Version v0.5 of the documentation is no longer actively maintained. The site that you are currently viewing is an archived snapshot. For up-to-date documentation, see the latest version.

Authentication and TLS Support

Add TLS and authentication with your custom domain

This section shows the how to add TLS support and create a user pool to authenticate users with your custom domain in Amazon Web Services (AWS).

Traffic Flow

External Traffic → [ Ingress → Istio ingress gateway → ambassador ]

When you generate and apply kubernetes resources, an ingress is created to manage external traffic to Kubernetes services. The AWS Appliction Load Balancer(ALB) Ingress Controller will provision an Application Load balancer for that ingress. By default, TLS and authentication are not enabled at creation time.

The Kubeflow community plans to move from Ambassador to Istio to manage internal traffic (see this issue). Currently, Ambassador still plays the role of an API gateway. TLS, authentication, and authorization either can be done at the ALB or Istio layer for the AWS platform, and we plan to have Istio forward ingress traffic to the Istio gateway and then on to Ambassador when this happens. Once receive a clear direction from the community, we will enable TLS and authentication by default.

Enable TLS and Authentication

Right now, certificates for ALB public DNS names are not supported. Instead, you must prepare a custom domain. You can register your domain in Route53 or any domain provider such as

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

To get TLS support from the ALB Ingress Controller, you need to follow this tutorial to request a certificate in AWS Certificate Manager. After successful validation, you will get a certificate ARN to use with the ALB Ingress Controller.

Cognito Certificate ARN

AWS Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.

Cognito Application Client Setting

Cognito Domain Name

In order to authenticate and manage users for Kubeflow, let’s create a user pool. You can follow these instructions here. Once a user pool created, we will have a UserPoolId, a Cognito Domain name, and a Cognito Pool Arn.

Before you apply k8s, you can go into ${KUBEFLOW_SRC}/${KFAPP}/ks_app,

ks param set istio-ingress CognitoUserPoolArn arn:aws:cognito-idp:us-west-2:xxx:userpool/xxx
ks param set istio-ingress CognitoAppClientId xxxxxx
ks param set istio-ingress CognitoUserPoolDomain xxxx
ks param set istio-ingress enableCognito true
ks param set istio-ingress certArn arn:aws:acm:us-west-2:xxx:certificate/xxxe4031c

After you finish the TLS and Authentication configuration, then you can run ${KUBEFLOW_SRC}/${KFAPP}/scripts/ apply k8s.

After your ingress DNS is ready, you need to create a CNAME in your DNS records.

Custom Domain CNAME

Then you can visit, which is a custom domain we use in this case, it will redirect you to an authentication page. We added a user kubeflow-test-user in the Cognito setting and we can use this user for the login service.

Cognito Authentication pop-up

Kubeflow main page

Last modified 26.04.2019: Address review feedbacks (ee8e632)