
Comments (18)

avillegasn commented on August 17, 2024

Probably that's me being a newbie with AWS, but I'm unable to make it work. I just wanted to try the server part to have an example of integrating IAM authentication with a REST API made with Amazon API Gateway and Lambda functions. However, I presume I'm failing at creating/assigning roles and policies. Could you clarify this part a little bit? That would be awesome!

I've encountered the following error:

Execution failed due to configuration error: API Gateway does not have permission to assume the provided role

The point where I got lost is:

Copy and paste the same access policy we generated for the invocation role with the addition of the permission to invoke API Gateway...

from api-gateway-secure-pet-store.

mingqin1 commented on August 17, 2024

David: I went through the same anxiety to figure it out. I agree with you that the document needs to be improved.

sapessi commented on August 17, 2024

Thanks for your feedback guys. I will pull together a blog post soon.

This is a sample application that creates a pet store app in iOS, and its backend using Amazon API Gateway, AWS Lambda and DynamoDB. It shows off how you can connect API Gateway and Lambda, and also use AWS IAM (Identity and Access Management) to authorize calls to your APIs.

ljbrown238 commented on August 17, 2024

Just chiming in to add it would be great to have more, and clearer documentation.
I did go through it (minus the iOS app) and did get the API functional, but an overview that explained the moving parts in more detail would be great.
It may also be helpful to provide a link to the Amazon talk by Stefano Buliani which helps provide some high-level context for the application itself.
Building Secure and Scalable API's
http://www.slideshare.net/AmazonWebServices/dev203-amazon-api-gateway-aws-lambda-to-build-secure-apis
There may be a better place you can get the deck from.
Having said that, I certainly appreciate the excellent tutorial!

sapessi commented on August 17, 2024

Thanks Loren, this is Stefano. I will update the readme to at least link to the slideshare and talk on youtube.

zhihuitang commented on August 17, 2024

Hi,

In the iOS sample, the URL is hard-coded (NSString *URLString = @"https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/xxxx";). Is there a way to change the endpoint from outside the library?

I mean since the library is generated by AWS, and the library might change in the future. I don't want to touch the library code.

- (instancetype)initWithConfiguration:(AWSServiceConfiguration *)configuration {
    if (self = [super init]) {
        _configuration = [configuration copy];
        // TODO: Change this to match your API deployment in Amazon API Gateway
        NSString *URLString = @"https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/xxxx";

        if ([URLString hasSuffix:@"/"]) {
            URLString = [URLString substringToIndex:[URLString length] - 1];
        }
        _configuration.endpoint = [[AWSEndpoint alloc] initWithRegion:_configuration.regionType
                                                              service:AWSServiceAPIGateway
                                                                  URL:[NSURL URLWithString:URLString]];

        AWSSignatureV4Signer *signer = [AWSSignatureV4Signer signerWithCredentialsProvider:_configuration.credentialsProvider
                                                                                  endpoint:_configuration.endpoint];

        _configuration.baseURL = _configuration.endpoint.URL;
        _configuration.requestInterceptors = @[[AWSNetworkingRequestInterceptor new], signer];
    }

    return self;
}

Thanks

sapessi commented on August 17, 2024

@avillegasn apologies for the delay. That error is generated because API Gateway does not have permissions to assume the IAM role in your account. Check the trust relationships on the role; the trust policy should look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

@zhihuitang At the moment the endpoint is a private variable in the constructor and is assigned to the _configuration variable. The client is capable of managing multiple instances of itself through the registerWithConfiguration and clientForKey static methods. You could set up your configuration manually, just like the init method does, to use a custom endpoint and then register the client with your configuration for the specific key:

  1. Make sure that you make the endpoint property readonly at the top of your .m file

     @interface AWSServiceConfiguration()

     @property (nonatomic, strong) AWSEndpoint *endpoint;

     @end

  2. Create a custom config and initialize a client for that config with a custom endpoint

     AWSServiceConfiguration *_config = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:nil];
     _config.endpoint = [[AWSEndpoint alloc] initWithRegion:_config.regionType
                                                    service:AWSServiceAPIGateway
                                                        URL:[NSURL URLWithString:@"https://my-custom-endpoint.com"]];

     AWSSignatureV4Signer *signer = [AWSSignatureV4Signer signerWithCredentialsProvider:_config.credentialsProvider
                                                                               endpoint:_config.endpoint];
     _config.baseURL = _config.endpoint.URL;
     _config.requestInterceptors = @[[AWSNetworkingRequestInterceptor new], signer];
     [PETLambdaMicroserviceClient registerClientWithConfiguration:_config forKey:@"customEndpoint"];

  3. You can now grab this instance of the client with:

     PETLambdaMicroserviceClient *client = [PETLambdaMicroserviceClient clientForKey:@"customEndpoint"];

from api-gateway-secure-pet-store.
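
An offline check of the trust relationship described in the reply above, as an added example that is not part of the original thread or the project's code: it parses a role's trust policy JSON and reports whether `apigateway.amazonaws.com` is allowed to call `sts:AssumeRole`. The function names and the `LAMBDA_ONLY` sample are constructed for illustration; `NotPrincipal`, `NotAction` and wildcard principals are not evaluated.

```python
import json

APIGW = "apigateway.amazonaws.com"

# Trust policy quoted in the reply above.
FROM_REPLY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "apigateway.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}"""

# Constructed sample: a role that trusts only Lambda.
LAMBDA_ONLY = """{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Principal": {"Service": ["lambda.amazonaws.com"]},
  "Action": ["sts:AssumeRole"]}}"""


def _as_list(value):
    """IAM accepts either a single value or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _applies(stmt, service):
    """True if the statement names `service` and covers sts:AssumeRole."""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}  # case-insensitive
    return service in services and bool(actions & {"sts:assumerole", "sts:*", "*"})


def check_trust_policy(policy_json, service=APIGW):
    """Return (ok, reason): can `service` assume a role with this trust policy?"""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    hits = [s for s in statements if _applies(s, service)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return False, f"a Deny statement names {service}"
    allows = [s for s in hits if s.get("Effect") == "Allow"]
    if not allows:
        return False, f"no Allow statement trusts {service}"
    if all("Condition" in s for s in allows):
        return True, "trusted only under a Condition; review it"
    return True, "trusted"


if __name__ == "__main__":
    for name, doc in (("from reply", FROM_REPLY), ("lambda only", LAMBDA_ONLY)):
        print(name, check_trust_policy(doc))
```

The policy document to feed in can be read with `aws iam get-role --role-name <your-role> --query Role.AssumeRolePolicyDocument`, where the role name is a placeholder.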

petemounce commented on August 17, 2024

It would be great to get a CloudFormation template added that sets up for example the IAM Roles and Managed Policies, then puts their ARNs in the stack outputs to grab.

lalon commented on August 17, 2024

Couldn't find a link in the readme to the talk regarding this project, so here it is:
AWS re:Invent 2015 | (DEV203) Amazon API Gateway & AWS Lambda to Build Secure and Scalable APIs

grace191 commented on August 17, 2024

Hi Stefano,
Thanks for your excellent demo! I am wondering, is it possible to change the iOS app to an AngularJS web app? If so, how should I do it?
Thanks

sapessi commented on August 17, 2024

You can use API Gateway to generate a JavaScript SDK for the browsers. You can get the JavaScript SDK from the "SDK Generation" tab of the Stage settings page.

petemounce commented on August 17, 2024

Any way to request that via an API?

esumit commented on August 17, 2024

I didn't understand "Copy and paste the same access policy we generated for the invocation role with the addition of the permission to invoke API Gateway...". I have created a separate thread to understand its meaning.

sirfak commented on August 17, 2024

Hi, I am new to AWS. I was going through the code. I understand that there is a LoginAction to authenticate the user. But when calling GetList or CreatePet, how are the credentials being passed to these actions?

Thanks
Ajay

sirfak commented on August 17, 2024

Also, I am building an Ionic 2 app with Facebook login. If I have understood correctly, I need to host my Cognito code behind an API Gateway and call /auth to return AWS tokens, and then use this token in subsequent requests like /addproduct etc.

Is this right?

sapessi commented on August 17, 2024

@sirfak The login action returns a set of temporary AWS credentials (access key, secret key, and session token). These are automatically used by the SDK to sign requests to the APIs. API Gateway can automatically verify the signature on the requests.

from api-gateway-secure-pet-store.
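
What the SDK does with those temporary credentials, as an added example that is not code from the thread or the project: a minimal Signature Version 4 signer for a body-less GET to an API Gateway stage. The URL, key values and function name are constructed, and the path and query string are assumed to be already URL-encoded.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample values, not real credentials or a real endpoint.
SAMPLE_URL = "https://abc123.execute-api.us-east-1.amazonaws.com/test/pets"
SAMPLE_NOW = datetime(2024, 8, 17, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CREDS = ("ASIAEXAMPLE", "constructed-secret", "constructed-session-token")


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get(url, region, access_key, secret_key, session_token, now):
    """Return the SigV4 headers for a body-less GET to an API Gateway stage."""
    parsed = urlparse(url)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    day = amz_date[:8]
    headers = {
        "host": parsed.netloc,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,  # sent because the keys are temporary
    }
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "GET",
        parsed.path or "/",
        parsed.query,  # assumed already sorted and URL-encoded
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        hashlib.sha256(b"").hexdigest(),  # hash of the empty body
    ])
    scope = f"{day}/{region}/execute-api/aws4_request"
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, "execute-api", "aws4_request"):
        key = _hmac(key, part)  # derive the per-day, per-service signing key
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}"
    )
    return headers
```

Only the access key ID, the session token and the signature travel with the request; the secret key stays on the client and is used to derive the signing key.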

myyk commented on August 17, 2024

+1 to adding a CloudFormation for this example. I made a blog post that tries to help a reader understand how this works a little better. https://medium.com/@myyk/serverless-authenticated-applications-with-federated-fb-google-amazon-logins-7447ac0b8415#.9pmxctjar

I add to this repo by showing how to hook up the generated SDK to HTML and use that to make the authenticated calls to the API gateways, which was easier for me to understand. myyk@9f5bd77

sirfak commented on August 17, 2024

Hi,
As my application grows, I am finding it hard (time-consuming) to upload the code to Lambda and then test.
I am using the Java SDK. On adding a new line of code, I have to upload (before running) to AWS Lambda.

Is there any better approach to manage this?

thanks
sirfak
