Stage 2 — Cognito Setup
How to complete this stage
Clone the ianode-access repository and start the local Cognito emulator used for identity and attribute resolution.
Approach and rationale
This stage provides a local identity provider that issues login tokens for test users. These tokens are later used by the IA node to:
- Verify who is making each request
- Validate JWT signatures
- Resolve user attributes
- Enforce attribute-based access control (ABAC)
Using Cognito Local ensures that authentication and attribute resolution can be tested without relying on external AWS services.
2.1 Clone the repository
This repository contains the local identity and access services used by the IA node, including:
- Cognito emulator configuration
- User and group initialisation scripts
- Attribute resolution APIs
From your working directory (for example ~/src):
2.2 Start Cognito Local
This starts a local identity provider that issues login tokens for test users. The IA node will later use these tokens to verify who is making each request.
Navigate to the Cognito Local directory:
Start the service:
Wait until logs indicate that Cognito Local is running.
The service should be reachable at http://localhost:9229 (or an equivalent address such as http://0.0.0.0:9229).
Operational Notes
When calling AWS CLI against Cognito Local, use:
--endpoint-url http://localhost:9229
Do not use --endpoint.
Ensure Docker is running before starting the service. If Docker reports permission errors, ensure your user is in the docker group and restart your shell.
If the container does not start, inspect logs:
2.3 Checkpoint
At the end of this stage:
- The ianode-access repository is cloned locally.
- Cognito Local is running.
- The service is reachable at http://localhost:9229.
If Cognito Local is not reachable, later authentication steps will fail. Do not proceed until this checkpoint passes.
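One way to script this checkpoint, as an added example that is not part of the ianode-access repository: it validates the endpoint URL, refuses anything that is not a local address so test calls never reach external AWS services, waits for the port to answer, and then queries the emulator with --endpoint-url. The function names, the dummy credentials and the us-east-1 region are assumptions made for this example; curl is assumed to be installed.

```shell
#!/bin/sh
# Added checkpoint helper; not part of the ianode-access repository.
# Assumptions: curl is installed; the aws step is skipped if the AWS CLI is absent.

# Split an http://host:port URL into "host port"; fail on anything else.
endpoint_host_port() {
  ehp_rest="${1#http://}"
  [ "$ehp_rest" != "$1" ] || return 1            # scheme must be http://
  ehp_rest="${ehp_rest%%/*}"                     # drop any path
  ehp_host="${ehp_rest%:*}"
  ehp_port="${ehp_rest##*:}"
  [ -n "$ehp_host" ] && [ "$ehp_host" != "$ehp_rest" ] || return 1
  case "$ehp_port" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s %s\n' "$ehp_host" "$ehp_port"
}

# True only for local addresses. Names that merely start with "127." are rejected.
is_local_host() {
  case "$1" in
    localhost|0.0.0.0) return 0 ;;
    127.*[!0-9.]*) return 1 ;;
    127.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Poll until the endpoint returns any HTTP response, or give up after $2 attempts.
wait_for_endpoint() {
  wfe_left="${2:-30}"
  while [ "$wfe_left" -gt 0 ]; do
    curl -s -o /dev/null --max-time 2 "$1" && return 0
    wfe_left=$((wfe_left - 1))
    sleep 1
  done
  return 1
}

# Exit codes: 0 = checkpoint passed, 1 = not reachable, 2 = endpoint rejected.
stage2_checkpoint() {
  sc_url="${1:-http://localhost:9229}"
  sc_hp=$(endpoint_host_port "$sc_url") || { echo "bad endpoint: $sc_url" >&2; return 2; }
  is_local_host "${sc_hp% *}" || { echo "refusing non-local endpoint: $sc_url" >&2; return 2; }
  wait_for_endpoint "$sc_url" 30 || { echo "Cognito Local not reachable at $sc_url" >&2; return 1; }
  if command -v aws >/dev/null 2>&1; then
    # Dummy credentials and region: constructed values, assumed acceptable to the emulator.
    AWS_ACCESS_KEY_ID=local AWS_SECRET_ACCESS_KEY=local AWS_DEFAULT_REGION=us-east-1 \
      aws cognito-idp list-user-pools --max-results 10 --endpoint-url "$sc_url" >/dev/null || return 1
  fi
  echo "checkpoint passed: $sc_url"
}

if [ "${1:-}" = "--run" ]; then stage2_checkpoint "${2:-}"; fi
```

Run the script with --run (optionally followed by a different local endpoint URL); a non-zero exit status means the checkpoint has not passed.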