I am using a Lambda Edge triggered by viewer-request to control access to a Cloudfront Distribution Origin (S3 Bucket). I want to allow/deny access to the distribution by sending an IdToken and a UID (user ID) string.
My code basically decodes the IdToken and reads a decodedUID inside it, then compares it to the UID passed as a header and if they match or not it allows/deny access to the Origin
I am using SAM to deploy all of this, when I test this code locally it works as it should but when I deploy the changes to AWS one of the two headers is not being received by the lambda
I am sending two headers with each request to the Cloudfront Distribution
Authorization
UID
But the UID Header is never reaching the lambda edge in the event
I am using Nodejs14.x as runtime, when I run console.log(request.headers) I see the Authorization header with the token but not the UID
Does someone know why is this happening and how can I fix it?
I managed to send the UID value as a query parameter but that solution is not fitting to what I need
Related
I have node/express APIs running in Lambda function.
The API endpoint is {domain}/api/user/{username} where I pass username in URL itself.
example: to get userA detail, endpoint will be xxx.com/api/user/userA
also sending user_id:xxx in header.
Hitting above endpoint using API gateway/Lambda returns the data without any error.
Problem occurs when I use % in username.
Assume I have username as userA% .
Endpoint would become: xxx.com/api/user/userA%
Now, the problem is when I run this in my local machine with node/express/mysql api with endpoint localhost:2000/api/user/userA%, it returns the data.
But the same API using API gateway/Lambda : xxx.com/api/user/userA% throws
CORS: PreflightMissionAllowOriginHeader.
I have configured some CORS policies as shown in below image but can't seem to figure out what should I configure more to allow this type of requests.
I'm able to update/create the function key using the API as per document.
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-function-secret
My main aim is to update the function key every hour so I'm creating a http trigger (with the above api inside it) and scheduling the trigger.
For testing purpose I stored the url in one parameter.
URL:
'https://management.azure.com/subscriptions/xyz1/resourceGroups/xyz2/providers/Microsoft.Web/sites/func_appname/functions/func_name/keys/poc_testing1?api-version=2021-02-01{"Properties":{"Name": "poc_testing1","Value": "asdsda"}}'
Note: Value here is updating via random gen lib of python
Generated a bearer token using the service principal (which I'm already using to connect my stg acc) storing it in auth_token
header_auth= {'Authorization' : 'Bearer ' + auth_token }
Now running the below command in python
import requests
requests.post(url, headers=header_auth)
I'm getting 403 forbidden error
I'm thinking that it is not because of the bearer token, Did google the error and it is with the IP address. Can someone help me out here
I was referring the (https://learn.microsoft.com/en-us/troubleshoot/azure/general/request-throttling-http-403) doc but I'm not using any APIM service
Till now I referred the doc from MSFT.
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-function-secret
I was able to create new function key.
I'm trying to do the same using python for which I performed the above steps.
Currently ran the above issue steps in my local Visual studio and tried az cli as well but same 403 error.
Why do you want to update the function key every hour?
If you aim to increased security use AzureAD Auth/OAuth2 rather than the function key.
Regarding the 403 error, please ensure you have assigned proper permissions to the service principal which allow the service principal to modify the azure function.
I am trying to create rest request using Call Multipart form data REST API service in REST API toolkit. It requires apiURL, HTTPHEADER, PARAMETERtoPOST, httpMethod (using GET). I defined all the parameters(client id, client secret, response type (code), scope and response mode (query)) and httpheader - > Content -Type is application/x-www-form-urlencoded.
But in the response message I dont get the authcode even though when I create whole URL directly including parameters , I get the authcode but without Redirect URI. If I include redirect uri, it shows me that URI is not configured even though system admin for that showed me its configured.
So am I missing any parameters or anything else?
aws structure picture
JWT authorization (verify) is in progress in AWS Lambda.
I want to put the decoded data into the client request headers.
Becuase, I don't want to decode the token again at the 'service' and use it.
How to custom the client request?
AWS lambda 'event.headers' is undefined. so, 'event.headers.user' is not possible.
Is there any other good way?
You don't adjust the request you need to adjust the event that is being send to the lambda from the authoriz.
You can use the context of the authorizer.
The context can be accessed in the lambda that is handling the request.
context.authorizer.property
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html
I have created one API endpoint for lambda function, as - https://XXXXXXXXX.execute-api.us-east-1.amazonaws.com/XXXX/XXXXXXXXXXXX/ which is GET method.
While calling that endpoint from postman it is giving me
{
"message": "'XXXXXXXXX3LPDGPBF33Q:XXXXXXXXXXBLh219REWwTsNMyyyfbucW8MuM7' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS XXXXXXXXX3LPDGPBF33Q:XXXXXXXXXXBLh219REWwTsNMyyyfbucW8MuM7'."
}
This is a screenshot of the Amazon Lambda Upload Site: http://i.stack.imgur.com/mwJ3w.png
I have Access Key Id & Secret Access Key for IAM user. I used it all but no luck. Can anyone suggest tweak about this.
If you're using the latest version of Postman, you can generate the SigV4 signature automatically. The region should correspond to your API region (i.e. "us-east-1") and the service name should be "execute-api"
This is not a solution but it has helped me more than once:
Double-check that you are actually hitting an existing endpoint! Especially if you're working with AWS. AWS will return this error if you don't have the correct handler set up in your Lambda or if your API Gateway is not configured to serve this resource/verb/etc.