I am building and testing Lambda functions on my local PC. The Lambdas are exposed through SAM using the "sam local start-api" command and called through JavaScript.
I have now set up a user pool on AWS Cognito (in the cloud). My app is correctly authenticating against the user pool. However, I would like now to pass user information to my Lambdas when I invoke them on my local pc. What I want to achieve is:
My JS web app sends a request with authorization header to my locally hosted Lambdas.
My Lambda accesses the claims through $context.authorizer.claims
And most importantly: the Lambda code should not be specific to my dev environment. I should be able to deploy my Lambdas to the cloud without changing the code.
Question: Is it possible to provide/inject the user claims into the context of a Lambda request on my local dev environment?
I am trying to invoke an AWS Lambda from an Azure function using boto3. I have everything working using my two personal accounts. I created an AWS configuration file using my personal account details. Now I have moved both the Azure function and AWS Lambda to my work dev environments. My work does not want me to use AWS credentials ("access_key_id" and "secret_access_key"). Is there a way around this? A way to tell boto3 not to use the credentials in the AWS config file, but instead use this role?
import base64
import json

import boto3


def invoke_azure_to_s3(filename, rawfile):
    # boto3 resolves credentials from its default chain (env vars, shared config, attached role)
    client = boto3.client('lambda')
    response = client.invoke(
        FunctionName='arn:aws:lambda:us-##-#:##############:function:azure-to-s3',
        InvocationType='Event',  # asynchronous, fire-and-forget invoke
        Payload=json.dumps({
            'file_name': filename,
            'file_bytes': base64.b85encode(rawfile).decode('utf-8'),
        }),
    )
    return response
Assuming you have access to your work's AWS account via the console, you can give any account permission to invoke a Lambda.
Via the console:
Browse to the specified Lambda
Configuration -> Permissions
Click 'Add permission' under the 'Resource-based policy'-section
The equivalent boto3-function would be add_permission().
After that, you can invoke the Lambda from the Azure account as you would normally, but using your own credentials.
Credentials can be set in one of three ways:
setting the credentials in ~/.aws/credentials, if you're on a VM
setting the credentials as environment variables:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
setting the credentials as parameters when using boto3:
boto3.client("lambda", region_name="us-west-2", aws_access_key_id="ak", aws_secret_access_key="sk")
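The two halves of the answer above, as an added example that is not from the original thread: the owning account grants a single caller account invoke rights via the resource-based policy (the add_permission() equivalent of the console steps), and the caller then invokes asynchronously with its own credentials. The client is passed in (created with boto3.client("lambda") as shown above); function names, the statement id and the account id are constructed placeholders.

```python
import base64
import json


def invoke_permission_params(function_name, caller_account_id, statement_id):
    """kwargs for add_permission() that let exactly one account invoke the
    function. A Principal of '*' would make it invokable from any AWS account,
    so anything but a 12-digit account id is refused."""
    if not (caller_account_id.isdigit() and len(caller_account_id) == 12):
        raise ValueError("Principal must be a single 12-digit AWS account id")
    return {
        "FunctionName": function_name,
        "StatementId": statement_id,
        "Action": "lambda:InvokeFunction",
        "Principal": caller_account_id,
    }


def grant_invoke(lambda_client, function_name, caller_account_id, statement_id):
    """Run in the account that owns the function (the console steps above)."""
    return lambda_client.add_permission(
        **invoke_permission_params(function_name, caller_account_id, statement_id))


def build_payload(filename, rawfile):
    """Wire format used in the question: base85-encoded bytes inside JSON."""
    return json.dumps({
        "file_name": filename,
        "file_bytes": base64.b85encode(rawfile).decode("utf-8"),
    })


def decode_payload(payload):
    """What the receiving Lambda does with the event body."""
    body = json.loads(payload)
    return body["file_name"], base64.b85decode(body["file_bytes"])


def invoke_async(lambda_client, function_arn, filename, rawfile):
    """Run in the caller account; boto3 picks up that account's credentials
    from its default chain, so none are passed here."""
    return lambda_client.invoke(
        FunctionName=function_arn,
        InvocationType="Event",
        Payload=build_payload(filename, rawfile),
    )
```

Scoping Principal to one account id is what keeps the resource-based policy from turning the function into a public endpoint.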
I have an API that is currently secured by IdentityServer3.
We are moving to AWS Cognito to login.
When a user signs up, I need to call our current API to make sure their username is in our database. How do I do this with a lambda function?
And how can I secure our API (which is hosted on our server), with the Cognito auth?
You can use the pre sign-up Lambda trigger on Cognito to check the DB.
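A pre sign-up trigger of the kind the answer suggests, as an added example that is not from the thread: it rejects registration when the username is unknown to the existing user store. The lookup is a constructed in-memory set standing in for the call to the current API; the event shape is the one Cognito sends for PreSignUp_SignUp.

```python
KNOWN_USERS = {"alice", "bob"}  # constructed sample data in place of the legacy DB


def username_exists(username, known=KNOWN_USERS):
    """Stand-in for the call to the existing API; swap in the real client."""
    return username.lower() in known


def pre_sign_up_handler(event, context=None, lookup=username_exists):
    """Cognito invokes this before creating the user. Raising any exception
    aborts the sign-up and the message is returned to the client, so keep it
    generic and leak nothing about the backing store."""
    if event.get("triggerSource") != "PreSignUp_SignUp":
        # Admin-created and federated sign-ups use other trigger sources;
        # pass them through rather than applying this rule blindly.
        return event
    if not lookup(event["userName"]):
        raise ValueError("Sign-up is not permitted for this account")
    # Leave the response defaults alone: the user still has to complete the
    # normal confirmation step, so knowing a legacy username alone is not
    # enough to claim the account.
    return event


def make_event(username, email, trigger="PreSignUp_SignUp"):
    """Minimal pre sign-up event of the shape Cognito sends (constructed)."""
    return {
        "version": "1",
        "triggerSource": trigger,
        "userName": username,
        "request": {"userAttributes": {"email": email}, "validationData": {}},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False,
                     "autoVerifyPhone": False},
    }
```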
My current stack is like this:
User creates an account via AWS Cognito
A post confirmation Lambda is triggered which then adds further user details to a database
My database uses the sub id generated by Cognito as the userId, so they are the same. I also copy the email address as the Username in my database. My intention is to use Cognito for authentication and my own database for the functionality of my app.
However, if the user wishes to update their email address I need to amend this in both Cognito and my database. My first attempt made a call to Cognito in my Lambda using admin_update_user_attributes, but I soon realised it was blocked from making external calls to the internet, so I created a NAT gateway, which worked but simply costs way too much!
My second idea was to go through Cognito, having my front end make the call and then have Cognito trigger a Lambda to update my database, but I don't think this is possible.
Is there a configuration or something I'm missing to be able to access AWS Cognito via a Lambda through the API Gateway, as they are both AWS services?
I don't want to make two separate calls via my frontend, as this creates a risk of one being completed but not the other.
Thanks
A NAT gateway will be needed if you have your Lambda function in a VPC as there are no Cognito VPC endpoints at this time.
List of currently supported AWS services with endpoints.
If you are using a DB like DynamoDB, the Lambda function does not need to be in a VPC, so you could achieve the use case you mentioned above.
Another option could be to do the Cognito update asynchronously, so your Lambda could potentially use VPC endpoints to put an object in SQS and then have a Lambda poller (outside the VPC) poll the messages and update Cognito. Or achieve a similar use case by making use of private API Gateways.
These are just potential ideas which I have not done myself.
I have a dev and prod Cognito pool, and a dev/prod Lambda function that pushes to a dev/prod DynamoDB table.
Is there a simple way to have it know when to use the prod credentials (pool id, etc), and when to use the dev credentials?
And the same for firing the appropriate dev/prod API Gateway APIs that check the appropriate pools for authentication and post to the appropriate DynamoDB tables? For now I just manually change the tokens, and in API Gateway I manually switch out which Cognito pool the API Gateway authenticates against and which tables they post to, which isn't very practical.
If you expose your Lambda with API Gateway, then just deploy it to two stages: a prod stage which calls the prod Lambda which accesses prod DynamoDB, and a dev stage which calls the dev Lambda. In your application, you would just need to change the stage name, and you can do so by setting it from Info.plist.
Regarding how to get tokens for prod or dev automatically, it depends on how you get these tokens. For example, you could create a /login resource in API Gateway which takes username + password as parameters and returns tokens. Again, deploy it to two stages which use different Cognito pool in the backend calls. Now, you can use the same variable/property in your application to get the stage name for getting tokens too.
So, by just changing the value of one property you can switch between prod & dev in your app.
I am working on an IVR team. I write SOAP web services, write Java clients to access those web services, and set data in the session variables of the Cisco API so the IVR can then access that data. I am very good at this.
Currently, my manager plans to move from Cisco IVR to Amazon Connect. Amazon Connect has all the infrastructure, and an IVR can be set up in 45 minutes.
My task is to access existing legacy SOAP web services (which have access to our databases) from AWS Lambda and give that data to the IVR.
I went through all the documentation, but I am not able to figure out where to start. Could someone give me guidance on where to start?
Here's an article about calling SOAP services from a Lambda function, with a walkthrough of the process: https://blog.codecentric.de/en/2016/12/serverless-soap-legacy-api-integration-java-aws-lambda-aws-api-gateway/
It goes further than what you may need, adding API gateway on top of the Lambda function. You may not need that if you're just planning to call those Lambda functions from Connect.
There's also an article in Connect documentation on integrating with Lambda: http://docs.aws.amazon.com/connect/latest/adminguide/connect-lambda-functions.html