I see AWS announced a new extension for Lambda to cache Secrets Manager secrets: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html
In the doc, they only mention how to use it via an HTTP request. I wonder whether it works with the AWS SDK? From my understanding, the AWS SDK uses HTTP underneath. If I use the AWS SDK to query a secret, will the extension cache the value to save cost?
I'm using a C++ client to invoke AWS API Gateway functions. Currently I'm using curl to send HTTP requests directly to the APIs. I downloaded the AWS C++ SDK and I can see that there is an "apigateway" folder inside the SDK package.
However, I could not find any information on how to use this apigateway SDK: how to invoke API Gateway functions and how to integrate with authorization as specified in the Amazon Signature V4 documentation:
When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the security credentials you specify when you configure the tools
Is there any information available on how to work with the apigateway SDK?
I have a browser app that interacts with S3. Since it was mostly an in-house tool, after authenticating to an API it directly received the ID and secret of a very restricted IAM user, which was then used to set up the AWS SDK in the browser.
I am now trying to change that app to use Cognito for authentication, so it can be accessed by external users without compromising our security.
I wound up using AWS Amplify just to handle the authentication part, and now I'm trying to figure out if there's a way of using the credentials I get from Cognito to set up the AWS JavaScript SDK and replicate the same functionality from that point on. (The way Amplify currently handles interaction with S3 does not cover all of the app's needs.)
Is there a way of doing this? I find the SDK documentation extremely confusing, and have been unable to determine if what I'm trying to do can be done at all.
Additionally, if there's a way to use the JS SDK only (without Amplify) to login a user via Cognito, that would also be preferable to me, but that's a secondary concern.
Yes, you can easily do this with Amplify, and I recommend this approach.
Here's an example from the docs using the Route53 module from the AWS JS SDK, but you can use any of the AWS modules of course.
Via https://aws-amplify.github.io/docs/js/authentication#working-with-aws-service-objects
    import { Auth } from 'aws-amplify';
    import Route53 from 'aws-sdk/clients/route53';

    // Auth.currentCredentials() resolves the temporary Cognito Identity credentials
    // for the signed-in user; Auth.essentialCredentials() reduces them to the
    // accessKeyId / secretAccessKey / sessionToken shape the SDK v2 clients expect.
    Auth.currentCredentials()
      .then(credentials => {
        const route53 = new Route53({
          apiVersion: '2013-04-01',
          credentials: Auth.essentialCredentials(credentials)
        });
        // more code working with route53 object
        // route53.changeResourceRecordSets();
      })
      .catch(err => console.error('could not obtain Cognito credentials', err));
I get an error while invoking the AWS SageMaker endpoint API from a Lambda function. When I call this using Postman, I am getting an error like:
    {
      "errorMessage": "module initialization error"
    }
Just to make it clear, you can't call SageMaker endpoints directly using Postman (even if you could, it would not be straightforward).
You may need to use the AWS SDK (i.e. boto) for that.
Ref : https://aws.amazon.com/blogs/machine-learning/call-an-amazon-sagemaker-model-endpoint-using-amazon-api-gateway-and-aws-lambda/
What I would suggest is to create a small HTTP server with Flask and use the AWS SDK (Boto) to call the endpoint. Then you can call your Flask endpoint using Postman.
We recommend using the AWS SDK to invoke your endpoint. AWS SDK clients handle serialization for you as well as request signing, etc. It would be really hard to get it right manually with Postman.
We have SDK clients available in many languages, including Java, Python, JS, etc.
https://docs.aws.amazon.com/sagemaker/latest/dg/API_runtime_InvokeEndpoint.html#API_runtime_InvokeEndpoint_SeeAlso
Next time please include more details in your question, e.g. POST request data, headers, etc.
Anyway, to help you out in calling the SageMaker endpoint using Postman:
1. In the 'Authorization' tab, select type 'AWS Signature'.
2. Enter the access key and secret key of the IAM user which has permission to the SageMaker resources.
3. Enter the AWS region, e.g. us-east-1.
4. Enter 'Service Name' as 'sagemaker'.
5. Select the right content type. Some ML algorithms only accept 'text/csv'.
6. Select request type 'POST'.
7. Enter the SageMaker invocation URL, e.g. 'https://runtime.sagemaker.us-east-1.amazonaws.com/endpoints/xgboost-xxxx-xx-xx-xx-xx-xx-xxx/invocations'
Try it out and let me know if you have any issues.
Here is how your Postman should look:
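Both the C++ question earlier on this page (how to add Signature V4 authorization to hand-made HTTP requests to API Gateway) and the Postman 'AWS Signature' steps in this answer come down to the same SigV4 computation that the SDKs perform automatically. The following Python is an added example, not code from any of the posts, from AWS or from Postman: it implements the SigV4 signing algorithm as AWS documents it and checks itself against the worked GET ListUsers request in AWS's SigV4 documentation (AKIDEXAMPLE and the accompanying secret are the documentation's dummy credentials). The function names and the returned dict shape are this example's own.

```python
"""Signature Version 4 by hand, to show what the SDK and Postman do for you.

Added example. Implements the AWS SigV4 signing steps (canonical request,
string to sign, derived signing key, signature) and verifies them against the
GET ListUsers example from the AWS SigV4 documentation.
"""
import hashlib
import hmac
from urllib.parse import quote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    """Keys sorted, every key and value URI-encoded (only RFC 3986 unreserved
    characters left alone, so '/' and ' ' are encoded as the service expects)."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def canonical_headers(headers: dict):
    """Lowercase names, values trimmed with inner whitespace collapsed, sorted by
    name. Returns (canonical header block, signed-headers list)."""
    items = sorted(
        (name.strip().lower(), " ".join(value.strip().split()))
        for name, value in headers.items()
    )
    block = "".join(f"{name}:{value}\n" for name, value in items)
    signed = ";".join(name for name, _ in items)
    return block, signed


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Per-day, per-region, per-service key derived from the secret. The
    long-term secret itself never signs a request directly."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, params, headers, body, access_key, secret_key,
                 region, service, amz_date, session_token=None):
    """Return the headers to send plus the intermediate values.

    `path` is assumed to be already normalised and URI-encoded (rules differ per
    service; S3 in particular). `amz_date` is the ISO basic timestamp
    YYYYMMDD'T'HHMMSS'Z'. Temporary credentials (STS, Cognito) must also send
    their session token, and it is covered by the signature as a header.
    """
    hdrs = dict(headers)
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:
        hdrs["x-amz-security-token"] = session_token

    header_block, signed_headers = canonical_headers(hdrs)
    canonical_request = "\n".join([
        method, path, canonical_query(params),
        header_block, signed_headers, sha256_hex(body),
    ])
    canonical_request_hash = sha256_hex(canonical_request.encode("utf-8"))

    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, canonical_request_hash])
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()

    hdrs["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {
        "headers": hdrs,
        "canonical_request": canonical_request,
        "canonical_request_hash": canonical_request_hash,
        "string_to_sign": string_to_sign,
        "signature": signature,
    }


def docs_example(session_token=None):
    """The AWS documentation's worked example: GET ListUsers against IAM with the
    documentation's dummy credentials and a fixed timestamp."""
    return sign_request(
        method="GET", host="iam.amazonaws.com", path="/",
        params={"Action": "ListUsers", "Version": "2010-05-08"},
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        body=b"",
        access_key="AKIDEXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        region="us-east-1", service="iam", amz_date="20150830T123600Z",
        session_token=session_token,
    )


if __name__ == "__main__":
    result = docs_example()
    print(result["canonical_request"])
    print(result["headers"]["authorization"])
```

Everything Postman's 'AWS Signature' option and the SDKs hide is in `sign_request`: the canonical request fixes exactly which headers and which payload bytes the signature covers, the key is derived from the secret so the secret itself is never transmitted, and temporary credentials add their session token as a signed header. If a hand-rolled client produces a canonical request that differs by a single byte from what the service reconstructs (a header it did not expect, an unencoded '/', a re-ordered query), the service rejects it with a signature mismatch; that is the practical reason the answers above steer towards the SDK.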
I am creating a backend service which will be getting requests from an Android application regarding the creation of some service requests. These service requests will contain details about the service items and also some images related to the request. We want to use S3 for storing the images directly from the Android application and getting the key of the saved image through an API call on the backend service.
The problem with this approach is authorizing the mobile application to access the shared bucket.
If we save the access key for the shared bucket in the application, the code can be decompiled and the secret will be compromised.
Another option is to create an API on the backend service which gives the authorization key to the mobile application before it needs to put the image to S3. This way we can also rotate the secrets periodically.
Which of these approaches is better in terms of security? Is there any other approach I am missing? It sounds like a standard practice to use S3 for saving files, so there must be something for this particular scenario.
You don't need to invent an API to do this: AWS provides its STS service for just this use case.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
To request temporary security credentials, you can use the AWS STS API actions. To call the APIs, you can use one of the AWS SDKs, which are available for a variety of programming languages and environments, including Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of tasks such as cryptographically signing your requests, retrying requests if necessary, and handling error responses. You can also use the AWS STS Query API, which is described in the AWS Security Token Service API Reference. Finally, two command line tools support the AWS STS commands: the AWS Command Line Interface, and the AWS Tools for Windows PowerShell.

The AWS STS API actions return temporary security credentials that consist of an access key and a session token. The access key consists of an access key ID and a secret key. Users (or an application that the user runs) can use these credentials to access your resources. When the credentials are created, they are associated with an IAM access control policy that limits what the user can do when using the credentials. For more information, see Using Temporary Security Credentials to Request Access to AWS Resources.
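As an added example (not part of the answer above or of the AWS documentation it quotes) of the backend-issued temporary credentials the question describes, here is how a backend would hand the Android client short-lived credentials that can only write that one user's prefix in the shared bucket. It uses STS AssumeRole with an inline session policy, which STS intersects with the role's own permissions so it can only narrow them. The role ARN, the bucket name and the `FakeSTS` stand-in are constructed for this example; in production `sts_client` would be `boto3.client("sts")`, whose `assume_role` call has the same keyword arguments.

```python
"""Backend issues scoped, short-lived S3 upload credentials via STS AssumeRole.

Added example. The role and bucket names are hypothetical; FakeSTS exists only
so the example runs offline and records what would have been sent to STS.
"""
import json
from datetime import datetime, timedelta, timezone

UPLOAD_ROLE_ARN = "arn:aws:iam::123456789012:role/MobileUploadRole"  # hypothetical
BUCKET = "example-service-request-images"                              # hypothetical


def build_session_policy(bucket: str, user_id: str) -> dict:
    """Session policy passed to AssumeRole. STS intersects it with the role's
    policy, so the resulting credentials can do at most PutObject under this
    user's own prefix, even though the role itself may allow the whole bucket."""
    if not user_id.isalnum():
        # keep '/', '*', '..' and friends out of the resource ARN
        raise ValueError("user_id must be alphanumeric")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/uploads/{user_id}/*",
        }],
    }


def issue_upload_credentials(sts_client, user_id: str, duration_seconds: int = 900) -> dict:
    """Call AssumeRole with the scoped session policy and return only what the
    mobile app needs. 900 s is the STS minimum; this example caps at one hour."""
    if not 900 <= duration_seconds <= 3600:
        raise ValueError("duration_seconds must be between 900 and 3600")
    resp = sts_client.assume_role(
        RoleArn=UPLOAD_ROLE_ARN,
        RoleSessionName=f"android-{user_id}",   # shows up in CloudTrail
        Policy=json.dumps(build_session_policy(BUCKET, user_id)),
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    return {
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],   # must be sent with every S3 call
        "expiration": creds["Expiration"].isoformat(),
        "bucket": BUCKET,
        "keyPrefix": f"uploads/{user_id}/",
    }


class FakeSTS:
    """Constructed stand-in for boto3's STS client: records the AssumeRole
    request and returns a credential-shaped response with a fixed clock."""

    def __init__(self):
        self.last_request = None

    def assume_role(self, **kwargs):
        self.last_request = kwargs
        issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE",
            "SecretAccessKey": "secret-example",
            "SessionToken": "session-token-example",
            "Expiration": issued + timedelta(seconds=kwargs["DurationSeconds"]),
        }}


if __name__ == "__main__":
    fake = FakeSTS()
    print(json.dumps(issue_upload_credentials(fake, "u42"), indent=2))
    print(fake.last_request["Policy"])
```

The mobile app receives three values that expire on their own and an ARN-shaped boundary it cannot escape; nothing long-lived ships in the APK, and rotating the backend's own credentials needs no app update. Cognito identity pools perform this same STS exchange for you when the client has a Cognito login, which is the route the Cognito question earlier on this page takes.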
Is there any AWS Elasticsearch client SDK for Java which signs the requests with AWS credentials? I saw this, but I guess it's for managing the AWS Elasticsearch Service.
You can create an AWS client for Elasticsearch in the following way:
    AwsClientBuilder.withCredentials(AWSCredentialsProvider)
for example:
    AWSElasticsearchClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
        .build();
How I do this is by first creating an AWSBasicSessionCredential instance by providing the awsAccessKey, awsSecretKey and sessionToken information, and then passing this instance into the code above to build the client instance. However, I do this for test programming of the clients. It's not advised to create a client this way, though. For example, one secure way would be using federated identification to generate a temporary security token and then use that to assume a role through AWS' AssumeRoleRequest, receive its response in the form of an AssumeRoleResult, and then retrieve the credential information from the AssumeRoleResult response received above. Use this credential information to generate the AWSCredentials.
Source: generating an AWS Elasticsearch client.