
Building a SaaS solution on AWS using Serverless

Anubhav Sharma
Principal Solutions Architect
AWS SaaS Factory

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Software-as-a-Service (SaaS) is a business and software delivery model that enables organizations to offer their solution in a low-friction, service-centric approach.

There are many advantages to a customer-centric approach, but here's the big one: Customers are always beautifully, wonderfully dissatisfied, even when they report being happy and business is great. Even when they don't yet know it, customers want something better, and your desire to delight customers will drive you to invent on their behalf.

Jeff Bezos
Founder and Executive Chair, Amazon.com, Inc.
2016 letter to shareholders

What it means to be SaaS

Application plane (used by tenant users):
• Web tier
• Multi-tenant microservices

Control plane (used by admin users):
• Admin console
• Onboarding
• Provisioning
• Identity
• Tenant management
• Metrics
• Billing
Application plane deployment models

• Silo model: dedicated resources for each tenant (Tenant 1 and Tenant 2 each run their own set of services)
• Pool model: shared resources for all tenants (one set of services serves Tenant 1 and Tenant 2)
Serverless SaaS reference architecture

AWS Services & Features Used
• AWS Serverless Application Model (SAM)
• AWS Cloud Development Kit (CDK)
• Amazon API Gateway
§ REST APIs
§ Lambda Authorizer
§ Usage plans & API keys

• Amazon Cognito
§ User Pools

• AWS Lambda
§ Fine-grained access control (AWS STS)
§ Lambda Layers

• AWS CodePipeline
§ Canary deployments

• Amazon DynamoDB

Tier-based deployment model

Application plane:
• Basic & Standard tiers: pooled services (Tenants 3..N share one set of microservices)
• Platinum tier: siloed services (Tenant 1 and Tenant 2 each get a dedicated set of microservices)

Control plane:
• Registration
• Tenant management
• User management
• Tenant provisioning

Baseline Architecture

Web application: landing/sign-up application, sample SaaS application and SaaS provider admin console. Tenants and the SaaS provider authenticate through Amazon Cognito.

Amazon API Gateway: Lambda Authorizer, API keys & usage plans.

Application services (pooled): Order, Product
Shared services: Registration, Tenant management, Tenant provisioning, User management
Layers: Auth Manager, Metrics Manager, Log Manager

Registering new tenants

1. The tenant signs up through the landing/sign-up application, which calls the Registration service.
2. Registration calls User management: create a user pool (silo) or a user pool group (pool), then create the tenant admin user.
3. Registration calls Tenant management: create the tenant and store the tenant configuration.
4. Registration calls Tenant provisioning: provision the tenant, configure tenant settings (silo/pool) and create a stack for siloed tenants.

The SaaS provider's administrator can start the same registration flow from the SaaS Admin Console.

Tenant registration (code screenshot: create user, create tenant)

Authentication and authorization

1. The tenant user signs in through the Cognito Hosted UI.
2. Cognito returns a JWT carrying the tenant context, e.g. { tenantId: "abc", userRole: "Admin" }.
3. The sample SaaS (tenant commerce) application sends requests (GET, POST) to API Gateway with the JWT.
4. API Gateway evaluates usage based upon the API key (usage plans) and invokes the Lambda Authorizer, which validates the JWT and returns a policy that allows or disallows routes.
5. API Gateway forwards allowed requests to the Lambda functions.
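The allow/disallow step above, as an added example (not code from the deck or the reference solution): given already verified JWT claims and the API Gateway method ARN, produce the Lambda authorizer response. The role-to-route table, the claim names `tenantId`/`userRole` (the deck shows them as plain claim names; in a Cognito token they would be custom attributes), and the function names are assumptions for this example. Token signature verification against the user pool's JWKS is assumed to have happened before this point.

```python
import fnmatch

# Hypothetical role-to-route table (an assumption for this example, not from the deck).
# Entries are "METHOD /path"; IAM-style '*' wildcards are allowed in both parts.
ROLE_ROUTES = {
    "SystemAdmin": ["* /*"],
    "Admin": ["* /users/*", "* /orders/*", "* /products/*"],
    "User": ["GET /orders/*", "POST /orders", "GET /products/*"],
}


def split_method_arn(method_arn):
    """Split 'arn:aws:execute-api:<region>:<acct>:<api-id>/<stage>/<METHOD>/<path>'
    into (api-and-stage prefix, METHOD, /path)."""
    parts = method_arn.split(":", 5)
    api_id, stage, method, *path = parts[5].split("/")
    prefix = ":".join(parts[:5]) + ":" + api_id + "/" + stage
    return prefix, method, "/" + "/".join(path)


def route_to_resource(prefix, route):
    """Turn a 'METHOD /path' entry into the execute-api resource ARN it covers."""
    method, path = route.split(" ", 1)
    return prefix + "/" + method + path


def build_authorizer_response(claims, method_arn):
    """Produce the Lambda authorizer output from already verified JWT claims.

    The policy lists every route the user's role may call, not only the one
    being requested, because API Gateway caches the response per token and
    reuses it for the caller's next requests. A token with no tenantId, or an
    unknown role, gets an explicit Deny. The context block is what downstream
    Lambda functions read through $context.authorizer.<key>.
    """
    prefix, _, _ = split_method_arn(method_arn)
    tenant_id = claims.get("tenantId")
    role = claims.get("userRole")
    routes = ROLE_ROUTES.get(role, [])
    if not tenant_id or not routes:
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny",
                     "Resource": method_arn}
    else:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow",
                     "Resource": [route_to_resource(prefix, r) for r in routes]}
    return {
        "principalId": claims.get("sub", "unknown"),
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        "context": {"tenantId": tenant_id or "", "userRole": role or ""},
    }


def gateway_would_allow(response, method_arn):
    """Local stand-in for API Gateway's evaluation of the returned policy:
    a matching Deny wins, otherwise a matching Allow permits the call,
    and no match at all is an implicit deny."""
    allowed = False
    for stmt in response["policyDocument"]["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(fnmatch.fnmatchcase(method_arn, r) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample claims and method ARN (not a real tenant or API).
    arn = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3/prod/GET/orders/42"
    claims = {"sub": "user-1", "tenantId": "abc", "userRole": "User"}
    resp = build_authorizer_response(claims, arn)
    print(resp["policyDocument"]["Statement"][0]["Effect"], resp["context"])
```

Returning the whole route set for the role is what makes authorizer caching safe: with caching enabled, a policy scoped only to the requested method ARN would be replayed against the caller's other routes and deny them, which tempts people to disable caching or widen the policy to `*`. The missing-tenantId case is an explicit Deny rather than an exception so that it is cached like any other decision.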

Routes based on user roles (code screenshot)

Tenant isolation: Silo model

The tenant's JWT passes through API Gateway and the Authorizer to the tenant-specific Lambda function (Order_Tenant1). Isolation comes from that function's Lambda execution role, which can reach only the tenant's own table:

{
    "Sid": "Tenant1Role",
    "Effect": "Allow",
    "Action": [
        "dynamodb:GetItem"
    ],
    "Resource": [
        "arn:aws:dynamodb:us-east-1:xxx:table/Tenant1-Order"
    ]
}

Dynamic policy

Generated at runtime for the caller's tenant. The table wildcard limits which tables can be reached; the dynamodb:LeadingKeys condition limits the partition-key values within them to those prefixed with the tenant ID.

statement = {
    "Effect": "Allow",
    "Action": [
        "dynamodb:UpdateItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query"
    ],
    "Resource": [
        "arn:aws:dynamodb:{0}:{1}:table/Product-*".format(region, aws_account_id)
    ],
    "Condition": {
        "ForAllValues:StringLike": {
            "dynamodb:LeadingKeys": [
                "{0}-*".format(tenant_id)
            ]
        }
    }
}

Code snippet: STS credentials

import boto3

sts_client = boto3.client("sts")

# get the IAM policy for this user's role and tenant
# (getPolicyForUser returns the policy document serialized as a JSON string,
# which is the form assume_role's Policy parameter requires)
iam_policy = getPolicyForUser(user_role, tenant_id)

# use the STS client to generate tenant-scoped credentials;
# role_arn is the role the authorizer is allowed to assume
assumed_role = sts_client.assume_role(
    RoleArn=role_arn,
    RoleSessionName="tenant-aware-session",
    Policy=iam_policy,
)
credentials = assumed_role["Credentials"]

# pass the STS credentials to the Lambda function through the authorizer context
context = {
    'accesskey': credentials['AccessKeyId'],        # read as $context.authorizer.accesskey
    'secretkey': credentials['SecretAccessKey'],
    'sessiontoken': credentials['SessionToken'],
}
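An added example (not the deck's or the reference solution's code) that ties the dynamic policy, the STS step and the pooled-model DynamoDB access together: the statement as a function of the tenant, a local model of how IAM evaluates the ForAllValues:StringLike condition on dynamodb:LeadingKeys, the assume_role call, and the boto3 resource the pooled Lambda builds from the resulting context. The function names, the role ARN and the tenant IDs used in the test are assumptions; the policy content is the deck's.

```python
import json
import fnmatch


def build_tenant_policy(tenant_id, region, account_id, table_prefix="Product"):
    """Session policy for sts:AssumeRole, built from the deck's statement.

    Two fences apply together: the Resource wildcard limits which tables may
    be touched, and the dynamodb:LeadingKeys condition limits the partition-
    key values inside them to '<tenant_id>-*'. dynamodb:Scan is deliberately
    absent: a Scan carries no LeadingKeys, and ForAllValues evaluates to true
    when the key is absent from the request, so granting Scan here would let
    a tenant read the whole pooled table.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:UpdateItem", "dynamodb:GetItem", "dynamodb:PutItem",
                       "dynamodb:DeleteItem", "dynamodb:Query"],
            "Resource": [f"arn:aws:dynamodb:{region}:{account_id}:table/{table_prefix}-*"],
            "Condition": {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": [f"{tenant_id}-*"]}},
        }],
    }


def leading_keys_allowed(policy, action, leading_keys):
    """Local model of IAM's decision for one DynamoDB call under the policy
    above (Resource matching is left out). The action must be listed, and
    every partition-key value in the request must match a StringLike pattern.
    With no keys at all the ForAllValues clause is vacuously true, which the
    empty-list case reproduces; that is the Scan hazard described above."""
    stmt = policy["Statement"][0]
    if action not in stmt["Action"]:
        return False
    patterns = stmt["Condition"]["ForAllValues:StringLike"]["dynamodb:LeadingKeys"]
    return all(any(fnmatch.fnmatchcase(key, p) for p in patterns) for key in leading_keys)


def get_tenant_credentials(sts_client, role_arn, tenant_id, region, account_id):
    """The deck's assume_role step, with the policy passed as the JSON string
    STS expects. The returned credentials can do only what the role's own
    policy AND this session policy both permit."""
    response = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName="tenant-aware-session",
        Policy=json.dumps(build_tenant_policy(tenant_id, region, account_id)),
        DurationSeconds=900,  # the shortest STS allows: one request's worth of access
    )
    creds = response["Credentials"]
    # Same keys the deck places in the authorizer context ($context.authorizer.*).
    return {"accesskey": creds["AccessKeyId"],
            "secretkey": creds["SecretAccessKey"],
            "sessiontoken": creds["SessionToken"]}


def tenant_scoped_dynamodb(context, region):
    """What the pooled Lambda function does with those context values: build a
    boto3 resource that carries only the tenant-scoped, short-lived credentials
    instead of the function's own execution role."""
    import boto3  # imported here so the policy helpers above stay importable offline
    return boto3.resource("dynamodb", region_name=region,
                          aws_access_key_id=context["accesskey"],
                          aws_secret_access_key=context["secretkey"],
                          aws_session_token=context["sessiontoken"])
```

The `leading_keys_allowed` model is the check worth keeping around: run it against the Action list whenever the policy template changes, so that an action without a LeadingKeys context key (Scan, or table-level calls) never slips in behind a condition that cannot constrain it.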

Authorizer output (code screenshot)

Tenant isolation: Pooled model

The tenant's JWT ({tenantId: 1}) reaches API Gateway. The Authorizer acquires the tenant scope at runtime (IAM + AWS STS) and passes the tenant ID, user role, access key, secret key and session token to the pooled Lambda functions, which access the pooled DynamoDB tables (basic, standard, premium) with scoped, short-lived credentials:

dynamodb = boto3.resource('dynamodb',
    aws_access_key_id=accesskey,
    aws_secret_access_key=secretkey,
    aws_session_token=sessiontoken
)

Pool-based partition with DynamoDB

• Tenant data lives in the same table
• TenantID is used as the ShardID (partition-key prefix)
• Isolation policies are applied by ShardID

Multi-tier, multi-account, multi-region CI/CD

Build pipeline: Source → Build → Artifacts (S3) → Test → Start Deployments
Deployment pipelines: one per stack (Pooled Prod, Tenant 1 Prod, Tenant 2 Prod)

Deployment tracking table:

tenantId | stackName | accountId  | region    | status    | commitId
pooled   | pooled    | 1234569890 | us-east-1 | deploying | ddddd
Tenant1  | tenant1   | 5678901245 | us-west-2 | deployed  | eeeeee
Tenant2  | tenant2   | 1111112222 | us-east-1 | deployed  | eeeeee

Tenant routing

1. The user logs in to the sample SaaS application with their tenant name.
2. The application looks up the tenant identity settings in Tenant management (tenant name → tenantName, user pool mapping, API Gateway URL).
3. The user is redirected to the Hosted UI of the matching user pool (Pooled, Platinum 1 or Platinum 2).
4. The JWT token is returned to the application.
5. Requests carrying the JWT are routed to the matching deployment (Pooled, Platinum 1 or Platinum 2), each with its own Product service.
Final View of Architecture

• Web front end: sign-up application, SaaS application and SaaS admin console, served from Amazon CloudFront and S3; tenants and the SaaS provider authenticate through Amazon Cognito.
• API layer: Amazon API Gateway with API keys/usage plans, a Lambda authorizer and AWS STS for tenant-scoped credentials.
• Application services: Pooled (Order, Product), Tenant 1 (Order, Product), Tenant 2 (Order, Product).
• Shared services: Tenant registration, Tenant management, Tenant provisioning, User management.
• Layers: Logging & metrics, Auth.
• CI/CD: Source → Build → Deploy.
Serverless SaaS reference links
• https://catalog.us-east-1.prod.workshops.aws/workshops/b0c6ad36-0a4b-45d8-856b-8a64f0ac76bb/en-US
• https://github.com/aws-samples/aws-serverless-saas-workshop
• https://aws.amazon.com/blogs/apn/building-a-multi-tenant-saas-solution-using-aws-serverless-services/
• https://github.com/aws-samples/aws-saas-factory-ref-solution-serverless-saas
• https://aws.amazon.com/blogs/devops/parallel-and-dynamic-saas-deployments-with-cdk-pipelines/
