Amplified bloat?

Posted: 14 January, 2023 Category: backend Tagged: cognito, aws, auth, amplify

(This was actually from a few months ago but it was sitting in my drafts un-dated).

I'm gonna have an app that will use S3 for user content storage. Cognito's ability to generate temp security creds of the type that AWS services understand had me finally, grudgingly yielding to the idea of poking around with it. It did not last long. The following is what happened:

✏️ (be logged into your AWS management console).

Amplify Tooling

OK so, within a minute of googling for cognito integrations, you run into Amplify. Which is like a dev-friendly sdk/toolkit for talking to AWS and asking it nicely to do things for us. OK So:

  • I installed the CLI first
  • I ran init: amplify init
    • Under the hood, this seemed to yield a CloudFormation stack with the following components:
      UnauthRole                     AWS::IAM::Role                 CREATE_COMPLETE
      AuthRole                       AWS::IAM::Role                 CREATE_COMPLETE
      DeploymentBucket               AWS::S3::Bucket                CREATE_COMPLETE  
    • But what is DeploymentBucket? Did not ask for a deployment bucket. I did not ask for any buckets! Peeked in my S3 console and sure enough, a new bucket. It seemed to just contain stack metadata tho. OK. Fair enough
  • I installed the appropriate amplify libs for my framework - in my case npm install aws-amplify @aws-amplify/ui-react

Wiring in Auth

Steps are here.

  • ⚠️ At the time I did this, the docs did not make it clear what was supposed to be in the config passed to amplify. You can find the config details here, on a whole nother page.
  • ⚠️ It tells you to reference an aws-exports.js file: so it turns out this file is auto-generated for you by Amplify.


OK - this seems pretty cool; lots of heavy lifting done for you via CloudFormation. But:

  • ❗ No other social auth except for Amazon, Google, Facebook and Apple??!! Why would an app developer bother with this?
  • They don't advertise the caveat that once you commit to amplify you have to keep your mitts off the actual aws resources it gives you. I've come across sob stories where ppl touched something in aws ... only to have amplify seize like a hot engine.

Other than that, I dunno. It's... a LOT, you know? I'm also surprised at how long it took to provision initially. Like, what else is being built behind the scenes, and do I really need it? I don't want all the extra stuff. It almost manages to make auth0/okta feel like a more pleasant experience. Not sure...

Otoh, the tooling/cli is nice; it's totally in line with similar tooling for tucking away complexities that most fullstackers don't really want to be dealing with.

Update (Feb 2023) - OK how about rolling your own?

I actually asked someone if they remembered setting up cognito auth in the buff, sans amplify (you have to understand: I have avoided Cognito at every turn). Anyhow: we paired on it and besides a few missteps and UX glitches, we got a user pool up and running (mostly, it has to be said, from what he remembered of it, not what I remembered of it. In fact I was surprised to find an old email for my yebbie project kicking around in Cognito's memory, evidencing that I had been down this road before, before ditching it for auth0. LOL).

Regardless: This was better. Much nicer experience and waaaay less bloated. But now I'd be responsible for the integration and url redirects etc to make everything work with app endpoints. I guess that'll be my next lab on this, but the app in question is no longer a priority right now so...

To be continued.