AWS API Gateway Security : Externalize IAM User Credentials

I am a developer fairly new to detailed AWS usage. In AWS, I have implemented a sample serverless architecture flow/application. The services used for the layers are DynamoDB (DB) - Lambda (DAO) - API Gateway (API) - S3 bucket (presentation).

I need to secure the API Gateway.

How can I:

  1. Externalize the IAM user credentials file using the JavaScript SDK instead of putting the IAM user credentials in code: a) on local Windows, b) for an S3 bucket?

  2. If I use a credentials file, how would the JavaScript SDK code know to use my AWS account? From the IAM user credentials?

  3. Is there a way to create the credentials file using the AWS Console? I do not yet know how to use the AWS CLI.

I checked and implemented 3 of the ways from here for API security: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html

  1) Cognito user pool
  2) Usage plan + API key
  3) IAM user authentication: I set AWS_IAM as the authorization type for the API Gateway. I created an IAM user and attached an IAM policy with permission to invoke the API. I followed this:
     https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
     and https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

I feel that IAM user authentication is the most secure, as we make SigV4-signed requests. My specific question here is about putting and retrieving the IAM user credentials in an external file, mentioned in the documentation as ~/.aws/credentials. In general, please guide me further.

I am presently using the JavaScript SDK, loading it in the browser. On my local Windows system, I created the credentials file under C:\Users\USERNAME\.aws\credentials, in the format given here: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html

I tried using the JavaScript SDK CredentialProviderChain:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html#constructor-property

My code is:

    // Browser build of the AWS SDK for JavaScript v2 (global AWS object)
    var chain = new AWS.CredentialProviderChain();
    chain.resolve(function (err, credentials) {
        console.log(err);         // in the browser this is the "No providers" error
        console.log(credentials); // no credentials are resolved
    });

I get a "No providers" error. I read in a comment on a similar question that if using the JavaScript SDK loaded in the browser, we cannot retrieve credentials from the C:\Users\USERNAME\.aws\credentials file.

I have read the related AWS documentation; I am not mentioning it here.

Note: later I need to implement code to be used in a mobile app. If I implement the sample using JavaScript, I need to guide the app developer. I do not know Android myself.

Update

As a step forward in using the JavaScript SDK, I have found these 2 links which I am studying:
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-browser.html
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-browser-credentials-cognito.html
Note that I want to use IAM authentication rather than Cognito authentication. Is Cognito authentication to be used if the final target is mobile apps? Please guide.

Update

Using the JavaScript SDK, I implemented this: a) used an identity pool, b) used a Cognito user pool as an identity provider, c) wrote code to log in a user pool user and obtained an ID token, d) obtained temporary AWS credentials using the identity pool.

So the question is: a) Is authentication + authorization using an identity provider + identity pool the only way to implement IAM security for API Gateway? b) How can I implement security using only IAM credentials, i.e. is there a way ahead without authentication, using only authorization?

amazon-web-services aws-api-gateway aws-iam aws-sdk-js

edited Dec 4 '18 at 6:30 by Bhargava
asked Nov 16 '18 at 13:26 by Bhargava
