AWS ALB Proxy Provider
Backstage can be deployed behind AWS Application Load Balancer and get the user seamlessly authenticated.
Configuration
The provider configuration can be added to your app-config.yaml under the root auth configuration, similar to the following example:
```yaml
auth:
  providers:
    awsalb:
      # this is the URL of the IdP you configured
      issuer: 'https://example.okta.com/oauth2/default'
      # this is the ARN of your ALB instance
      signer: 'arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/app/my-load-balancer/1234567890123456'
      # this is the region where your ALB instance resides
      region: 'us-west-2'
      ## uncomment to set lifespan of user session
      # sessionDuration: { hours: 24 } # supports `ms` library format (e.g. '24h', '2 days'), ISO duration, "human duration" as used in code
      signIn:
        resolvers:
          # See https://backstage.io/docs/auth/aws-alb/provider#resolvers for more resolvers
          - resolver: emailMatchingUserEntityProfileEmail
```
Ensure that you have set the signer correctly. It is also recommended that you restrict your target groups' security policy to only accept connections from that ALB.
Optional
sessionDuration: Lifespan of the user session.
Resolvers
This provider includes several resolvers out of the box that you can use:
emailMatchingUserEntityProfileEmail: Matches the email address from the auth provider with the User entity that has a matching spec.profile.email. If no match is found, it will throw a NotFoundError.
emailLocalPartMatchingUserEntityName: Matches the local part of the email address from the auth provider with the User entity that has a matching name. If no match is found, it will throw a NotFoundError.
The resolvers will be tried in order but will only be skipped if they throw a NotFoundError.
If these resolvers do not fit your needs, you can build a custom resolver; this is covered in the Building Custom Resolvers section of the Sign-in Identities and Resolvers documentation.
Backend Installation
To add the provider to the backend, we will first need to install the package by running this command:
```bash
yarn --cwd packages/backend add @backstage/plugin-auth-backend-module-aws-alb-provider
```
Then we will need to add these lines:
```ts
backend.add(import('@backstage/plugin-auth-backend'));
backend.add(import('@backstage/plugin-auth-backend-module-aws-alb-provider'));
```
Adding the provider to the Backstage frontend
See Sign-In with Proxy Providers for pointers on how to set up the sign-in page and also make it work smoothly for local development. You'll use awsalb as the provider name.
If you provide a custom sign-in resolver, you can skip the signIn block entirely.