I have a scenario where I am consuming an external API that only responds if you are authenticated. The Auth is client credentials based auth i.e service to service not intended for end-users.
I am designing a client microservice that talks to this external API. However, once this microservice scales how do I share the access token returned by the external API between all instances of the client microservice?
Thank you so much for reading have a nice day!
Note: I am using AWS ECS.
You would need to store the token in some central location where other instances of the service can read it. AWS Secrets Manager, AWS Parameter Store, and DynamoDB are all good possible locations for storing that token.
Also, you won't be able to use the ECS integration with Secrets Manager or Parameter Store for this. Since the value can change while ECS tasks are running, you'll need to write custom code in your application that reads and updates the value as needed.
Related
I have been doing some research about using some AWS service as OAUTH2 for our application running in 3 docker containers (backend, frontend, database). Backend has an API which is not open to public obviously and accessible only within docker network. We are looking for extending our app with a chat service, which we want to implement as a service, so we build our app following microservices architecture, since we will add other services later on. So when user logs into our app, his session will be also "shared" with chat service.
Our chat service will be using sockets and since sockets require direct connection to user resources, we can not just implement an integration layer which will supply all resources required by chat service, but we have to either:
implement sockets within our application API (which we dont want to do, we want it as microservice),
open API endpoints for chat service to use, but this option requires OAUTH2 and thats what we try to deal with.
I am not sure if there is some other way to handle this and be also ready for a long run, but if this works, which AWS service would fit the best for us to use, which would play OAUTH2 role for handling security in this matter?
I also checked this post but it didn't help me much in my case. I'm open to any suggestions, I've checked AWS lambda, AWS cognito, AWS amplify, pretty confusing, many features, we don't want to overload the architecture with features we don't need.
What exactly is the thing you want? User accounts managed by AWS? Use cognito.
Users logging in with Apple, Facebook, Etc? Use cognito again.
Just have some backend code that once a user logs in, create a token or session so they can chat with that.
There are many youtube videos on AWS cognito but a lot of them suck. The best one is written in React but before they came out with hooks. Here is part one. https://www.youtube.com/watch?v=EaDMG4amEfk
I'm trying to create an external API using AWS API Gateway that will give users access to data stored in multiple databases. The APIs will mostly be accessed through scripts rather than through a web UI.
Are there any AWS services I can use to manage user access to my API?
I've read a little bit about Amazon Cognito and OAuth 2 but at a glance it seems like those might be more targeted towards cases with a UI for users to interact with. Is there a way to create and manage API keys with AWS?
Thanks in advance for your help!
You can use API Gateway Lambda Authorizer to write your custom login integration. For example a lambda that check in one Database if the user:password (passed as authorization header) exists in table in DynamoDB or SQL.
I have a service listening on 'https://myapp.a.run.app/dosomething', but I want to leverage the scalability features of Cloud Run, so in the controller for 'dosomething', I send off 10 requests to 'https://myapp.a.run.app/smalltask'; with my app configured to allow servicing of only one request per instance, I expect 10 instances to spin up, all do their smalltask, and return (all within the timeout period).
But I don't know how to properly authenticate the request, so those 10 requests all result in 403's. For Cloud Run services, I manually pass in a bearer token with the initial request, though I expect to add some api proxy at some point. But without said API proxy, what's the right way to send the request such that it is accepted? The app is running as a user that does have permissions to access the endpoint.
Authenticating service-to-service
If your architecture is using multiple services, these services will likely need to communicate with each other.
You can use synchronous or asynchronous service-to-service communication:
For asynchronous communication, use
Cloud Tasks for one to one asynchronous communication
Pub/Sub for one to many asynchronous communication
Cloud Scheduler for regularly scheduled asynchronous communication.
Cloud Workflows for orchestration services.
For synchronous communication
One service invokes another one over HTTP using its endpoint URL. In this use case, it's a good idea to ensure that each service is only able to make requests to specific services. For instance, if you have a login service, it should be able to access the user-profiles service, but it probably shouldn't be able to access the search service.
First, you'll need to configure the receiving service to accept requests from the calling service:
Grant the Cloud Run Invoker (roles/run.invoker) role to the calling service identity on the receiving service. By default, this identity is PROJECT_NUMBER-compute#developer.gserviceaccount.com.
In the calling service, you'll need to:
Create a Google-signed OAuth ID token with the audience (aud) set to the URL of the receiving service. This value must contain the schema prefix (http:// or https://) and custom domains are currently not supported for the aud value.
Include the ID token in an Authorization: Bearer ID_TOKEN header. You can get this token from the metadata server, while the container is running on Cloud Run (fully managed). If the application is running outside Google Cloud, you can generate an ID token from a service account key file.
For a full guide and examples in Node/Python/Go/Java and others see: Authenticating service-to-service
I want to use Cognito for authentification and s3 to store files (images) for a new app (ionic 3). But AWS isn't simple to use and as soon as I start doing something, I need to read another doc somewhere and end up with 15 tabs of documentation open. With twice as many questions.
Do I need a server (nodejs on EC2), lambda (??) or everything can be serverless (direct access to Cognito and s3)? I wish to implement a subscription system at some point.
The user should have access to a list of images (like an infographic) only if he is subscribed. The app is aimed to be deployed on Play store and iOS.
Does the user (mail/password) exist ?
Is he subscribed (monthly) ?
access to the database (read-only)
Based on the app features that you provided, you can use the following:
AWS Cognito for user authentication
AWS API Gateway and AWS Lambda for your backend REST (or GraphQL) API
AWS DynamoDB for database (or Amazon RDS if you want to use an SQL database)
AWS S3 for image storage
If your app is really basic, I think you can even skip 2 and 3.
I have an ASP.NET web api running on a Windows EC2 instance together with DynamoDB data layer. I've been looking for alternative choices on aws to secure my web api.
For that purpose, I read AWS STS and API Gateway docs. API Gateway is the first choice but I wouldn't like to use it because it forces me to learn node.js.
Cognito seems the best choice for me because it will also handle both mobil and web users. I know that Cognito also provide security on aws resources.
My question is:
Is it possible to secure Web APIs running on EC2 instances without using security tokens. Can cognito control all incoming API calls without need any additional security steps?
Thanks