How to restrict access from invoking API URL? - aws-lambda

As shown above, one of my Lambda functions, HelloCloudGurus, is triggered by API Gateway and can be invoked via the API link below:
https://APIServiceID.execute-api.ap-southeast-1.amazonaws.com/prod/HelloCloudGurus
When I click on the link, I can still access it, even though Authorization has been set to AWS_IAM. Why?
How do I configure it so that it validates the signature on the request and returns something like the following?
{"message":"Missing Authentication Token"}

Please use Cognito. You can still achieve it with an API Gateway Custom Authorizer, but Cognito is the right candidate for security. Have a read of the AWS documentation on custom authorizers below:
http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html

Related

Calling AWS API Gateway from AWS Lambda

The scenario is :
I have a REST API Gateway which, when triggered, invokes a Lambda that processes the request and returns the response.
This API endpoint is public.
I have another Lambda which will call this API Gateway endpoint and obtain the response from it.
Now the queries:
I am directly calling the invoke URL of the API just like any other API. So is this the right way to do so?
When I put the invoke URL in the browser address bar, it gives "missing authentication token".
How do I actually call the URL in the calling Lambda, i.e. how do I pass tokens, in Node.js?
Thanks 😊
Well, the questions are quite broad. I'll try to answer as much as possible.
First, the design you are following, REST API -> Lambda, uses the 'Lambda function' Integration Type with 'Use Lambda Proxy integration'.
Please take a look at the documentation here and an example here.
Go through the document and I believe you will understand the ins and outs of this model. At a high level, in this model API Gateway passes the request and response through, and you (the Lambda) handle everything.
Question 1:
I am directly calling the invoke URL of the API just like any other API. So is this the right way to do so?
[Answer] There is nothing wrong with this model. And yes, you can call this API (Lambda proxy) like any REST API.
Question 2:
When I put the invoke URL in the browser address bar, it gives "missing authentication token".
[Answer] Please check the settings of your API. As in the screenshot below, my API is using Cognito as the Authorizer. It means consumers need to provide a 'Token' (OAuth2, for example) when calling the API. You can use either a Lambda authorizer or a Cognito authorizer. It's up to you.
And if you do not require any authorizer, you can set it to NONE, so no authentication token is required for your API.
In short, the message you are getting now means your API has an 'Authorizer' and you are not sending a token along with the request.
Question 3:
How do I actually call the URL in the calling Lambda, i.e. how do I pass tokens, in Node.js?
It is pretty common. You can google something like 'OAuth2 in Node.js'; it will give you tons of examples:
https://resources.infosecinstitute.com/securing-web-apis-part-ii-creating-an-api-authenticated-with-oauth-2-in-node-js/
https://stormpath.com/blog/talking-to-oauth2-services-with-nodejs
I hope it helps. Otherwise, leave your comments and questions.
Thanks,

Using access token to get additional user info from cognito?

I have integrated an OAuth 2.0 Resource Server in my Spring Boot application using JWT and an issuer URL as described here: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver I am integrating against the AWS Cognito service and everything is working; however, I am missing the information I want.
I am currently receiving the Access Token from the React front end, which does not contain any custom attributes for the user, only groups, as stated by the documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
Is there a way to get the custom attributes through the use of an access token, through a callback or something to Cognito?
Alternatively, I could receive the ID token directly; however, after browsing around, this does not seem like best practice. I am pretty new to implementing OAuth 2.0, so I am not sure about all the pros and cons.
The /oauth2/userInfo endpoint will provide you with information about the authenticated user.
https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html

How should I diagnose an HTTP request 500 that appears to be related to Authorizers in AWS API Gateway?

I am brand new to AWS API Gateway/AWS Lambda/AWS Amplify. I have a React Native application in which I am trying to use AWS Amplify to make an API call and issue a PUT request, which would then cause API Gateway to invoke my AWS Lambda function. When I create the AWS Amplify API endpoint, I don't see a command-line option to define a PUT method. The default is "Any", which works, but I would like to specify a PUT method specifically. When I add a PUT method manually on the API Gateway website and then call it from my React Native front end, I get...
Error: Request failed with status code 500
Looking at the API Gateway responses, this is due to either an "Authorizer Configuration Error" or an "Authorizer Failure", so I am assuming the problem is not with my front-end code but with the configuration of "authorizers" on the API Gateway. What are authorizers? How do they relate to making an API call? And what steps can I take to troubleshoot what the problem might be?
You can use a Lambda, a Cognito User Pool or an IAM role as an Authorizer. The short version is that your API endpoints can either be open and public or have an Authorizer; if they have an authorizer, then it has to be set up correctly. It is set through the API Gateway config for an endpoint in the Method Request section.
AWS Lambda authorizer info:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
AWS Cognito Info:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

Not able to access api gateway through user credentials

I have created an API Gateway with AWS_IAM authentication. I need to access that API Gateway, so I created a user and gave the AmazonAPIGatewayInvokeFullAccess policy to that user.
But I am not able to call that API. I am getting the error:
"user arn:aws:iam::######:user/username is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:region:####:#####/stage/method/path"
Whereas when I go to the AWS console and try to simulate that policy, it allows me to invoke that API.
I tried https://www.youtube.com/watch?v=KXyATZctkmQ . But it's not working. Please let me know if anyone has gone through this and tried something to solve it before. Thanks
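The error above names the exact thing IAM evaluated: the action `execute-api:Invoke` against a resource ARN of the form `arn:aws:execute-api:region:account:api-id/stage/METHOD/path`. The following is an added example, not part of the original question and not AWS's evaluation engine: a small evaluator for the identity-policy part of that decision (an explicit Deny wins, otherwise any matching Allow, otherwise implicit deny, with IAM's `*` and `?` wildcards), used to show how a policy scoped to one stage or method fails for another. The API id, account id and policies are constructed. It deliberately ignores what the question's situation may also depend on: Condition blocks, the API's resource policy, and whether the request was actually signed with that user's keys.

```javascript
// Added example (not from the original post, not AWS code): evaluating execute-api:Invoke
// against an API Gateway resource ARN with IAM's Allow/Deny and wildcard rules.

// IAM wildcard matching: '*' matches any run of characters, '?' exactly one character.
function matchesPattern(pattern, value) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(value);
}

const asList = (v) => (Array.isArray(v) ? v : [v]);

function statementMatches(stmt, action, resourceArn) {
  const actionHit = asList(stmt.Action).some((a) => matchesPattern(a, action));
  const resourceHit = asList(stmt.Resource).some((r) => matchesPattern(r, resourceArn));
  return actionHit && resourceHit;
}

// Explicit Deny anywhere overrides; otherwise one matching Allow suffices; otherwise denied.
function isAllowed(policy, action, resourceArn) {
  const stmts = asList(policy.Statement);
  if (stmts.some((s) => s.Effect === 'Deny' && statementMatches(s, action, resourceArn))) return false;
  return stmts.some((s) => s.Effect === 'Allow' && statementMatches(s, action, resourceArn));
}

// The ARN form that appears in the error message in the question.
function invokeArn(region, account, apiId, stage, method, path) {
  return `arn:aws:execute-api:${region}:${account}:${apiId}/${stage}/${method}/${path.replace(/^\//, '')}`;
}

// Constructed policies. SCOPED_POLICY is what a least-privilege invoke grant looks like;
// FULL_INVOKE_POLICY has the shape of a "full access" grant (resource '*');
// DENY_DEV_POLICY shows an explicit Deny beating a broad Allow.
const SCOPED_POLICY = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: 'execute-api:Invoke',
    Resource: 'arn:aws:execute-api:ap-southeast-1:123456789012:abc123/prod/GET/HelloCloudGurus' },
] };
const FULL_INVOKE_POLICY = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: 'execute-api:Invoke', Resource: '*' },
] };
const DENY_DEV_POLICY = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: 'execute-api:*', Resource: '*' },
  { Effect: 'Deny', Action: 'execute-api:Invoke', Resource: 'arn:aws:execute-api:*:*:*/dev/*' },
] };
```

When the simulator says Allow but the call is refused, compare the ARN in the error with what the policy actually matches segment by segment (stage, HTTP method, path), since each of those is a separate way for a scoped Resource to miss.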

Test AWS Cognito login with Postman

I'm trying to test the Lambda functions that I have created, which sit behind a Cognito login.
My Lambda functions require that cognitoIdentityId is set in order to identify the user.
I've been following the "Use Postman to Call a REST API" tutorial in the Amazon docs. However, this tutorial only shows how to authenticate with IAM credentials and not Cognito user credentials, which means that cognitoIdentityId is set to null.
How does one go about integrating a Cognito User login with Postman?
You should be able to see it with:
console.log(event.requestContext.identity.cognitoIdentityId);
