AWS API Gateway Security : Externalize IAM User Credentials
I am developer fairly new to AWS detailed Usage. In AWS, I have implemented a sample Serverless Architecture flow/application. The services used for layers are Dynamodb(DB)-Lamda(DAO)-API Gateway(API)-S3 Bucket(Presentation.)
I need to secure the API Gateway.
How can I:
- How to externalize IAM User credentials file using Javascript SDK instead of putting IAM User crentials in code, : a) In local windows b) for S3 Bucket.
- If I use credentials file, how would the JavaScript SDK Code know to use my AWS Account? From the IAM User credentials?
- Is there a way to create the credentials file using AWS Console, I do not yet know to use AWS CLI?
I checked implemented and implemented 3 ways out of from here for API Security: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html
1) Cognito User Pool 2) Usage Plan+API Key 3) IAM User Authentication : I Set AWS_IAM as Authorization type for api Gateway. I created an IAM User, attached an IAM policy with permission to Invoke the api. I followed this:
https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
and https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
I feel that IAM User Authentication is the most secure, as we make SigV4 signed request. My specific question here is about putting and retrieving the IAM User credentials in an external file mentioned in documentation as ~/.aws/credentials. In general, please guide me further.
I am presently using JavaScript SDK, loading in Browser. In my local Windows System, I created the credentials file under C:UsersUSERNAME.awscredentials, in the format given as in here:https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html
I tried using the Javascript SDK CredentialProviderChain
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html#constructor-property
My code is
var chain = new AWS.CredentialProviderChain();
chain.resolve(function(err, credentials)
{
console.log(err);
console.log(credentials);
});
I get "No Providers" error. I read in a comment for similar question that If using Javascript SDK loading in browser we cannot retrieve credentails from C:UsersUSERNAME .awscredentials file.
I have read related AWS documentations, not mentioning here.
Note: Later I need to implement code to be used in mobile app. If I implement sample using JavaScript, I need to guide the App Developer. I do not know Android by myself.
Update
As a step forward in using Javascript SDK, I have found these 2 links which i am studying:
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-browser.html
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-browser-credentials-cognito.html
Note, that I want to use IAM Authentication rather than Cognito authentication. Is Cognito authentication to be used if the final target is mobile apps ? Please guide.
Update
Using Javascript SDK, I Implemented this: a) Used an identity Pool b) Used Cognito User Pool as an Identity Provider. c) Wrote code to Log in a User Pool User, obtained ID Token. d) Obtained Temporary AWS Credentials using the Identity Pool.
So the question is : a) Is Authentication+Authorization using Identity Provider+Identity Pool, the only way to implement IAM Security for API Gateway ? b) How to implement security only using IAM Credentials ie is there way ahead without Authentication only using Authorization ?
amazon-web-services aws-api-gateway aws-iam aws-sdk-js
add a comment |
I am developer fairly new to AWS detailed Usage. In AWS, I have implemented a sample Serverless Architecture flow/application. The services used for layers are Dynamodb(DB)-Lamda(DAO)-API Gateway(API)-S3 Bucket(Presentation.)
I need to secure the API Gateway.
How can I:
- How to externalize IAM User credentials file using Javascript SDK instead of putting IAM User crentials in code, : a) In local windows b) for S3 Bucket.
- If I use credentials file, how would the JavaScript SDK Code know to use my AWS Account? From the IAM User credentials?
- Is there a way to create the credentials file using AWS Console, I do not yet know to use AWS CLI?
I checked implemented and implemented 3 ways out of from here for API Security: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html
1) Cognito User Pool 2) Usage Plan+API Key 3) IAM User Authentication : I Set AWS_IAM as Authorization type for api Gateway. I created an IAM User, attached an IAM policy with permission to Invoke the api. I followed this:
https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
and https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
I feel that IAM User Authentication is the most secure, as we make SigV4 signed request. My specific question here is about putting and retrieving the IAM User credentials in an external file mentioned in documentation as ~/.aws/credentials. In general, please guide me further.
I am presently using JavaScript SDK, loading in Browser. In my local Windows System, I created the credentials file under C:UsersUSERNAME.awscredentials, in the format given as in here:https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html
I tried using the Javascript SDK CredentialProviderChain
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html#constructor-property
My code is
var chain = new AWS.CredentialProviderChain();
chain.resolve(function(err, credentials)
{
console.log(err);
console.log(credentials);
});
I get "No Providers" error. I read in a comment for similar question that If using Javascript SDK loading in browser we cannot retrieve credentails from C:UsersUSERNAME .awscredentials file.
I have read related AWS documentations, not mentioning here.
Note: Later I need to implement code to be used in mobile app. If I implement sample using JavaScript, I need to guide the App Developer. I do not know Android by myself.
Update
As a step forward in using Javascript SDK, I have found these 2 links which i am studying:
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-browser.html
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-browser-credentials-cognito.html
Note, that I want to use IAM Authentication rather than Cognito authentication. Is Cognito authentication to be used if the final target is mobile apps ? Please guide.
Update
Using Javascript SDK, I Implemented this: a) Used an identity Pool b) Used Cognito User Pool as an Identity Provider. c) Wrote code to Log in a User Pool User, obtained ID Token. d) Obtained Temporary AWS Credentials using the Identity Pool.
So the question is : a) Is Authentication+Authorization using Identity Provider+Identity Pool, the only way to implement IAM Security for API Gateway ? b) How to implement security only using IAM Credentials ie is there way ahead without Authentication only using Authorization ?
amazon-web-services aws-api-gateway aws-iam aws-sdk-js
add a comment |
I am developer fairly new to AWS detailed Usage. In AWS, I have implemented a sample Serverless Architecture flow/application. The services used for layers are Dynamodb(DB)-Lamda(DAO)-API Gateway(API)-S3 Bucket(Presentation.)
I need to secure the API Gateway.
How can I:
- How to externalize IAM User credentials file using Javascript SDK instead of putting IAM User crentials in code, : a) In local windows b) for S3 Bucket.
- If I use credentials file, how would the JavaScript SDK Code know to use my AWS Account? From the IAM User credentials?
- Is there a way to create the credentials file using AWS Console, I do not yet know to use AWS CLI?
I checked implemented and implemented 3 ways out of from here for API Security: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html
1) Cognito User Pool 2) Usage Plan+API Key 3) IAM User Authentication : I Set AWS_IAM as Authorization type for api Gateway. I created an IAM User, attached an IAM policy with permission to Invoke the api. I followed this:
https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
and https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
I feel that IAM User Authentication is the most secure, as we make SigV4 signed request. My specific question here is about putting and retrieving the IAM User credentials in an external file mentioned in documentation as ~/.aws/credentials. In general, please guide me further.
I am presently using JavaScript SDK, loading in Browser. In my local Windows System, I created the credentials file under C:UsersUSERNAME.awscredentials, in the format given as in here:https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html
I tried using the Javascript SDK CredentialProviderChain
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html#constructor-property
My code is
var chain = new AWS.CredentialProviderChain();
chain.resolve(function(err, credentials)
{
console.log(err);
console.log(credentials);
});
I get "No Providers" error. I read in a comment for similar question that If using Javascript SDK loading in browser we cannot retrieve credentails from C:UsersUSERNAME .awscredentials file.
I have read related AWS documentations, not mentioning here.
Note: Later I need to implement code to be used in mobile app. If I implement sample using JavaScript, I need to guide the App Developer. I do not know Android by myself.
Update
As a step forward in using Javascript SDK, I have found these 2 links which i am studying:
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-browser.html
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-browser-credentials-cognito.html
Note, that I want to use IAM Authentication rather than Cognito authentication. Is Cognito authentication to be used if the final target is mobile apps ? Please guide.
Update
Using Javascript SDK, I Implemented this: a) Used an identity Pool b) Used Cognito User Pool as an Identity Provider. c) Wrote code to Log in a User Pool User, obtained ID Token. d) Obtained Temporary AWS Credentials using the Identity Pool.
So the question is : a) Is Authentication+Authorization using Identity Provider+Identity Pool, the only way to implement IAM Security for API Gateway ? b) How to implement security only using IAM Credentials ie is there way ahead without Authentication only using Authorization ?
amazon-web-services aws-api-gateway aws-iam aws-sdk-js
I am developer fairly new to AWS detailed Usage. In AWS, I have implemented a sample Serverless Architecture flow/application. The services used for layers are Dynamodb(DB)-Lamda(DAO)-API Gateway(API)-S3 Bucket(Presentation.)
I need to secure the API Gateway.
How can I:
- How to externalize IAM User credentials file using Javascript SDK instead of putting IAM User crentials in code, : a) In local windows b) for S3 Bucket.
- If I use credentials file, how would the JavaScript SDK Code know to use my AWS Account? From the IAM User credentials?
- Is there a way to create the credentials file using AWS Console, I do not yet know to use AWS CLI?
I checked implemented and implemented 3 ways out of from here for API Security: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html
1) Cognito User Pool 2) Usage Plan+API Key 3) IAM User Authentication : I Set AWS_IAM as Authorization type for api Gateway. I created an IAM User, attached an IAM policy with permission to Invoke the api. I followed this:
https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
and https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
I feel that IAM User Authentication is the most secure, as we make SigV4 signed request. My specific question here is about putting and retrieving the IAM User credentials in an external file mentioned in documentation as ~/.aws/credentials. In general, please guide me further.
I am presently using JavaScript SDK, loading in Browser. In my local Windows System, I created the credentials file under C:UsersUSERNAME.awscredentials, in the format given as in here:https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html
I tried using the Javascript SDK CredentialProviderChain
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html#constructor-property
My code is
var chain = new AWS.CredentialProviderChain();
chain.resolve(function(err, credentials)
{
console.log(err);
console.log(credentials);
});
I get "No Providers" error. I read in a comment for similar question that If using Javascript SDK loading in browser we cannot retrieve credentails from C:UsersUSERNAME .awscredentials file.
I have read related AWS documentations, not mentioning here.
Note: Later I need to implement code to be used in mobile app. If I implement sample using JavaScript, I need to guide the App Developer. I do not know Android by myself.
Update
As a step forward in using Javascript SDK, I have found these 2 links which i am studying:
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-browser.html
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-browser-credentials-cognito.html
Note, that I want to use IAM Authentication rather than Cognito authentication. Is Cognito authentication to be used if the final target is mobile apps ? Please guide.
Update
Using Javascript SDK, I Implemented this: a) Used an identity Pool b) Used Cognito User Pool as an Identity Provider. c) Wrote code to Log in a User Pool User, obtained ID Token. d) Obtained Temporary AWS Credentials using the Identity Pool.
So the question is : a) Is Authentication+Authorization using Identity Provider+Identity Pool, the only way to implement IAM Security for API Gateway ? b) How to implement security only using IAM Credentials ie is there way ahead without Authentication only using Authorization ?
amazon-web-services aws-api-gateway aws-iam aws-sdk-js
amazon-web-services aws-api-gateway aws-iam aws-sdk-js
edited Dec 4 '18 at 6:30
Bhargava
asked Nov 16 '18 at 13:26
BhargavaBhargava
10914
10914
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53338818%2faws-api-gateway-security-externalize-iam-user-credentials%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53338818%2faws-api-gateway-security-externalize-iam-user-credentials%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown