Version: Latest

Configure Amazon Cognito

If your organization uses Amazon Cognito for user authentication, you can configure Rancher to allow login using Amazon Cognito credentials. The following instructions describe how to configure Rancher to work with Amazon Cognito:

Prerequisites

  • In Rancher:
    • Amazon Cognito is disabled.

  • In Amazon Cognito:
    • Create a new user pool or use an existing one.
    • In the App client settings, set the redirect (callback) URL to https://yourRancherHostURL/verify-auth. Replace yourRancherHostURL with the actual hostname of your Rancher instance (e.g., https://rancher.example.com/verify-auth). The URL must match exactly: Cognito rejects authorization requests whose redirect URI is not in the app client's callback list.

note

Consult the Amazon Cognito documentation to configure the user pool.

Configuring Amazon Cognito in Rancher

  1. In the upper left corner of the Rancher UI, click ☰ > Users & Authentication.

  2. In the left navigation bar, click Auth Provider.

  3. Select Amazon Cognito.

  4. Complete the Configure an Amazon Cognito account form. For help with filling the form, see the configuration reference.

  5. Click Enable.

    Rancher will redirect you to the Amazon Cognito login page. Enter your Amazon Cognito credentials to validate your Rancher configuration.

    note

    You may need to disable your popup blocker to see the Amazon Cognito login page.

Result: Rancher is configured to work with your Amazon Cognito user pool using the OIDC protocol. Your users can now sign into Rancher using their Amazon Cognito logins.

note

User and group search is not supported for Amazon Cognito. When assigning permissions to a Project or Cluster, you must manually enter the UserID generated by Cognito if the user has not yet logged in to Rancher. However, if the user has previously logged in, you can assign permissions using their username or email address.

Configuration Reference

Client ID
  The Client ID of your Amazon Cognito App Client.

Client Secret
  The generated secret of your Amazon Cognito App Client.

Issuer
  The Issuer URL of your Amazon Cognito user pool. It follows the format https://cognito-idp.{region}.amazonaws.com/{userPoolId}, and can be found in the App Client settings page. Rancher uses the Issuer URL to discover the remaining endpoints (the OIDC discovery document at {issuer}/.well-known/openid-configuration), so the value must be exactly the issuer, with no trailing slash or path.
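The procedure above and the configuration reference describe three values that must agree: the app client's redirect URL, the Issuer URL, and the endpoints Rancher discovers from that issuer. The following pre-flight check is an added example, not Rancher or AWS code. It builds the Cognito issuer URL from a region and user pool ID, fetches the issuer's OIDC discovery document, and checks the fields an authorization-code OIDC client such as Rancher depends on before you click Enable. The region, user pool ID, hostname and the sample discovery document are constructed for illustration; the fetcher is injectable so the check runs offline against that sample.

```python
"""Pre-flight check for a Rancher <-> Amazon Cognito OIDC configuration (added example)."""
import json
import re
import urllib.request
from urllib.parse import urlparse

# Constructed values, not a real pool or host; replace with your own.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"
RANCHER_HOST = "rancher.example.com"

# Cognito user pool IDs are "<region>_<id>"; the region prefix must match the region used in the issuer.
POOL_ID_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$")


def issuer_url(region: str, user_pool_id: str) -> str:
    """Cognito issuer format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}."""
    m = POOL_ID_RE.match(user_pool_id)
    if not m:
        raise ValueError(f"malformed user pool ID: {user_pool_id!r}")
    if m.group(1) != region:
        raise ValueError(f"user pool {user_pool_id!r} lives in {m.group(1)}, not {region}")
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def redirect_url(rancher_host: str) -> str:
    """The callback URL that must be listed in the Cognito app client settings."""
    return f"https://{rancher_host}/verify-auth"


def fetch_discovery(issuer: str) -> dict:
    """Fetch {issuer}/.well-known/openid-configuration over the network."""
    with urllib.request.urlopen(issuer + "/.well-known/openid-configuration", timeout=10) as r:
        return json.load(r)


REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(issuer: str, doc: dict) -> list:
    """Return a list of problems; empty means the issuer is usable by an authorization-code client.
    Such a client needs the authorization and token endpoints, the JWKS to verify ID tokens,
    the 'code' response type, and the openid/email scopes it requests."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}, expected {issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code' response type) not supported")
    for scope in ("openid", "email"):
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised; check the app client's allowed scopes")
    return problems


def check_redirect(url: str) -> list:
    """Rancher's callback path is fixed; Cognito additionally requires https for non-localhost URLs."""
    p = urlparse(url)
    problems = []
    if p.scheme != "https":
        problems.append("redirect URL must use https")
    if p.path != "/verify-auth":
        problems.append("redirect URL path must be /verify-auth")
    return problems


def preflight(region: str, pool_id: str, rancher_host: str, fetch=fetch_discovery) -> list:
    """Run every check; returns the combined list of problems (empty = ready to click Enable)."""
    issuer = issuer_url(region, pool_id)
    problems = check_redirect(redirect_url(rancher_host))
    problems += check_discovery(issuer, fetch(issuer))
    return problems


# Constructed discovery document shaped like the one Cognito serves; not captured from AWS.
SAMPLE_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/token",
    "userinfo_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/userInfo",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    # Offline run against the constructed document; drop fetch= to query the real issuer.
    found = preflight(REGION, USER_POOL_ID, RANCHER_HOST, fetch=lambda _issuer: SAMPLE_DISCOVERY)
    print("ready" if not found else "\n".join("PROBLEM: " + p for p in found))
```

Run it without the `fetch=` override to query your real user pool; a non-empty problem list usually explains why clicking Enable does not redirect you to Cognito, since a wrong region, a pool ID from another region, or an issuer typed with a trailing slash all make discovery fail before any login page is shown.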

Troubleshooting

You are not redirected to your authentication provider

If you fill out the Configure an Amazon Cognito account form and click Enable, and you are not redirected to Amazon Cognito, verify your Amazon Cognito configuration: check that the Client ID, Client Secret and Issuer URL in Rancher match the app client and user pool in Cognito, that the app client's redirect URL is exactly https://yourRancherHostURL/verify-auth, and that a popup blocker is not hiding the Cognito login window.