Amazon Lambda – Part 4 – Secured with an API Key and IAM User

After discovering how easy it was to integrate the API Key, I thought this would not be complicated. However, that was not the case and I had to jump over a couple of hurdles. Ultimately, I found 99% of my answers in the Amazon documentation. They really keep their documentation sites up to date from what I can see 🙂

The high-level process is as follows:

  • Select ‘AWS_IAM’ from the Authorization drop-down in the method’s request settings

[Screenshot: Step1]

  • Deploy (or redeploy) the API

[Screenshot: Deploy]

  • Once this is set up and deployed (funny how often I forget this step :)), a call that presents only the API Key is rejected (as expected)

[Screenshot: ThisShouldBeWorking]

  • Create a policy (see reference #1)
    • Mine looks like this

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "execute-api:Invoke"
            ],
            "Resource": [
              "arn:aws:execute-api:us-west-2::/restapis/<resource id>/*"
            ]
          }
        ]
      }

NOTE: Version failed when I set it to today’s date, which is what I originally put in. It has to be "Version": "2012-10-17", because the value is a policy-language version, not the date you wrote the policy (see reference #7)

  • Create user

[Screenshot: Step2.9]

  • Apply Policy to user

[Screenshot: Step3]

NOTE: There is a ‘Simulate Policy’ option that I found useful. From there you can simulate this policy against any of the existing resources (as far as I could see) before making a real call.

  • Make your call
    • Set up the headers – This is a little complicated, but this is also one of the reasons I love Postman. I am not sure when it was added, but there is an AWS option under Authorization. I added my ‘stuff’ to it and it started working. I took the header values created by Postman and replicated them in another REST client called Advanced Rest Client (see reference #8) that works pretty well.

[Screenshot: Step4]

  • Postman results

[Screenshot: Postman]

  • Advanced Rest Client

[Screenshot: AdvancedRest]

Issues:

  • Part of this was rethinking how I viewed authorization. In the past, if my user was authenticated, I would then allow them access to whatever they were allowed access to. This was determined by what roles and/or groups with roles the user was part of. Creating a ‘policy’ and applying it directly to the user is a little unorthodox to me…or at least, it was not how I had been taught to do authorization. Especially since IAM has groups and roles. Historically, roles have responsibilities that are applied to groups. If you want a user to have access to them, you add them to that group. Just something different 🙂
  • Figuring out the headers with Postman’s AWS option is still a black box to me and I will need to figure this out for the next step in this blog series. I am assuming it is something similar to how Azure calculates some of its access signatures (see reference #9).
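What Postman’s AWS option computes is an AWS Signature Version 4 request signature. The following is an added example, not code from the original post: a minimal SigV4 signer in Python for an IAM-authenticated execute-api call, with the optional x-api-key header carried alongside it. The host, path, key and secret values are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(method, host, path, query, body, access_key, secret_key,
                  region, service="execute-api", api_key=None, amz_date=None):
    """Headers for an IAM-authenticated API Gateway call (SigV4 over Host and
    x-amz-date; the optional API key rides unsigned in x-api-key)."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    # 1. Canonical request: method, URI, sorted query, headers, signed-header list, payload hash
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    payload_hash = hashlib.sha256(body).hexdigest()
    canonical_request = "\n".join([method.upper(), quote(path, safe="/"), canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    # 2. String to sign: algorithm, timestamp, credential scope, hash of canonical request
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # 3. Signing key: HMAC chain from the secret through date, region, service, terminator
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    # 4. Signature and Authorization header
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers = {
        "Host": host,
        "x-amz-date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }
    if api_key:
        headers["x-api-key"] = api_key
    return headers


if __name__ == "__main__":  # constructed placeholder values, not real credentials
    for k, v in sigv4_headers("GET", "<api-id>.execute-api.us-west-2.amazonaws.com", "/prod/satellites",
                              {}, b"", "AKIAEXAMPLE", "EXAMPLESECRET", "us-west-2", api_key="EXAMPLEKEY").items():
        print(f"{k}: {v}")
```

Because the timestamp is part of the signed string, a captured Authorization header is only valid for a few minutes and only for that exact request, which is why copying Postman’s values into another client works for one call but not as a reusable credential.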

Next on the Amazon Lambda blog series will be an application that implements basic Create Read Update Delete (CRUD) operations for the satellite table.  I am also thinking about moving the TGIMBA site to use the Amazon Dynamo DB back end with an API managed by the gateway.  Overall, the Amazon cloud seems very resilient and dependable.

Stay tuned!

References

1) http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html#d0e27929
2) http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
3) http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-method-settings-callers-console.html
4) http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-step-by-step.html
5) http://blogs.aws.amazon.com/security/post/Tx1R9KDN9ISZ0HF/Where-s-my-secret-access-key
6) https://aws.amazon.com/blogs/aws/amazon-api-gateway-build-and-run-scalable-application-backends/
7) https://blogs.aws.amazon.com/security/post/Tx1LYOT2FQML4UG/Back-to-School-Understanding-the-IAM-Policy-Grammar
8) https://github.com/jarrodek/ChromeRestClient
9) https://blog.tallan.com/2016/01/13/how-to-generate-a-sas-token-for-an-azure-service-bus-queue-using-c/
