Contact Us

aws rabbitmq integration featured image with rabbit mascot

How to Set Up RabbitMQ with Amazon Web Services Cognito

Introduction

RabbitMQ is a robust messaging broker used in a wide variety of applications. When running services on AWS or considering a migration, integrating RabbitMQ with AWS Cognito for authentication is a logical step. Cognito supports OAuth 2.0, an industry-standard protocol for authorization, allowing you to transition from manual credential management in RabbitMQ to a more modern, secure system.

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that user account.

This guide is aimed at developers looking to connect RabbitMQ with AWS Cognito. No deep knowledge of either is required—just follow the steps, and you’ll have a secure, scalable authentication system set up in no time.

Learn the difference between RabbitMQ and AWS SQS

Why Integrate with Cognito?

  1. Consistency: If you’re already using Cognito for other apps, this keeps everything uniform across your AWS ecosystem.
  2. Security: OAuth 2.0 is secure, scalable, and follows best practices for managing authentication and authorization.
  3. Less Maintenance: Leverage AWS’s managed user authentication service and save time compared to building and maintaining your own system.
  4. Scalability: Cognito can handle authentication for millions of users, making it suitable for growing applications.
  5. Features: Benefit from Cognito’s additional features like multi-factor authentication and social identity providers.
  6. If you’re modernizing your RabbitMQ deployment or planning to migrate to AWS, integrating RabbitMQ with Cognito streamlines authentication processes, enhancing security and reducing administrative overhead.

If you’re modernizing your RabbitMQ deployment or planning a move to AWS, this integration will save time and headaches in the long run. When deploying RabbitMQ on AWS, it’s advisable to distribute your nodes across multiple availability zones. This strategy enhances high availability by ensuring that the failure of a single zone doesn’t compromise the entire messaging system. Additionally, each node will have a unique endpoint, which applications can use to connect to the RabbitMQ cluster.

Prerequisites

Before we begin, ensure you have the following:

  • An AWS account with access to Cognito
  • RabbitMQ (version 3.9 or newer) installed and running
  • Basic knowledge of editing configuration files, specifically the `rabbitmq.conf` file
  • Familiarity with command-line operations
  • SSL/TLS certificates for securing connections (optional but recommended)

Step 1: Setting Up AWS Cognito

Create a User Pool

  1. Log in to the AWS Console and navigate to Cognito. 
AWS Congnito integration with RabbitMQ screenshot
  1. Click “Create User Pool”.
Create user pool in Amazon Cognito screenshot
  1. Configure sign-in options:
    • Choose “Email” and “User name” for sign-in options.
    • Set password policies as per your application needs.
Set up your application
  1. Click “Create Pool” to save your settings.
Set up your application in Amazon Cognito screenshot
  1. Customize the pool name by clicking “Rename” in the upper right corner.
Customizations in Amazon Cognito
  1. Enter your pool name and click “Save”.
Entering user pool in AWS Cognito

Create an App Client

  1. Go to your User Pool.
Creating and app client in Amazon Cognito screenshot
  1. Navigate to “App Clients” and click on your app client’s name.
App clients and analytics settings in Amazon Cognito
  1. Click “Edit” in the right-hand corner.
App Client Dashboard in Amazon Cognito
  1. Enable OAuth 2.0 and select the Authorization Code Grant flow.
    • We choose this flow because it’s secure and suitable for server-side applications like RabbitMQ.
Editing app client information in AWS
  1. Click “Save Changes”.

Manage Login page 

  1. Click on the “Login pages” tab.
Edit managed login pages configuration in Amazon Cognito
  1. Add a callback URL like `https://localhost:15672` for RabbitMQ, or use your actual domain if applicable.
  2. Under OpenID Connect scopes, use the default scopes: `openid` and `profile`. These are compatible with RabbitMQ’s defaults, simplifying our setup.
  3. Save and make note of the App Client ID and Secret. You’ll need these for RabbitMQ configuration.

Add Resource Servers and Scopes

  1. In the Domain section, create a Resource Server.
Domain settings in Amazon Cognito
  1. Set the identifier to `rabbitmq` and give it a name like “RabbitMQ Integration” or simply “rabbitmq”.
Create resource server in Amazon cognito
  1. Click “Create resource server”.
Successfully creating domain in Amazon Cognito

Create User

  1. Under management, click on “Users” and “Create user”.
Under management, click on “Users” and “Create user” in AWS RabbitMQ
  1. Add the username and set a password, then click on “Create user”.
Creating users in amazon cognito
user creation confirmation in amazon cognito

Create Groups and add Users

  1. Create a Group and name it ‘rabbitmq.tag:administrator’.
    • In Cognito, groups don’t need explicit permissions assigned—the group name itself represents the permission.
create groups in amazon cognito
group creation confirmation in aws rabbitmq
  1. Add users to the group:
    • Go to the group we just created.
adding more groups in amazon cognito
  • Click on “Add user”.
amazon cognito dashboard with group section
  • Select the user(s) you want to add.
amazon cognito dashboard
  • Click “Add user”.
group administrator in amazon cognito

Step 2: Configuring RabbitMQ

Update rabbitmq.conf

Add the following lines to your RabbitMQ configuration file (`rabbitmq.conf`) to configure your broker instance effectively. Proper configuration of each node is crucial for maintaining high availability and optimal performance. The location of this file varies by operating system, but it’s typically found in `/etc/rabbitmq/` on Linux systems.

# Enable the OAuth 2.0 authentication backend
auth_backends.1 = oauth2

# OAuth 2.0 specific configuration
auth_oauth2.jwks_url = https://cognito-idp.eu-west-2.amazonaws.com/<User pool ID>/.well-known/jwks.json
auth_oauth2.issuer = https://cognito-idp.eu-west-2.amazonaws.com/<User pool ID>
auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.additional_scopes_key = cognito:groups
auth_oauth2.verify_aud = false
auth_oauth2.preferred_username_claims.1 = username

# Management Plugin OAuth 2.0 configuration
management.oauth_enabled = true
management.oauth_client_id = 52snrhj4aaifuegklalcohkokn
management.oauth_client_secret = 3f1ceskj3rk3vrefmp7oocckcgabv8ipcddgkeenm9hspubmfe3
management.listener.ssl = true
management.oauth_disable_basic_auth = false

# RabbitMQ Core Configurations
loopback_users = none

# Optional: TLS settings for securing connections (if needed)
ssl_options.cacertfile = /opt/rabbitmq/configs/amz_cognito/etc/rabbitmq-ca.crt
ssl_options.certfile = /opt/rabbitmq/configs/amz_cognito/etc/rabbitmq.crt
ssl_options.keyfile = /opt/rabbitmq/configs/amz_cognito/etc/rabbitmq.key
ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false
ssl_options.client_renegotiation = false
ssl_options.secure_renegotiate = true
ssl_options.honor_ecc_order = true
ssl_options.honor_cipher_order = true

Quick Breakdown of the main keys:

  • auth_backends.1 = oauth2: Configures RabbitMQ to use OAuth 2.0 for authentication.
  • auth_oauth2.resource_server_id = rabbitmq: Matches the identifier from your Cognito Resource Server.
  • auth_oauth2.verify_aud = false: Skips audience validation since Cognito tokens don’t include aud by default.
  • auth_oauth2.preferred_username_claims.1 = username: Ensures the username claim is used instead of an auto-generated UUID.

Restart RabbitMQ

After saving the changes, restart RabbitMQ to apply the configuration:

How It Works

  1. User Logs In: A user attempts to log in to RabbitMQ, typically via the management UI.
  1. Redirect to Cognito: RabbitMQ redirects the user to the Cognito-hosted login page.
signing in to cognito hosting server
  1. User Authenticates: The user enters their credentials, and Cognito issues an access token.
  2. Token Returned to RabbitMQ: Cognito redirects back to RabbitMQ with an access token.
  3. RabbitMQ Validates Token: RabbitMQ uses the OAuth 2.0 backend to validate the token and assign permissions to access specific queues based on token claims, including group memberships.
  4. User Permissions Applied: Based on the token claims (e.g., group memberships), RabbitMQ assigns the appropriate permissions to the user, enabling them to access the management UI as needed.
RabbitMQ dashboard overview

Note: Your OAuth2 users will not be visible under Admin -> User in the RabbitMQ management interface. This is because they are authenticated externally through Cognito.

RabbitMQ dashboard with user section

Troubleshooting

Here are some common troubleshooting issues you might encounter and how to resolve them:

UUID Instead of Username?

If you see UUIDs instead of usernames, add this to `rabbitmq.conf`:

auth_oauth2.preferred_username_claims.1 = username

Authentication Fails Because of Missing aud?

Set this in rabbitmq.conf:

auth_oauth2.verify_aud = false

Other Issues?

  1. Check RabbitMQ logs at `/var/log/rabbitmq/` for any error messages. Look for lines containing “oauth” or “authentication” to identify relevant issues.
  2. Use an online JWT decoder to inspect tokens issued by Cognito and verify that the claims (e.g., username) are correct.
  3. Ensure that the Cognito User Pool and App Client settings match your RabbitMQ configuration.
  4. Verify that the user is a member of the correct Cognito group that maps to RabbitMQ permissions.

Best Practices

  1. Always use HTTPS: Protect all communications to prevent token interception.
  2. Rotate Secrets Regularly: Periodically update your Cognito App Client secret.
  3. Align Roles and Permissions: Match RabbitMQ roles with your organization’s security policies for optimal control.
  4. Implement Logging and Monitoring: Set up comprehensive logging for both RabbitMQ and Cognito to track authentication attempts and issues.
  5. Use Multi-Factor Authentication: Enable MFA in Cognito for an extra layer of security.
  6. Regular Updates: Keep both RabbitMQ and your AWS services up to date to benefit from the latest security patches and features.
  7. Least Privilege Principle: Assign the minimum necessary permissions to users and groups.

Security Considerations

  1. Token Handling: Ensure that access tokens are securely handled and never logged or exposed.
  2. HTTPS: Always use HTTPS for all communications between RabbitMQ, clients, and Cognito.
  3. Client Secret: Store the client secret securely and consider using AWS Secrets Manager for added security.
  4. Group Limitations: Limit the groups assigned to a user in Cognito to only what’s necessary.
  5. Regular Audits: Periodically review user access and permissions in both Cognito and RabbitMQ.

Wrap-Up

Integrating RabbitMQ with AWS Cognito is an effective way to modernize your authentication system. By following these steps, you’ll have a scalable, secure setup that leverages AWS’s infrastructure effectively. This solution is ideal if you’re already on AWS or looking to simplify user management within RabbitMQ.

Next steps to consider:

  1. Implement monitoring and alerting for authentication failures.
  2. Explore advanced Cognito features like social identity providers or custom authentication flows.
  3. Consider integrating with other AWS services for a more comprehensive cloud-native solution.
Thomas Bhatia - RabbitMQ Consultant, Seventh State

“Remember, while this setup significantly improves security, always stay updated on the latest security best practices and regularly review your configuration to ensure it meets your evolving needs.”

Thomas Bhatia
RabbitMQ Consultant | Seventh State

Discover more from SeventhState.io

Subscribe now to keep reading and get access to the full archive.

Continue reading