
AWS Step Functions is a powerful orchestration service that lets you model even the most complex business workflows. It packs a great visualization tool (which you can also use to design your workflows visually now!) and can integrate with many AWS services directly, including Lambda, DynamoDB, and API Gateway.

It’s one of my favorite AWS services and I often use it to model complex or business-critical workflows. However, a common challenge for newcomers to Step Functions is how to go about testing them.

In this post, let’s talk about the challenges with testing Step Functions, the failure modes that…

With API Gateway and Lambda, you can handle client errors gracefully by returning a 4xx response.

module.exports.handler = async (event) => {
  // run validation logic
  return {
    statusCode: 400
  }
}

This way, we can communicate clearly to the client that there’s a problem with its request. It also lets the Lambda invocation complete successfully, so the invocation doesn’t count as erroneous. This means it wouldn’t trigger any error alerts you have on your Lambda functions.

Unfortunately, when it comes to AppSync and Lambda, we don’t have this ability anyway. …

It’s been two years since I last wrote about Lambda layers and when you should use them. Most of the problems I discussed in that original post still stand:

  • It makes it harder to test your functions locally. You will still need those dependencies to execute your function code locally as part of your tests.
  • There is no semantic versioning. The only way to simulate this is through some clever wrapping via SAR.
  • It doesn’t work with statically compiled languages.
  • It (probably) doesn’t work with static analyzers that check your code and your dependencies for vulnerabilities.
  • You can only have…

An interesting question came up in a conversation today:

“How should I manage the Route53 DNS records in a multi-account environment?”

Suppose you have configured an AWS Organization with different accounts for dev, staging and production environments. And you have registered the root domain for your application in the master AWS account.

When working with CloudFront or API Gateway, you often need to issue ACM (Amazon Certificate Manager) certificates in order to use custom domain names.

To verify the ACM certificate request, you can add a CNAME record to the Route53 hosted zone. *You can use email verification too, but…

In the last post I discussed my preferred approach for modelling multi-tenant applications with AppSync and Cognito. This approach supports the common requirements in these applications, where there are a number of distinct roles within each tenant.

This approach (and others like it) works great when the tenants are isolated. But what if they are not? What if the tenants fall into an organizational hierarchy?

Thank you to Josh for asking this question on the AppSync Masterclass forum. His original question goes like this:

Let’s say I want to add a one-to-many relationship from Profile to a new property called “Tag” (a complex object with “name” and “color” properties) so a user can define their own Tags.

I would also like a Tweet to reference one or more of the user’s own Tags. The Tag(name, color) object can change over time (the “name” can be renamed for example) so I don’t think I want to copy it into a Tweet.

Do you have an example…

One of the most common questions I get is “How do I build a multi-tenant application with AppSync and Cognito?”.

If you google this topic on the internet you will no doubt come across many different opinions. It’s a topic that we’ll soon explore in the AppSync Masterclass but I want to take this opportunity to explain my thoughts on it.

You see, a common requirement in these multi-tenant applications is to support roles within each tenant. These are usually well-defined roles in your application and a user would fall into one of these roles within his/her tenant.

So you…

In light of recent news of Okta’s pending acquisition of Auth0 there’s been renewed discussion about where Amazon Cognito fits into the picture. It’s a question my clients often ask me, so here are my two cents.

The case for Cognito

Integration with other AWS services

Cognito’s tight integration with other AWS services such as API Gateway, AppSync and ALB is by far its greatest strength.

It removes a whole layer of custom code you’d have to write otherwise.

For example, if you decide to use Auth0 and skip Cognito altogether (I will talk about SAML federation in a minute) then you will need to write a Lambda authorizer…

When you start a new Vue.js project that needs to interface with APIs running in AWS, there’s a good chance you will have these lines of code:

import Amplify from 'aws-amplify'

Amplify.configure({
  Auth: {
    region: 'us-east-1',
    userPoolId: 'xxx',
    userPoolWebClientId: 'xxx',
    mandatorySignIn: true
  }
})

These few lines of code let you use the aws-amplify library to authenticate the user against a Cognito User Pool and support common flows such as sign-up, sign-in, sign-out, forgotten passwords and change passwords.

But, as you provide your Vue.js …

All the sessions during week 1 are available to watch on-demand now. You can access them via the official reinvent portal here.

Here are my top picks for sessions to watch, in no particular order.

“Building technology standards at Amazon scale” by Marc Brooker
You can watch the session here, and here are my notes for the session.

“Monitoring production services at Amazon” by David Yanacek
You can watch the session here, and here are my notes for the session.

“Automating continuous delivery pipelines at Amazon” by Clare Liguori
You can watch the session here, and here are my notes for the session.

Yan Cui

AWS Serverless Hero. Independent Consultant Author of Speaker. Trainer. Blogger.
