:

      • <CLUSTER_REGION> with the region of your cluster, for example us-east-2.
      • <CLUSTER_NAME> with the name of your cluster, for example arrikto-cluster.
    2. Set the desired expiration times for your refresh, access and ID tokens.


      The expiration of both access and ID tokens cannot be greater than the refresh token expiration.

    3. Ensure that the Generate client secret option is selected.

    4. Under the Auth Flows Configuration section, ensure that the Enable refresh token based authentication option is enabled.

    5. Under the Advanced token settings section, ensure that the Enable token revocation option is enabled.

    6. Click on the Create app client button.

  16. Click on the Show details button.

  17. Take note of the App client id and the App client secret. Copy these values to your clipboard, as you are going to use them in later steps.

  18. Go to the App integration section and select the App client settings tab.

    1. In the Enabled Identity Providers section, enable the Cognito User Pool option.

    2. In the Sign in and sign out URLs section, define the Callback URL(s) as such https://<FQDN>/authservice/oidc/callback.

      Replace <FQDN> with the fully qualified domain name (FQDN) for your cluster, for example



      If you have deployed EKF on AWS EKS, you can check the FQDN for your cluster by following the procedure:

      1. Go to your GitOps repository, inside your rok-tools management environment:

        root@rok-tools:~# cd ~/ops/deployments
      2. Restore the required context:

        root@rok-tools:~/ops/deployments# source deploy/env.eks-alb-acm
      3. Print the FQDN for your cluster:

        root@rok-tools:~/ops/deployments# echo $EKS_ALB_ACM_SUBDOMAIN
    3. In the OAuth 2.0 section enable the Authorization code grant flow, and the following OAuth scopes:

      • email
      • openid
      • profile
    4. Click on the Save changes button.

  19. In the App integration section, click on the Domain name tab.

    1. Give a domain name prefix rok-<CLUSTER_REGION>-<CLUSTER_NAME>-authservice, for example rok-us-east-2-arrikto-cluster-authservice.

    2. Click the Check availability button to ensure that your domain is unique.

    3. Click on the Save changes button.

  20. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  21. Specify the pool ID of your user pool:

    root@rok-tools:~/ops/deployments# export POOL_ID=<POOL_ID>

    Replace <POOL_ID> with the value that you copied in step 13.

  22. Specify the region of your user pool:

    root@rok-tools:~/ops/deployments# export REGION=$(echo $POOL_ID | cut -d _ -f1)
  23. Specify the client ID:

    root@rok-tools:~/tools/deployments# export OIDC_CLIENT_ID=<CLIENT_ID>

    Replace <CLIENT_ID> with the client ID you copied in step 17.

  24. Specify the client secret:

    root@rok-tools:~/tools/deployments# export OIDC_CLIENT_SECRET=<CLIENT_SECRET>

    Replace <CLIENT_SECRET> with the client secret you copied in step 17.

  25. Render the AuthService credentials:

    root@rok-tools:~/tools/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
  26. Set the public URL of your EKF installation:

    root@rok-tools:~/tools/deployments# export FQDN=<FQDN>

    Replace <FQDN> with your installation’s public URL. For example:

    root@rok-tools:~/ops/deployments# export
  27. Set the public URL of your AWS Cognito user pool:

    root@rok-tools:~/tools/deployments# export OIDC_PROVIDER=https://cognito-idp.${REGION?}${POOL_ID?}
  28. Configure AuthService to convert user emails to usernames:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'

    Replace <DOMAIN> with the domain of your organization. For example:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'

    Make sure to include \\. With this example domain, AuthService will convert user IDs like into user.


    USERID_TRANSFORMERS accepts a JSON formatted list of user ID transformation rules with the following format:

    USERID_TRANSFORMERS=[{"matches": "regex", "replaces": "value" }]

    AuthService will transform the user ID by finding the first transformation rule that matches regex and replacing it with value.

  29. Set the AWS Cognito settings and render the AuthService configuration:

    root@rok-tools:~/ops/deployments# export USERID_CLAIM=preferred_username root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,email,openid root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=https://${FQDN?}/authservice/ root@rok-tools:~/ops/deployments# export TEMPLATE_PATH='' root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env
  30. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Use the AWS Cognito OIDC provider for Kubeflow authentication"
  31. Apply the manifests:

    root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/common/oidc-authservice/overlays/deploy
  32. Restart the Pods manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice


  1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice NAME READY STATUS RESTARTS AGE authservice-0 1/1 Running 0 13s
  2. Log in with your AWS Cognito credentials at https://<FQDN>, where <FQDN> is the public URL of your EKF installation. For example,


You have successfully configured your EKF installation to allow users to login with their AWS Cognito credentials.

What’s Next

Check out the rest of the services you can integrate Arrikto EKF with.