
Modernising Authentication with AWS Cognito

To unify access control, simplify operations, and support multi-environment deployments, we replaced the existing OAuth Proxy with AWS Cognito. This involved adopting AWS-native identity services and integrating Google IdP, creating a centralised and reusable authentication framework that improved security, reduced manual overhead, and enabled scalable access management across workloads.


Client Overview

The client is a CMS platform provider offering digital solutions for public sector organisations, including local councils and nonprofits. Their modular platform helps institutions improve citizen engagement, accessibility, and digital service delivery. With a growing user base and increasing demands for flexible and secure deployments, the client needed a more scalable and standardised identity management system for its cloud-native workloads.

Public Sector DevOps Solution

Challenge

The client’s existing authentication flow, managed through an OAuth Proxy on AWS EKS, created several functional and architectural limitations. Key challenges included:

Fragmented IAM Strategy

Workloads had separate authentication mechanisms, making it difficult to maintain a unified identity model.

No External IdP Integration

The legacy setup didn’t support Google IdP, limiting flexibility and interoperability for downstream clients.

Inconsistent Multi-Environment Support

There was no parameterised or reusable configuration, which increased overhead for provisioning environments across different clients.

Manual Infrastructure Management

IAM and identity services were not fully managed with Infrastructure as Code, which made scaling error-prone and costs harder to control.

Solution

We designed and implemented a reusable AWS Cognito-based authentication architecture, with full Infrastructure as Code automation and multi-environment support.

Cognito Integration and IdP Support

  • Terraform Module with Google IdP: Built a modular Terraform component to provision AWS Cognito, including full Google IdP integration.
  • Single Pool, Multi-App Logins: Leveraged Cognito’s App-Client-Based Multi-Tenancy to support Kubernetes Dashboard, Grafana, AlertManager, and OpenSearch—each with separate callback URLs, all from a single user pool.
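As an added illustration of the single-pool, multi-app-client layout described above (this is not Bion's Terraform module; the pool name, hosted domain, workload names and callback URLs are placeholders, and an existing Google OAuth client is assumed):

```hcl
variable "google_client_id" { type = string }
variable "google_client_secret" {
  type      = string
  sensitive = true
}
# Placeholder workloads and URLs; each entry becomes its own app client.
locals {
  apps = {
    grafana       = ["https://grafana.example.internal/oauth2/callback"]
    alertmanager  = ["https://alertmanager.example.internal/oauth2/callback"]
    k8s-dashboard = ["https://dashboard.example.internal/oauth2/callback"]
    opensearch    = ["https://search.example.internal/oauth2/callback"]
  }
}
resource "aws_cognito_user_pool" "main" {
  name = "platform-users" # placeholder name
}
# Hosted UI domain (placeholder); its /oauth2/idpresponse URL is the Google client's redirect URI.
resource "aws_cognito_user_pool_domain" "main" {
  domain       = "platform-auth-example"
  user_pool_id = aws_cognito_user_pool.main.id
}

resource "aws_cognito_identity_provider" "google" {
  user_pool_id  = aws_cognito_user_pool.main.id
  provider_name = "Google"
  provider_type = "Google"
  provider_details = {
    client_id        = var.google_client_id
    client_secret    = var.google_client_secret
    authorize_scopes = "openid email profile"
  }
  attribute_mapping = {
    email = "email"
  }
}

# One app client per workload: own secret and callback URLs, authorization-code flow only.
resource "aws_cognito_user_pool_client" "app" {
  for_each                             = local.apps
  name                                 = each.key
  user_pool_id                         = aws_cognito_user_pool.main.id
  generate_secret                      = true
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid", "email", "profile"]
  supported_identity_providers         = ["Google"]
  callback_urls                        = each.value
  depends_on                           = [aws_cognito_identity_provider.google]
}
```

Each workload then receives only its own app client ID and secret, so a leaked credential for one dashboard can be rotated without touching the others.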

Reusable Infrastructure Setup

  • Terragrunt for Scalability: Created parameterised Terragrunt configurations optimised for cross-environment reusability, enabling fast onboarding of new client environments.
  • Code Efficiency: Streamlined the IaC setup to minimise code duplication, ensuring better maintainability and easier updates.

Results

The client’s identity layer is now centralised, secure, and fully automated, providing a scalable foundation for future growth.

Unified IAM with One User Pool

Authentication across all workloads now flows through a single, centralised Cognito pool, simplifying governance and user management.


Improved Reusability and Scale

The Terraform + Terragrunt approach made infrastructure modular and reusable, reducing onboarding time for new environments.


External IdP Compatibility

Google IdP support enabled greater flexibility for external identity integrations, improved user access control, and supported future scalability.


DevOps Enablement and Support

Bion provided hands-on support throughout the rollout, including IaC design, implementation, and transition assistance for internal DevOps teams.

Technology Stack


To support a scalable and secure identity architecture, the following technologies were used:

  • Authentication: AWS Cognito with Google IdP
  • Infrastructure as Code: Terraform, Terragrunt
  • Container Management: AWS EKS
  • Monitoring & Interfaces: Grafana, AlertManager, Kubernetes Dashboard
  • Search & Analytics: AWS OpenSearch

By transitioning from OAuth Proxy to AWS Cognito, the client now benefits from a cost-efficient, standardised, and scalable authentication framework, purpose-built for the demands of public sector digital platforms.