- TechOps Examples
- Posts
- Designing an AWS Serverless Architecture for SaaS User Authentication
Designing an AWS Serverless Architecture for SaaS User Authentication
Govardhana M K
March 06, 2025
TechOps Examples
Hey β It's Govardhana MK π
Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.
π Before we begin... a big thank you to today's sponsor CAUSELY
[Free Service Reliability Assessment] Is Your Kubernetes Environment Truly Reliable?
Uncover hidden failure points in your critical services with Causelyβs FREE Service Reliability Assessment. Diagnose, remediate, and prevent application degradation in complex cloud-native environments.
What You'll Get:
Service Dependency View: Visualize your key service topology and cause-and-effect relationships.
Reliability Assessment: Evaluate your environment's resilience to application updates and changes.
Recommendations Report: Get actionable insights to prevent SLO violations, from quick wins to strategic improvements.
IN TODAY'S EDITION
π§ Use Case
Designing an AWS Serverless Architecture for SaaS User Authentication
π Top News
π Remote Jobs
Canonical is hiring a Site Reliability Engineer
Remote Location: Worldwide
KodeKloud is hiring a Junior DevOps Labs Engineer
Remote Location: India
ποΈ Resources
π’ Reddit Threads
π οΈ TOOL OF THE DAY
kluctl - A unified command-line interface to manage large Kubernetes deployments, integrating tools like Kustomize and Helm.
Centered around "targets," Kluctl facilitates deploying, diffing, and pruning across clusters or environments and provides a Web UI for visualization and control.
π§ USE CASE
Designing an AWS Serverless Architecture for SaaS User Authentication
Building authentication for a SaaS app means handling sign ups, verifying users, managing permissions, and connecting with marketing tools (all while keeping it scalable, secure, and cost effective).
A serverless approach using AWS services like Cognito, Lambda, DynamoDB, and SES provides an event driven, fully managed authentication flow.
Let's break it down.
Download a high resolution copy of this diagram here for future reference.
Services in Designing the Architecture
Amazon Cognito β User authentication and identity management.
AWS Lambda β Serverless functions to handle business logic.
Amazon DynamoDB β Stores user permissions and associated domains.
Amazon SES β Sends transactional emails for account notifications.
Third party marketing tools β Mailchimp, HubSpot, Beehiiv, ConvertKit etc.,
ABCβs of Authentication Flow and Logic
A. User Sign Up & Confirmation Process
Step 1: User Registration (AWS Cognito)
A user signs up via Cognito User Pool, providing email, password, and any required attributes (e.g., name, company, etc.).
Cognito sends a confirmation email (default) or an SMS OTP for account verification.
Upon successful verification, Cognito triggers the Post Confirmation Lambda (
confirmUser).
Step 2: Post Confirmation Trigger β Processing New Users
Once Cognito confirms the user, AWS invokes the Post Confirmation Lambda (confirmUser), which:
Writes user details to DynamoDB (Permissions Table).
Associates the user with domains (if applicable).
Sends a transactional email via SES, welcoming the user.
Syncs the user email to marketing platforms (Mailchimp, HubSpot, etc.), if the user opted in.
B. User Login & Token Generation Process
Step 1: User Logs In
The user logs in with their Cognito credentials.
Cognito verifies the password, generates a JWT token, and triggers the Pre Token Generation Lambda (
generateToken).
Step 2: Pre Token Generation Trigger β Injecting Custom Claims
The generateToken Lambda is responsible for enhancing the JWT token with additional information:
Fetches user role & permissions from DynamoDB (Permissions Table).
Reads associated domains from DynamoDB (Domains Table).
Modifies the JWT token, adding:
Custom Claims (
role,permissions,domains).This allows applications to make authorization decisions without extra API calls.
Why is this necessary?
Instead of querying DynamoDB on every API request, the token already contains what the app needs, thus improving performance.
C. Handling Authenticated API Requests
Once logged in:
The user includes the JWT token in requests to protected APIs.
The backend validates the token against Cognito.
APIs check custom claims (permissions, roles, domains) embedded in the token to enforce access control.
Architecture decisions are subjective. What works for one team might not work for another. Think it through before committing to any design (including mine here).
Not a joke, many DevOps engineers donβt fully understand the difference between a conventional CI/CD pipeline and a Kubernetes CI/CD pipeline.
Here, Iβve made this to help you better understand.
40K+ read my free weekday daily TechOps Examples newsletter:β¦ x.com/i/web/status/1β¦
β Govardhana Miriyala Kannaiah (@govardhana_mk)
3:01 PM β’ Mar 4, 2025
I run a DevOps and Cloud consulting agency and have helped 17+ businesses, including Stanford, Hearst Corporation, CloudTruth, and more.
When your business needs my services, book a free 1:1 business consultation.
You may even like: