Using Kong AWS Lambda plugin for request authentication - aws-lambda

In Kong, is it possible to reuse the AWS Lambda plugin to carry out authentication?
I have followed this documentation https://docs.konghq.com/hub/kong-inc/aws-lambda/ for setting up the Lambda. I have a test AWS Lambda function that just returns the example response below.
{
"statusCode": 200,
"body": {
"response": "yes"
}
}
Currently Kong just returns the Lambda response, but is there a way that it can be used for authentication? For example, when requests come into Kong an AWS Lambda is called to figure out if the user is authenticated or not. If they are authenticated the request continues; if not, a 401 response is returned.

Related

Make request to Lambda Function URL with access token as Authorization header

I've been dealing with this for a while. I want to call an AWS_IAM-authenticated Lambda Function URL, sending an access token (generated by a Cognito User Pool) as the Authorization header.
I know I can send access token as a request header for API Gateway HTTP or REST API, but I'm not sure if it works for Lambda Functions too.
I couldn't find any documentation about my problem, just this page about the Signature V4 authentication method for invoking Lambda function URLs: https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html
The Security and auth model for Lambda function URLs has two AuthType options:
AWS_IAM – Lambda uses AWS IAM to authenticate and authorize requests based on the IAM principal's identity policy and the function's resource-based policy.
NONE – Lambda doesn't perform any authentication before invoking your function.
The Cognito JWT-based access token is not an AWS IAM session token, so it cannot be used to SigV4-sign the request. You have a different option for each of the Lambda function URL AuthType options.
To use AWS_IAM, you can use Amazon Cognito identity pools to deliver temporary, limited-privilege credentials which can SigV4 sign the request.
To use NONE, you will need to verify the JSON web token yourself, preferably with a software framework (such as AWS JWT Verify).

AWS Lambda forbidden error via api gateway get request

I am currently working on AWS and have an API Gateway with one GET request. I then have a Lambda which I call via the API Gateway.
So when I now call the gateway, passing the access token as generated from IAM when logging in, it throws an error:
{
"message": "Unauthorized"
}
I thought it might have been the gateway, but it actually hits the Lambda, as I did a console log in there. So I'm not sure how else I can check what it can be.
I am using Lambda proxy integration.
Any tips?
Cheers

How should I diagnose an HTTP request 500 that appears to be related to Authorizers in AWS API Gateway?

I am brand new to AWS API Gateway/AWS Lambda/AWS Amplify. I have a React Native application that I am trying to use AWS Amplify to make an API call and issue a PUT request, which would then cause the API Gateway to invoke my AWS Lambda function. When I create the AWS Amplify API endpoint, I don't see a command line option to define a PUT method. The default is "Any", which works, but I would like to specify a PUT method specifically. When I add in a PUT method manually on the API Gateway website and then call it from my React Native front end, I get...
Error: Request failed with status code 500
Looking at the API Gateway responses, this is due to either an "Authorizer Configuration Error" or an "Authorizer Failure", so I am assuming the problem is not with my front end code but with the configuration of "authorizers" on the API Gateway. What are authorizers? How do they relate to making an API call? And what steps can I take to troubleshoot what the problem might be?
You can use a Lambda, a Cognito User Pool or an IAM role as an authorizer. The short version is that your API endpoints can either be open and public or have an authorizer; if they have an authorizer then it has to be set up correctly. It is set through the API Gateway config for an endpoint, in the Method Request section.
AWS Lambda authorizer info:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
AWS Cognito Info:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
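An added example of the first kind of authorizer (not from the answer above): a TOKEN-type Lambda authorizer for a REST API in Node.js. The table of known tokens and the verifyToken hook are constructed stand-ins for real token validation; the methodArn format, the policy document shape and the 401/403 behaviour are API Gateway's own.

```javascript
// Added example (not from the original answer): a TOKEN Lambda authorizer.
// The token table and verifyToken hook are constructed stand-ins; in production
// verifyToken would check a JWT signature and claims.
const KNOWN_TOKENS = new Map([
  ['tok-reader', { sub: 'user-reader', email: 'reader@example.com', scope: 'orders:read' }],
  ['tok-writer', { sub: 'user-writer', email: 'writer@example.com', scope: 'orders:read orders:write' }],
]);
const verifyToken = (token) => KNOWN_TOKENS.get(token) || null; // assumed hook

function parseBearer(value) {
  const m = /^Bearer\s+(\S+)$/i.exec(value || '');
  return m ? m[1] : null;
}

// The exact document API Gateway expects back. Values in `context` must be
// strings, numbers or booleans; they become $context.authorizer.<key> downstream.
function buildPolicy(principalId, effect, resource, context = {}) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
    context,
  };
}

// Which scope a route needs, derived from the verb in the methodArn:
//   arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<VERB>/<resource-path>
// The read/write split is an assumed policy for this example.
function requiredScope(methodArn) {
  const verb = methodArn.split('/')[2];
  return verb === 'GET' ? 'orders:read' : 'orders:write';
}

async function handler(event) {
  const token = parseBearer(event.authorizationToken);
  // Throwing exactly 'Unauthorized' makes API Gateway answer 401 {"message":"Unauthorized"}
  // without touching the backend; any other thrown error surfaces as the 500
  // "Authorizer Failure" gateway response.
  if (!token) throw new Error('Unauthorized');
  const claims = verifyToken(token);
  if (!claims) throw new Error('Unauthorized');
  // A Deny policy is a valid answer and yields 403, not 401: the caller is
  // authenticated, just not allowed on this route.
  const scopes = (claims.scope || '').split(' ');
  const effect = scopes.includes(requiredScope(event.methodArn)) ? 'Allow' : 'Deny';
  return buildPolicy(claims.sub, effect, event.methodArn, { email: claims.email });
}
```

If authorizer caching is enabled, the returned policy is cached per token and reused for every route until the TTL expires; a policy scoped to one exact methodArn then returns 403 for the same caller on other routes. Either scope Resource to the stage (the ARN up to /<stage>/*) and decide per-route access inside the backend, or disable caching.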

Authenticate the caller to a lambda function

I have a web app.
The login process is done with Cognito (AWS JavaScript SDK) on the client side.
This works fine. The user can register, login and edit his attributes in cognito.
I have a Lambda function.
The Lambda function is triggered via an API gateway.
The question:
What is the best practice for authenticating the calling user in Lambda?
What do I need to pass in my HTTP request? Is it the accessToken from the client?
You pass that in the header
Authorization: Bearer {yourtoken}
{yourtoken} is the idToken in the AuthenticationResult returned by CognitoIdentityServiceProvider.
If you want the caller in your Lambda function, you can pass it with $context.authorizer.claims.email in the API Gateway request template.
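Added example (not part of the answer above): the Lambda behind such a method, in Node.js, reading the caller out of the claims that API Gateway attached after verifying the token. The event objects are constructed; the claim locations are those of Lambda proxy integration and of a request template that maps $context.authorizer.claims.* into the body.

```javascript
// Added example (not from the original answer): a backend Lambda behind a
// Cognito User Pool authorizer. The caller identity is whatever API Gateway
// copied out of the verified token, never a field the client put in the body.

// Lambda proxy integration: claims land under requestContext.authorizer.claims.
// Non-proxy integration with a request template such as
//   { "email": "$context.authorizer.claims.email", "sub": "$context.authorizer.claims.sub" }
// delivers them as top-level fields of the event instead. Both shapes are handled here.
function callerFromEvent(event) {
  const auth = event.requestContext && event.requestContext.authorizer;
  const claims = (auth && auth.claims) || (event.sub ? { sub: event.sub, email: event.email } : null);
  if (!claims || !claims.sub) return null;
  return { sub: claims.sub, email: claims.email || null };
}

async function handler(event) {
  const caller = callerFromEvent(event);
  // Cannot happen once the authorizer is attached to the method; refuse anyway
  // rather than fall back to a user id supplied by the client.
  if (!caller) return { statusCode: 401, body: JSON.stringify({ message: 'Unauthorized' }) };
  let body = {};
  try { body = event.body ? JSON.parse(event.body) : {}; } catch (err) { body = {}; }
  // body.userId, if present, is ignored on purpose: identity comes from the token.
  return {
    statusCode: 200,
    body: JSON.stringify({ owner: caller.sub, email: caller.email, note: body.note || null }),
  };
}
```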

Try this API for Logging API returns "PERMISSION_DENIED"

I am trying to test the Google Cloud Logging API on the "Try this API" feature that Google Cloud Platform has on their documentation, but I get this response back:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I know that my response body is correct because it works with OAuth 2.0 but fails when I use API Key.
OAuth 2.0: (screenshot of the working request using OAuth 2.0)
API Key: (screenshot of the non-working request using the API key)
The Google docs say that they generate their own API key for this "Try this API" feature. https://developers.google.com/explorer-help/
Since Google is using their own API Key, I do not understand why I am getting a response status of PERMISSION_DENIED.
Edit:
Here is a link to the Try this API feature in Google Cloud Platform if you would like to give it a try. https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/write?apix_params=%7B%22resource%22%3A%7B%22entries%22%3A%5B%7B%22logName%22%3A%22projects%2F%5BPROJECT_ID%5D%2Flogs%2Frequests%22%2C%22resource%22%3A%7B%22type%22%3A%22http_load_balancer%22%2C%22labels%22%3A%7B%7D%7D%7D%5D%7D%7D
Here is the python request that I am using in my code to create an entry:
import json
import requests

# One entry for the http_load_balancer resource type; [PROJECT_ID] is a placeholder.
entry = {
    "entries": [
        {
            "logName": "projects/[PROJECT_ID]/logs/requests",
            "resource": {
                "type": "http_load_balancer",
                "labels": {}
            }
        }
    ]
}
# Authenticates with an API key only (the ?key= query parameter); json.dumps needs the import above.
requests.post('https://logging.googleapis.com/v2/entries:write?key=[YOUR_API_KEY]', data=json.dumps(entry))
The API key was created from my user that has "logs writer", "logs viewer", and "logging admin" permissions. This theoretically should be all the permissions I need to make the post request. However, it is still returning a "PERMISSION_DENIED" status.
Any help would be much appreciated. Thank you in advance.
It looks like you are making a request to write data which isn't publicly writable. API keys have no concept of a user; they only identify that you are allowed to call an API. So it looks like your API key request is working to the extent it can, but the response is telling you: I don't know who you are, so I can't let you do this.
OAuth 2.0 is the solution here, as it acts on behalf of your account (you have to give consent), allowing the API to verify you have permission to take this action.
Service accounts are another option, to act on behalf of your project instead of your user, but they aren't practical from a web UI.
