Step 1. (Option 2) Launch the stack in AWS China Regions - Data Transfer Hub

Step 1. (Option 2) Launch the stack in AWS China Regions

Important

The following deployment instructions apply to AWS China Regions only. For deployment in AWS Regions refer to Option 1.

Prerequisites

  1. Create an OIDC User Pool.

  2. Configure domain name service (DNS) resolution.

  3. Make sure an ICP-licensed domain is available.

Prerequisite 1: Create an OIDC user pool

In AWS Regions where Amazon Cognito is not yet available, you can use OIDC to provide authentication. The following procedure uses AWS Partner Authing as an example, but you can also choose any available provider.

  1. Go to the Authing console.

  2. Create a new user pool if you don’t have one.

  3. Select the user pool.

  4. On the left navigation bar, select Self-built App under Applications.

  5. Click the Create button.

  6. Enter the Application Name, and Subdomain.

  7. From Endpoint Information, copy the App ID (the OIDC client_id) and the Issuer to a text file. You will enter them later as the OidcClientId and OidcProvider stack parameters.

    Endpoint Information table showing App ID and Issuer fields highlighted in red boxes.
  8. Update the Login Callback URL and Logout Callback URL to the HTTPS URL of your ICP-licensed domain name (the domain under which the console will be reached).

    Authentication configuration form with subdomain, login, and logout callback URL fields.
  9. Set the Authorization Configuration.

    Authorization flow settings with authorization_code and code selected, RS256 algorithm, and no client verification.
  10. Update login control.

    1. From the left sidebar, open the Application page, select Login Control, and then select Registration and Login.

    2. Under the login methods, select only Password Login: Email.

    3. Under the registration methods, clear every option so that nobody can self-register. Every user in this pool receives admin rights, so accounts must be created only by an administrator (see step 11).

    4. Select Save.

  11. Create an admin user.

    1. From User & Roles, select Users, then choose Create user.

    2. Enter the email for the user.

    3. Choose OK.

    4. Check the email for a temporary password.

    5. Reset the user password.

    Note

    Because the Guidance does not support application roles, every user in this user pool receives admin rights. Create accounts only for people who should administer Data Transfer Hub, and keep self-registration disabled (step 10).
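The values collected above (Issuer, App ID, callback URLs, ICP-licensed domain) are easy to get subtly wrong, and a wrong Issuer or a callback on the wrong host only shows up as a failed login after the stack is deployed. The following pre-flight check is an added example, not part of the Data Transfer Hub guide or project: it compares those values against the provider's OpenID discovery document before they are used as the OidcProvider, OidcClientId and OidcCustomerDomain stack parameters. The discovery document embedded below is constructed for the example, and every host name and identifier in it is a placeholder rather than a real endpoint.

```python
"""Pre-flight check of the OIDC settings collected in Prerequisite 1.

Added example, not part of the Data Transfer Hub guide or project. It compares
the Issuer, App ID (client_id), callback URLs and ICP-licensed domain against
the provider's OpenID discovery document before they are entered as the
OidcProvider, OidcClientId and OidcCustomerDomain stack parameters.
The discovery document below is constructed for this example; every host name
and identifier in it is a placeholder, not a real endpoint.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed sample of what {issuer}/.well-known/openid-configuration returns.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dth-example.authing.cn/oidc",
    "authorization_endpoint": "https://dth-example.authing.cn/oidc/auth",
    "token_endpoint": "https://dth-example.authing.cn/oidc/token",
    "jwks_uri": "https://dth-example.authing.cn/oidc/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
})


def fetch_discovery(issuer, timeout=10):
    """Download the provider's discovery document for the given Issuer."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_oidc_settings(discovery_json, issuer, client_id, customer_domain, callback_urls):
    """Return a list of problems; an empty list means the settings are consistent.

    issuer          -> OidcProvider (the Issuer from Endpoint Information)
    client_id       -> OidcClientId (the App ID)
    customer_domain -> OidcCustomerDomain, the ICP-licensed domain with https://
    callback_urls   -> Login and Logout Callback URLs registered on the app
    """
    doc = json.loads(discovery_json)
    problems = []

    # OIDC Discovery requires the configured issuer to equal the document's
    # issuer exactly; a stray trailing slash or http:// makes ID token
    # validation in the portal fail.
    if not issuer.startswith("https://"):
        problems.append("issuer must use https://")
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}, configured {issuer!r}")

    if not client_id or not client_id.strip():
        problems.append("client_id (App ID) is empty")

    # The Authorization Configuration step selects authorization_code / code,
    # RS256 and no client verification, i.e. a public client with no secret.
    # The defaults below are what the discovery spec assumes when a field is absent.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not support response_type=code")
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("provider does not support the authorization_code grant")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not offer RS256 ID token signing")
    if "none" not in doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]):
        problems.append("token endpoint requires client authentication, but the portal has no client secret")

    # OidcCustomerDomain must be an https origin on the ICP-licensed domain,
    # not the subdomain Authing hands out.
    cd = urlparse(customer_domain)
    if cd.scheme != "https" or not cd.netloc:
        problems.append("customer_domain must start with https:// and name a host")
    elif cd.netloc.endswith(".authing.cn"):
        problems.append("customer_domain must be the ICP-licensed domain, not the Authing subdomain")

    # Callback URLs must be https on that same host; any other host would let
    # the provider send the authorization code elsewhere and would not match the portal.
    for url in callback_urls:
        cb = urlparse(url)
        if cb.scheme != "https" or cb.netloc != cd.netloc:
            problems.append(f"callback {url!r} is not https on {cd.netloc!r}")
    return problems


if __name__ == "__main__":
    # Offline demonstration against the constructed document; replace
    # SAMPLE_DISCOVERY with fetch_discovery(issuer) to check a live provider.
    issues = check_oidc_settings(
        SAMPLE_DISCOVERY,
        issuer="https://dth-example.authing.cn/oidc",
        client_id="6123abc0000000000000app1",
        customer_domain="https://dth.example.com.cn",
        callback_urls=["https://dth.example.com.cn/", "https://dth.example.com.cn/"],
    )
    print("OK" if not issues else "\n".join(issues))
```

Run it once with the real Issuer via fetch_discovery before launching the stack; every item it reports corresponds to a value that would otherwise have to be corrected by updating the stack and the Authing application after the fact.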

Prerequisite 2: Configure domain name service resolution

Configure domain name service (DNS) resolution to point the ICP-licensed domain to the CloudFront default domain name. You can use Amazon Route 53 or any other DNS provider.

The following example uses Amazon Route 53.

  1. Create a hosted zone in Amazon Route 53. For more information refer to the Amazon Route 53 Developer Guide.

  2. Create a CNAME record for the console URL.

    1. From the hosted zone, choose Create Record.

    2. In the Record name input box, enter the host name.

    3. From Record type select CNAME.

    4. In the value field, enter the CloudFront default domain name from the CloudFormation output PortalUrl (a CNAME value is a host name, so omit the https:// prefix). This output exists only after the stack has been created, so complete this step and the next one once the deployment below reaches CREATE_COMPLETE.

    5. Select Create records.

  3. Add an alternate domain name to the CloudFront distribution.

    1. Open the CloudFront console, find the distribution whose domain name matches the PortalUrl output, and select its ID (or select the check box and then choose Distribution Settings).

    2. Edit the distribution and add the host name from the Route 53 record to Alternate Domain Names (CNAMEs). Until this is done, CloudFront rejects requests that arrive with the ICP-licensed domain in the Host header.

Deploy the AWS CloudFormation template for Option 2 – AWS China Regions

This automated AWS CloudFormation template deploys Data Transfer Hub in the AWS Cloud. You must create an OIDC user pool and configure DNS resolution before launching the stack.

Note

You are responsible for the cost of the AWS services used while running this Guidance. For more details, visit the Cost section in this guide, and refer to the pricing webpage for each AWS service used in this Guidance.

  1. Sign in to the AWS Management Console and choose Launch solution to launch the DataTransferHub-openid.template AWS CloudFormation template. Alternatively, you can download the template as a starting point for your own implementation.


  2. The template launches in your console’s default Region. To launch the Guidance in a different AWS Region, use the Region selector in the console navigation bar.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your Guidance stack. For information about naming character limitations, refer to IAM and AWS STS quotas in the AWS Identity and Access Management User Guide.

  5. Under Parameters, review the parameters for this Guidance template and modify them as necessary. This Guidance uses the following default values.

    Parameter           Default            Description
    OidcProvider        <Requires input>   The Issuer shown in the OIDC application's Endpoint Information.
    OidcClientId        <Requires input>   The App ID (client_id) shown in the OIDC application's Endpoint Information.
    OidcCustomerDomain  <Requires input>   The customer domain that has completed ICP registration in China, not the subdomain provided by Authing. It must start with https://.
    AdminEmail          <Requires input>   The email address that receives task status alarms.
  6. Choose Next.

  7. On the Configure Stack Options page, keep the default values and choose Next.

  8. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create IAM resources.

  9. Choose Create Stack to deploy the stack.

You can view the status of your stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.
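The same deployment can be driven from code, which is useful when the parameter values are kept in version control or when several China Region accounts are set up the same way. The following is an added example, not part of the Data Transfer Hub guide or project. It covers the Parameters step above and the CNAME step of Prerequisite 2: the four parameters are validated and emitted in the shape create-stack expects, and the PortalUrl output is turned into a Route 53 change batch. The stack name, template URL, domain names and PortalUrl value are placeholders, the check that PortalUrl is a CloudFront default domain name assumes the *.cloudfront.cn / *.cloudfront.net naming, and deploy() is the only function that touches AWS.

```python
"""Stack parameters and the console CNAME for the Option 2 deployment.

Added example, not part of the Data Transfer Hub guide or project. It covers
the Parameters step of the stack deployment and the CNAME step of
Prerequisite 2. Stack name, template URL, domain names and the PortalUrl value
are placeholders; the check that PortalUrl is a CloudFront default domain name
assumes the *.cloudfront.cn / *.cloudfront.net naming. deploy() is the only
function that touches AWS and imports boto3 locally, so the rest runs offline.
"""
import re

# One DNS label per group, letters/digits/hyphens, at least one dot, 2+ letter TLD.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def host_of(https_url):
    """Return the host name of an https:// URL, or None if it is not one."""
    if not https_url.startswith("https://"):
        return None
    return https_url[len("https://"):].split("/", 1)[0].lower() or None


def build_stack_parameters(oidc_provider, oidc_client_id, oidc_customer_domain, admin_email):
    """Validate the four Option 2 parameters and return them as a create-stack list."""
    if host_of(oidc_provider) is None:
        raise ValueError("OidcProvider must be the https:// Issuer from the OIDC app")
    if not oidc_client_id.strip():
        raise ValueError("OidcClientId (App ID) is required")
    host = host_of(oidc_customer_domain)
    if host is None:
        raise ValueError("OidcCustomerDomain must start with https://")
    if host.endswith(".authing.cn") or not HOSTNAME_RE.match(host):
        raise ValueError("OidcCustomerDomain must be your ICP-licensed domain, not the Authing subdomain")
    if "@" not in admin_email:
        raise ValueError("AdminEmail must be an email address")
    values = {
        "OidcProvider": oidc_provider,
        "OidcClientId": oidc_client_id.strip(),
        "OidcCustomerDomain": oidc_customer_domain,
        "AdminEmail": admin_email,
    }
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in values.items()]


def build_cname_change(oidc_customer_domain, portal_url, ttl=300):
    """Route 53 change batch pointing the ICP-licensed host at the CloudFront
    default domain name taken from the stack's PortalUrl output."""
    host = host_of(oidc_customer_domain)
    if host is None:
        raise ValueError("OidcCustomerDomain must start with https://")
    # A CNAME value is a host name, so drop the scheme and any path from PortalUrl.
    target = portal_url.split("://", 1)[-1].split("/", 1)[0].lower()
    if not (target.endswith(".cloudfront.cn") or target.endswith(".cloudfront.net")):
        raise ValueError("PortalUrl should be the CloudFront default domain name")
    return {
        "Comment": "Data Transfer Hub console",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": host + ".",
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": target}],
            },
        }],
    }


def deploy(region, stack_name, template_url, parameters, hosted_zone_id):
    """Create the stack, wait for CREATE_COMPLETE, then create the console CNAME.
    Needs credentials for the China partition (cn-north-1 or cn-northwest-1)."""
    import boto3  # local import: the offline helpers above do not need it
    cfn = boto3.client("cloudformation", region_name=region)
    cfn.create_stack(StackName=stack_name, TemplateURL=template_url,
                     Parameters=parameters,
                     Capabilities=["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"])
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    customer_domain = next(p["ParameterValue"] for p in parameters
                           if p["ParameterKey"] == "OidcCustomerDomain")
    boto3.client("route53", region_name=region).change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch=build_cname_change(customer_domain, outputs["PortalUrl"]))
    return outputs
```

The CloudFront alternate domain name (step 3 of Prerequisite 2) is still added in the console; until it is, requests for the ICP-licensed host are rejected by CloudFront even though the CNAME resolves. The hosted zone id and the template URL are whatever your account and the Launch solution button provide; nothing in this example guesses them.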