Building a BaaS platform on AWS

For this particular Tutorial, we will choose to use AWS to build our backend service. Amazon has lately released a JavaScript-based SDK called the AWS JS SDK that allows us to connect to and work with the various AWS services using plain, simple JavaScript.

You can read more about the JS SDK and download it from

We will be making use of the following AWS services to build our backend:

    • DynamoDB: This is Amazon’s fully managed and highly scalable NoSQL database.
    • Simple Storage Service (S3): This is used to store images, CSS, and other types of static files. You will remember using this S3 service in Tutorial 8, Scalable Architecture for Deployments on AWS.
    • AWS Identity and Access Management (IAM): This is a core service that allows us to create user groups, roles, and define access rights to the various AWS services for the created roles.
    • AWS Security Token Service (STS): The security token service goes hand in hand with the IAM service. As the name suggests, this service provides temporary, limited-privilege credentials to IAM users or federated users.
    • Web Identity Federation (WIF): This is a new feature within the STS. It allows us to use authenticated access tokens from third-party identity providers such as Facebook, Google, or Amazon to allow access to the AWS services.

Setting up an S3 Bucket with public read access

In the previous Tutorial, we saw how to create an S3 bucket on AWS and upload files using their online dashboard. We also saw how to give the bucket public read access so that the uploaded files would be visible to everybody on the Internet.

In our case, as the images are going to be uploaded by the end users, we will need to set bucket-level policies so that all the uploaded images automatically become public.

Let’s now see how to go about doing it:

  1. First, log in to the AWS Management Console at Navigate to the S3 service and create a bucket. I’m calling mine garage-commerce. Preferably select us-east-1 as the region so as to easily follow the steps in this Tutorial.
  2. Go to the Properties panel, expand the Permissions accordion, click on the Add bucket policy button, and add the following bucket policy in the dialog that appears:
       {
         "Version": "2008-10-17",
         "Statement": [
           {
             "Sid": "AllowPublicRead",
             "Effect": "Allow",
             "Principal": {
               "AWS": "*"
             },
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::garage-commerce/*"
           }
         ]
       }

    Make sure that you replace garage-commerce in the Resource line with the name of your bucket. Note that this statement only grants anonymous users s3:GetObject on objects; it does not grant listing of the bucket or any write access.

  3. Save the policy and close it.

Setting up the CORS policy on your S3 bucket

Cross-origin resource sharing (CORS) is a way to allow applications hosted on one domain to interact with resources on another domain.

By default, AWS allows only GET methods for all domains. As we need to be able to read and write to the S3 bucket from our localhost application, we need to add a custom CORS rule.

To add the custom rule, click on the Add CORS configuration button within the permissions accordion, and add the following CORS policy to allow localhost to write to S3:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="">

Creating our DynamoDB tables

Next, we will create our DynamoDB table. So, from the Management Console or the Services drop-down link, head to the DynamoDB service and follow these steps. For the sake of consistency, select the US East (N. Virginia) region:

  1. Click on the Create Table button and call it garage-commerce. Set the Primary Key type to Hash, and set the Hash Attribute Name to product_id. Then, click on the Continue button.
  2. We will leave the Add Indexes screen as it is and continue to the next step.
  3. On the Provisioned Throughput Capacity section, we will set the following:
    • Read Capacity Units: 10
    • Write Capacity Units: 5

    A capacity unit defines the number of requests per second the table can serve. The values 10 for read and 5 for write are the limits of the free tier and are sufficient during the development phase. In production, these values can be scaled up as required.

  4. On the next Throughput Alarm Option screen, you can choose to give an e-mail address to receive notifications or leave it blank.
  5. Review the details on the next Summary page and click on the Create button.

Your table should now be visible in the DynamoDB control panel.

Creating the Identity and Access Management (IAM) role

Let’s now head over to the IAM link from the AWS management console or the services link:

  1. In IAM, go to the Roles section from the navigation screen on the left-hand side, and create a new role.
  2. Create a user called garageCommerceUser.
  3. On the Configure Role screen, select the Role for Identity Provider Access radio button.
  4. Select the Grant access to web identity providers button.
  5. On the next screen, select Facebook as the Identity Provider, and enter the application ID of the Facebook app you created on Facebook.
  6. On the next Establish Trust screen, review the default policy created by AWS and click on Continue.
  7. On the next Set Permissions screen, select the No Permissions radio button and create the role.
  8. Once the role shows up in the list of roles, select garageCommerceUser. On the Permissions tab, click on the Attach role policy button and select Power User Access.

This should allow our user role to have the necessary permissions to interact with the S3 and DynamoDB services. Keep in mind that Power User Access grants far more than S3 and DynamoDB to anyone who can obtain a Facebook token for your app, so in production the attached policy should be narrowed to the garage-commerce bucket and table only.
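The following is an added example, not code from the tutorial, that serves both the bucket policy above and the role permissions in this section: a small policy auditor that flags anonymous write access, wildcard actions or resources, and NotAction grants, run over the tutorial's bucket policy, a constructed stand-in for a Power User style grant, and a least-privilege role policy that scopes each federated user to a prefix named after their Facebook id (using the IAM policy variable graph.facebook.com:id; the account id 123456789012 is a placeholder).

```javascript
// Added example, not code from the tutorial: audit policy documents before
// attaching them, using the garage-commerce bucket and table from the text.
const READ_ONLY_ACTIONS = new Set(["s3:GetObject"]);
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns human-readable findings; an empty list means every Allow statement
// stays within "anonymous read of objects" or "scoped actions for the role".
function auditPolicy(doc) {
  const findings = [];
  for (const st of asList(doc.Statement)) {
    if (st.Effect !== "Allow") continue;
    const sid = st.Sid || "(no Sid)";
    const actions = asList(st.Action);
    const p = st.Principal;
    const isPublic = p === "*" || (p != null && p.AWS === "*");
    if (st.NotAction !== undefined) findings.push(`${sid}: NotAction grants every action not listed`);
    if (actions.some((a) => a === "*" || a.endsWith(":*"))) findings.push(`${sid}: wildcard action`);
    if (asList(st.Resource).includes("*")) findings.push(`${sid}: wildcard resource`);
    if (isPublic && actions.some((a) => !READ_ONLY_ACTIONS.has(a))) {
      findings.push(`${sid}: anonymous principal may ${actions.join(",")}`);
    }
  }
  return findings;
}

// The bucket policy from the tutorial: anonymous read of objects only.
const publicReadBucketPolicy = {
  Version: "2008-10-17",
  Statement: [{ Sid: "AllowPublicRead", Effect: "Allow", Principal: { AWS: "*" },
    Action: "s3:GetObject", Resource: "arn:aws:s3:::garage-commerce/*" }],
};

// Least-privilege alternative to Power User Access for the Facebook role: each
// federated user may only write under a prefix named after their Facebook id
// (IAM policy variable) and only use the app's table; 123456789012 is a placeholder.
const scopedRolePolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "UploadOwnImages", Effect: "Allow", Action: "s3:PutObject",
      Resource: "arn:aws:s3:::garage-commerce/${graph.facebook.com:id}/*" },
    { Sid: "ProductTable", Effect: "Allow",
      Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
      Resource: "arn:aws:dynamodb:us-east-1:123456789012:table/garage-commerce" },
  ],
};

// Constructed stand-in for a Power User style grant (not the real managed policy).
const powerUserLike = { Version: "2012-10-17",
  Statement: [{ Sid: "PowerUser", Effect: "Allow", NotAction: "iam:*", Resource: "*" }] };
```

Running auditPolicy over the three documents returns no findings for the bucket policy and the scoped role policy, and two findings (NotAction and wildcard resource) for the Power User style grant.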