I'm new to AWS and I need help.
I have some endpoints (GET - POST /endpoint) that are exposed by AWS and my client documented for me.
To call any endpoint I need to authenticate with IAM (my client gave me the secret_key and the access_key).
I guess with those 2 keys I need to obtain an access token that I need to pass as header authorization to the request.
I'm using node.js. How can I obtain the access token so that I can make the request (I guess with some library like axios)?
Thanks for all the help
You could potentially use the AnomalyInnovations/sigV4Client and the related blog post:
A standalone client for signing API Gateway requests for Signature Version 4.
Related
I am new to api gateway development and trying to integrate lambda authorizer to secure the api gateway. I already gone through different documents as mentioned below, but still didn't understand how client have bearer token generated already in the request and how lambda-authorizer validate this token?
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/blob/master/blueprints/python/api-gateway-authorizer-python.py
so far i have created the lambda-authorizer with below code found in the github and have attached the key from the autho account. Then i have attached the authorizer in the api gateway and enabled the same in the 'Method Request'.
After i deployed, i invoked the api via postman, which return: "message": "Unauthorized'
https://github.com/serverless/examples/blob/master/aws-python-auth0-custom-authorizers-api/lambda_handlers.py
Now i confused on what needs to be provided in the request in order to get the response from the Lambda?
Appreciate if anybody can help on this with proper example in order to integrate and test it?
Thanks
Implement JWT Token approach.You will need an authentication provider that will return you the token. Example of authentication provider is Auth0 or you can roll out your own.
The flow would be:
Your client will perform user authentication with this provider. The provider will return the token to your client. The client need to pass the token via Authorization header in your request payload to API Gateway.
API Gateway will call Lambda Authorizer to authorize / validate the token. The Lambda Authorizer code must verify the token with the authentication provider and once authorized will return a policy that allows the API call to be made.
I am trying to learn robot framework and I am trying to connect my https API using BASIC authentication. Can anyone help me to start with initial setup ?
Attached is the screenshot how Iam currently connecting the REST API.
An example I found on GITHUB looked promising but no idea how to use it in my case. https://github.com/jjwong/RESTinstance_starter_project/blob/master/tests/test_basic_authentication.robot
You might need to add your username and password in headers of your request like
Authorization Basic username:password
Note you need to encode it with base64.
In case of Token based authentication
Authorization Bearer ${jwt_token}
According to my use case,
I want expose a REST api(auth micro-service) that allows users to signup, sign in and do basic auth operations. So basically when a client calls /auth/login endpoint with username, password server code should authenticate user against Cognito and send response back to client with JWT(access token). Rest api written in Node.js.
I have gone through various docs but I am only seeing examples of using the frontend/mobile SDKs to accomplish this. Is there a better way to accomplish this? or can use existing javascript SDK in Node.js to achieve this?
Thanks!
We have a simple setup: An authorization server based on OAuth 2.0, which currently only supports the client_credentials grant type. Then we have an API, the resource server, which is protected by requiring an access token from our OAuth server.
All use-cases for our API so far, have been pure machine-to-machine communcation, where it's simply our customers servers running batch jobs.
Today I had a meeting with a new customer. They have an SPA that seemingly does not have its own backend server. It uses AWS for authenticating, and seems to return a JWT, but from what I can tell, they make a lot of API calls directly to publicly available services, and then the logic is all performed in the SPA.
We ideally would've liked them to simply register a single OAuth client with us, so that when users make a request that needs one of our APIs, the request is first routed to their server, which performs the lookup, and then uses their client's credentials to contact our server. But they would prefer to not have to set up a backend. In this case I'm kind of at a loss for how we sensibly let them integrate with our system. They would prefer to send their user's JWT to our system, but I don't think they understand that we would need their key to verify the user's signature in that case, and we don't want to have to create new APIs simply for this purpose.
Would very much appreciate any advice on this issue - thanks very much in advance for any help.
We ideally would've liked them to simply register a single OAuth
client with us, so that when users make a request that needs one of
our APIs, the request is first routed to their server, which performs
the lookup, and then uses their client's credentials to contact our
server.
Your recommended approach is the right way of doing it with Client Credentials Grant.
They would prefer to send their user's JWT to our system, but I don't
think they understand that we would need their key to verify the
user's signature in that case, and we don't want to have to create new
APIs simply for this purpose.
If the previous approach doesn't work, I'm afraid that this is the only way of doing it. You will need to implement a Proxy to validate the JWT (You should be able to get their public key to verify the signature). You can do this in AWS itself, using AWS API Gateway + Lambda to verify the JWT to and forward the request to your existing backend with Client Credentials Grant where you don't need to pay anything upfront.
I have read this post and the AWS reply on
How do I use a Cognito token with API?
and this one how to use AWS cognito with custom authentication to create temporary s3 upload security token
I am not yet clear whether there is a simpler solution to securing S3 access.
I have a mobile client and a node.js backend. The client authenticates with the backend and receives a jwt accesstoken for further calls to my backend. In addition to communication with my own backend, users should be able to upload and download files to and from S3. I am looking for the simplest solution to make sure only users who have a valid accesstoken for my backend can upload to S3.
Can I do the following (this is based on this blog post http://blog.backspace.academy/2015/03/using-cognito-with-nodejs-part-2.html):
Client authenticates with my custom node.js backend and receives custom accesstoken from my backend
My node.js backend gets CognitoID AWS temp user credentials. However, the AWS documention says we also need a session token (presumably by calling CognitoSync), so I assume my backened needs to get the session token as well.
My node.js backend passes those temp credentials plus session token to client
Client uses them for calls to S3 with AWS SDK passing in the credentials + session token.
Am I missing something? Is there an easier way to do that? I assume there is no way to simply have the client pass my own custom node.js user accesstoken to AWS/S3/Cognito and have S3/Cognito authenticate the token by calling my own node.js API that could authenticate this token.
You've pretty much got it. You can get credentials from your backend and deliver the AWS credentials to the client. You will need the session key when using temporary credentials that will expire - and you definitely should use temporary credentials with mobile app clients.
If you want to authenticate the user with your own backend (using username/password with your backend) you can use Amazon Cognito's Developer Authenticated Identities feature. If your users will be authenticating with Facebook, you can just pass the Facebook access token to Amazon Cognito as described in the Facebook Integration topic.
Either way, the "standard" flow you'll see in AWS documentation is that you let Amazon Cognito deliver the AWS session credentials directly to the mobile app (rather than via your backend). When using Developer Authenticated Identities, the mobile app exchanges the OpenID Connect Token (retrieved from Cognito's GetOpenIdTokenForDeveloperIdentity call by your backend and delivered to the mobile app in the response to the authentication request) to call Cognito's GetCredentialsForIdentity. When using Facebook, you can just pass in the Facebook access token instead of the OpenID Token. Either way, by using this flow, you'll be able to use the "standard" Cognito to get AWS credentials to the app as shown for iOS, Android, JavaScript, Unity, and Xamarin in the Getting Credentials topic.
With that said, you can indeed get the AWS Credentials on behalf of the user from your backend and push them down to the client, but just keep in mind that all of the AWS Mobile SDK examples will assume you're using Cognito as shown in the Getting Credentials topic above, so you'll have to take that into account. If you want to see an example of routing credentials through your own backend, see the API Gateway Secure Pet Store sample (backend code, client code)
I wrote the NodeJS and Cordova Cognito tutorials from BackSpace Academy you are referencing. The tutorials were designed at the time to give much needed guidance on implementing Cognito. Notwithstanding this, Cognito is not always the most suitable solution (KISS principle).
I think you may be over complicating your solution:
You don't need Cognito to securely access S3 from Browser or Server.
A federated user (oauth/Facebook) can access S3 directly from
browser or through your NodeJS app.
If you don't need the Cognito key value data store then just use
a federated user on the browser side. Is a NodeJS server actually required?
If you can do everything from the client you don't need a NodeJs
server.
I would suggest you consider doing everything on the client side with a federated user. This is detailed in the AWS browser SDK docs under "Configuring Web Identity Federation in the Browser".
CAUTION! NEVER PUT YOUR AWS CREDENTIALS IN YOUR CODE, INCLUDING SERVER SIDE. Always use a federated user (oauth) on the browser side and on server side create an IAM role for your EC2 instance to connect to an S3 endpoint at your VPC. For some stupid reason the AWS S3 browser example hard codes credentials.