Say you have a Mulesoft API which has a custom policy applied. The policy would encrypt a value (e.g. accountId) of the response from the API. Is it possible to call this custom policy through a Postman script where you'd send an accountId and get the encrypted value? How do you validate a custom policy in Mulesoft?
Assuming your API is a REST API, you send it an HTTP request (with JSON or XML) and check that the answer is the expected one. You can't really test the policy directly. A policy modifies the input or output of an API. You need to apply it to an API and observe the results. Any HTTP client (Postman, curl) or your preferred programming language should work as a client. That's the point of using HTTP.
Use Case: I need to perform an API request mapping that requires data from DynamoDB.
Desired Solution: I'd like to do this using API Gateway features if possible, which would look something like this:
An external REST API request is received by API Gateway
A Proxy Resource extracts a parameter, say accountId, from the HTTP path
A Service Integration (GetItem) reads a set of values from DynamoDB using the accountId key
The values read from the DB are input to a Request Mapper VTL template
The transformed API request is then sent to an HTTP Integration endpoint
Questions:
Is that possible to do using API Gateway out-of-the-box or is that sequence too advanced?
If it's not possible, then is a lambda the best option to do most of this work (read DB, transform request, route HTTP)?
Thanks for your help!
API Gateway will not make DB queries for you. Routing this through a Lambda function is the best option here.
I am using AWS API Gateway for communicating from the Action on Google Console to AWS Lambda. In this scenario I am making a POST call and I want to find the user in this call. I came to know that this is sent in the header. So I did the following steps:
Created a resource and method, and that's working fine; data is being passed successfully between them.
Now I want to pass the header to find the user, so what I did was use the authorizer from the AWS API Gateway console and then click on Create an authorizer.
Now I am confused: in this scenario I want a header and body, so what should I set it as in the Lambda Event Payload?
Either Token or payload; in the case of Token, it's only sending the authorization part as a header.
So according to my understanding, in my scenario I'll be needing Request. But in Request, what should I add as Identity Sources for the header in the console?
Actually, for the above problem we need to do the implementation in the Integration Request in the AWS API console. Go to the Mapping Template in the Integration Request.
For further reference use this article
I want to use API keys for authorization and for grouping users accessing the APIs in API Gateway. The requests will be sent from a web page using JavaScript calls.
Is there any way to encrypt the API keys?
Let's say I am able to encrypt it, will it be beneficial at all? Because someone can still see the encrypted API keys and use them, and they will still work, because anyhow I will be decrypting them somewhere.
Is there any better way?
You cannot protect your API keys for authorization when your API calls are initiated from the client (i.e., JavaScript). As you said, there will be no point of encrypting them as well. You'll need to have an authorization provider that can return the API key as part of the response.
API Gateway allows you to have custom authorizer for your API. See Output from an Amazon API Gateway Custom Authorizer.
I'm currently building a simple API with AWS API Gateway. I'll use Auth0 for the authentication. I've created a simple Lambda function which will deliver some JSON content on a GET request. Without authentication, it's working. So I've created a custom authorizer for the API using a Lambda call. Testing only this Lambda call with a valid token is working. Testing the custom authorizer with the token is working, and also testing the specific GET request with a valid token is working. Now I want to use Postman to check the API, but there I get a 401. Anybody got an idea what the problem could be? Thanks for your help.
First check the Token Source in your API Gateway. Its value should be 'Authorization', not 'method.request.header.Authorization'.
If the above setting is correct, then see how to invoke it from Postman:
To call an API with the custom TOKEN authorizer:
Open Postman, choose the GET method and paste the API's Invoke URL into the adjacent URL field.
Add the custom authorization token header and set the value to allow. Choose Send.
Worth reading: http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html#call-api-with-api-gateway-custom-authorization
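The two answers above both hinge on what a custom TOKEN authorizer receives and returns: the header named in Token Source lands in `event.authorizationToken`, and the function must hand back an IAM-style policy document. This is an added Node.js example, not code from either answer; it mirrors the semantics of the AWS sample authorizer the linked docs walk through (token value `allow` grants, `deny` refuses, `unauthorized` yields a 401, anything else a 500), and the `sampleEvent`, ARN and principal id are constructed values.

```javascript
// Added example: a TOKEN-type Lambda authorizer for API Gateway in Node.js.
// API Gateway copies the header named in the authorizer's Token Source
// ("Authorization") into event.authorizationToken before invoking this function.

// Builds the output shape API Gateway expects from a custom authorizer.
function generatePolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
    // Optional key/value pairs exposed as $context.authorizer.* in mapping templates.
    context: { source: 'custom-token-authorizer' },
  };
}

// Synchronous core kept separate from the Lambda entry point so it can be unit
// tested without a Lambda runtime. Token handling follows the AWS sample authorizer.
function authorize(event) {
  if (event.type !== 'TOKEN') throw new Error('Error: Unexpected authorizer type');
  const token = event.authorizationToken;
  const methodArn = event.methodArn; // arn:aws:execute-api:region:account:api/stage/verb/path
  switch (token) {
    case 'allow':
      return generatePolicy('user', 'Allow', methodArn);
    case 'deny':
      return generatePolicy('user', 'Deny', methodArn);
    case 'unauthorized':
      // The exact message "Unauthorized" is what makes API Gateway respond 401.
      throw new Error('Unauthorized');
    default:
      // Any other error surfaces as a 500. In a real deployment this is where the
      // token (e.g. an Auth0 JWT) would be verified instead of string-matched.
      throw new Error('Error: Invalid token');
  }
}

// Lambda entry point (export as `handler` in the deployed function).
const handler = async (event) => authorize(event);

// Constructed sample event in the shape API Gateway sends to a TOKEN authorizer.
const sampleEvent = {
  type: 'TOKEN',
  authorizationToken: 'allow',
  methodArn: 'arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/items',
};
```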
I'd like to add a default throttled API key for unauthenticated requests to prevent abuse.
How would I do this in API Gateway?
EDIT
To make it clearer what I need, how do I transform a request in API Gateway? Is this possible?
I would say using Cognito is the best way of authorizing API Gateway.
If you want a default API key then you can go for a custom API Gateway authorizer. Please have a look at the official documentation for the same here
You need to store the API key on the server side of your application and shouldn't expose it to the client side (although an API key is not considered a security token, it can be used by a malicious party to call your API).
There are a couple of options you have, based on the nature of your application consuming the API.
If it is a single-page web application where the front end is hosted in S3, you can use AWS CloudFront to store the API key in headers and forward it to the API Gateway, while also serving the front end through the same CloudFront distribution. This will also remove the cross-origin resource sharing problem between your web application and API Gateway.
If you have a web server, you can store the API key at the web server and use it to proxy requests to the API Gateway while setting the API key header value.
Note: Don't use an API key for authentication; it is not recommended.
This is how I would solve it.
Create a Usage Plan with the throttle, burst and max limit on the requests allowed.
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/APIGateway.html#createUsagePlan-property
API Key:
Create an API Key (createApiKey) and associate it (createUsagePlanKey) with the Usage Plan already defined. That will enforce the limit defined for the requests received.
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/APIGateway.html#createApiKey-property
http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/APIGateway.html#createUsagePlanKey-property
Have a separate Lambda to monitor the generated API keys and clean up once they have expired, so you will not flood API Gateway with unused keys.
If you take it to CloudFront, you can create a self-signed URL that will be valid for a given period of time. After that time limit the URL will be invalid. This is to keep yourself time-limited for the user, so within the given time limit, what resource they can access.
One more use case we worked on: you can authenticate the user only on certain URLs with a custom authorizer. Any other URLs that get invoked will return unauthorized without any additional code.
Hope it helps.
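The three SDK calls listed in the answer above (createUsagePlan, createApiKey, createUsagePlanKey) have to be chained so that the key ends up attached to the plan carrying the throttle. This added example, which is not the answer's own code, wires them together in Node.js. It takes the API Gateway client as a parameter so it can run offline against the constructed `FakeApiGateway` stand-in below; in a deployment you would pass `new AWS.APIGateway({ region })` from the aws-sdk v2 package instead. The ids, key value and limits are constructed.

```javascript
// Added example: create a throttled default API key for unauthenticated callers
// by chaining createUsagePlan -> createApiKey -> createUsagePlanKey.
async function createThrottledDefaultKey(apigw, { apiId, stage, name, rateLimit, burstLimit, dailyQuota }) {
  // 1. Usage plan carrying the throttle (requests/second, burst) and a daily quota.
  const plan = await apigw.createUsagePlan({
    name: `${name}-plan`,
    throttle: { rateLimit, burstLimit },
    quota: { limit: dailyQuota, period: 'DAY' },
    apiStages: [{ apiId, stage }],
  }).promise();

  // 2. The API key itself. Its value is generated by the service; keep it server side.
  const key = await apigw.createApiKey({
    name,
    enabled: true,
    description: 'Default throttled key for unauthenticated requests',
  }).promise();

  // 3. Attach the key to the plan so the plan's limits apply to requests using it.
  await apigw.createUsagePlanKey({
    usagePlanId: plan.id,
    keyId: key.id,
    keyType: 'API_KEY',
  }).promise();

  return { usagePlanId: plan.id, apiKeyId: key.id, apiKeyValue: key.value };
}

// Constructed stand-in for the aws-sdk v2 APIGateway client: it records each call
// and returns the ids a real call would, so the wiring can be checked offline.
class FakeApiGateway {
  constructor() { this.calls = []; }
  respond(op, params, response) {
    this.calls.push({ op, params });
    return { promise: async () => response }; // same .promise() shape as the real SDK
  }
  createUsagePlan(params) { return this.respond('createUsagePlan', params, { id: 'plan-123' }); }
  createApiKey(params) { return this.respond('createApiKey', params, { id: 'key-456', value: 'CONSTRUCTED-KEY-VALUE' }); }
  createUsagePlanKey(params) { return this.respond('createUsagePlanKey', params, { id: params.keyId }); }
}
```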