Launch within VPC
Time to deploy: Approximately 30 minutes
Prerequisites
Review all the considerations and make sure you have the following in the target region you want to deploy the solution:
- At least one Amazon VPC.
- At least two private (with NAT gateways or instances) subnets across two AZs.
Deployment Overview
Use the following steps to deploy this solution on AWS.
- Step 1. Create OIDC client
- Step 2. Launch the stack
- Step 3. Update the callback URL of OIDC client
- Step 4. Launch the web console
Step 1. Create OIDC client
You can use an existing OpenID Connect (OIDC) provider, or follow this guide to create an OIDC client.
Tip
By default, this solution deploys the console inside the VPC without an SSL certificate, so the sign-in callback URL uses the http protocol. Make sure your OIDC client accepts a callback URL with the http protocol.
Step 2. Launch the stack
- Sign in to the AWS Management Console and use the Launch in AWS Regions or Launch in AWS China Regions button to launch the AWS CloudFormation template.
- The template is launched in the default region after you log in to the console. To launch the Clickstream Analytics on AWS solution in a different AWS Region, use the Region selector in the console navigation bar.
- On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.
- On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and AWS STS quotas in the AWS Identity and Access Management User Guide.
- Under Parameters, review the parameters for the template and modify them as necessary. This solution uses the following parameters:
| Parameter | Default | Description |
|---|---|---|
| VPC ID (VpcId) | `<Requires input>` | Select the VPC in which the solution will be deployed. |
| Private Subnet IDs (PrivateSubnets) | `<Requires input>` | Select the subnets in which the solution will be deployed. Note: You must choose at least two subnets across two AZs. |
| OpenID Connector Client Id (OIDCClientId) | `<Requires input>` | OpenID Connect client Id. |
| OpenID Connector Issuer (OIDCProvider) | `<Requires input>` | OpenID Connect provider issuer. The issuer must begin with https:// |
| Admin User Email (Email) | `<Requires input>` | Specify the email of the Administrator. This email address will receive a temporary password to access the Clickstream Analytics on AWS web console. You can create more users directly in the provisioned Cognito User Pool after launching the solution. |
| IAM Role Prefix (IamRolePrefix) | `<Optional input>` | Specify the prefix for the name of IAM roles created in the solution. |
| IAM Role Boundary ARN (IamRoleBoundaryArn) | `<Optional input>` | Specify the permissions boundary for the IAM roles created in the solution. |
- Choose Next.
- On the Configure stack options page, choose Next.
- On the Review page, review and confirm the settings. Check the box acknowledging that the template creates AWS Identity and Access Management (IAM) resources.
- Choose Create stack to deploy the stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 10 minutes.
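As an added example that is not part of this solution's documentation or tooling, the following script drives the same stack creation from the AWS CLI: it enforces the two constraints stated in the parameter table (the issuer must begin with https://, and at least two private subnets across two AZs) before creating the stack, then reads the ControlPlaneURL output needed in step 3. STACK_NAME, the TEMPLATE_URL placeholder, and leaving the two optional IAM parameters at their defaults are assumptions.

```shell
#!/bin/sh
# Added example, not the solution's own tooling: check the inputs the
# "Launch within VPC" template requires, then create the stack from the AWS CLI
# instead of the console. TEMPLATE_URL is a placeholder for the template URL
# shown in the Amazon S3 URL box; STACK_NAME is an assumed name.
set -eu

STACK_NAME="${STACK_NAME:-clickstream-vpc}"
TEMPLATE_URL="${TEMPLATE_URL:-https://REPLACE-WITH-SOLUTION-TEMPLATE-URL}"

# OIDCProvider must begin with https://
check_issuer() {
  case "$1" in https://*) return 0 ;; *) return 1 ;; esac
}

# PrivateSubnets needs >= 2 subnets over >= 2 AZs; args are the AZ of each subnet.
check_subnet_azs() {
  [ "$#" -ge 2 ] || return 1
  [ "$(printf '%s\n' "$@" | sort -u | wc -l | tr -d ' ')" -ge 2 ]
}

# Emit the --parameters JSON. Args: vpc issuer client-id email subnet-id...
build_parameters() {
  vpc="$1"; issuer="$2"; client="$3"; email="$4"; shift 4
  subnets=$(IFS=,; echo "$*")   # a List<Subnet::Id> value is comma-joined
  printf '[{"ParameterKey":"VpcId","ParameterValue":"%s"},' "$vpc"
  printf '{"ParameterKey":"PrivateSubnets","ParameterValue":"%s"},' "$subnets"
  printf '{"ParameterKey":"OIDCProvider","ParameterValue":"%s"},' "$issuer"
  printf '{"ParameterKey":"OIDCClientId","ParameterValue":"%s"},' "$client"
  printf '{"ParameterKey":"Email","ParameterValue":"%s"}]\n' "$email"
}

# usage: launch_stack <vpc-id> <issuer> <client-id> <email> <subnet-id>...
launch_stack() {
  check_issuer "$2" || { echo "OIDCProvider must start with https://" >&2; return 1; }
  params=$(build_parameters "$@"); shift 4
  # Resolve each subnet's AZ and apply the two-AZ rule before waiting on a stack.
  check_subnet_azs $(aws ec2 describe-subnets --subnet-ids "$@" \
      --query 'Subnets[].AvailabilityZone' --output text) \
    || { echo "need at least two private subnets across two AZs" >&2; return 1; }
  # CAPABILITY_NAMED_IAM is the CLI form of the IAM acknowledgement on the Review page.
  aws cloudformation create-stack --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" --capabilities CAPABILITY_NAMED_IAM \
    --parameters "$params"
  aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
  # Step 3 needs this output as the base of the ${ControlPlaneURL}/signin callback.
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query "Stacks[0].Outputs[?OutputKey=='ControlPlaneURL'].OutputValue" --output text
}
```

Run it as `launch_stack vpc-... https://issuer client-id admin@example.com subnet-a subnet-b` with credentials for the target region already configured.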
Step 3. Update the callback URL of OIDC client
- Sign in to the AWS CloudFormation console.
- Select the solution's stack.
- Choose the Outputs tab.
- Obtain the ControlPlaneURL as the endpoint.
- Update or add the callback URL ${ControlPlaneURL}/signin to your OIDC client.
- For Keycloak, add or update the URL in Valid Redirect URIs.
- For Authing.cn, add or update the URL in Login Callback URL of Authentication Configuration.
Step 4. Launch the web console
Important
Your login credentials are managed by the OIDC provider. Before signing in to the Clickstream Analytics on AWS console, make sure you have created at least one user in the OIDC provider's user pool.
- Because the solution console is deployed in your VPC without public access, you have to set up network connectivity to the console, which is served by an internal application load balancer. The following options are available for reference.
- (Option 1) Use bastion host, for example, Linux Bastion Hosts on AWS solution
- (Option 2) Use AWS Client VPN or AWS Site-to-Site VPN
- (Option 3) Use AWS Direct Connect
- The application load balancer only allows traffic from a specified security group. You can find the security group ID in the output named SourceSecurityGroup of the stack you deployed in step 2. Attach that security group to your bastion host or other source that will access the solution console.
- Use the previously assigned domain name or the generated ControlPlaneURL in a web browser.
- Choose Sign In; you are redirected to the OIDC provider.
- Enter your sign-in credentials. You may be asked to change your default password at first login, depending on your OIDC provider's policy.
- After the verification is complete, the system opens the Clickstream Analytics on AWS web console.
Once you have logged into the Clickstream Analytics on AWS console, you can start to create a project for your applications.