I'm learning serverless architectures and currently reading this article on Martin Fowler's blog.
So I see this scheme and try to replace the abstract components with AWS solutions. I wonder if not using API Gateway to control access to S3 is a good idea (in the image, database no. 2 is not using it). Martin speaks about Google Firebase and I'm not familiar with how it compares to S3.
https://martinfowler.com/articles/serverless/sps.svg
Is it a common strategy to expose S3 to client-side applications without configuring an API gateway as a proxy between them?
To answer your question - probably, yes.
But, you’ve made a mistake in selecting AWS services for the abstract in Martin’s blog. And you probably shouldn’t use S3 at all in the way you’re describing.
Instead of S3, you'll want DynamoDB. You'll also want to look at Cognito for auth.
Have a read of this after Martin’s article for how to apply what you’ve learned on AWS specific services https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/
AWS S3 is not a database; it's an object storage service.
Making an S3 bucket publicly accessible is possible but not recommended; however, you can access its objects using the S3 API, either via the CLI or the SDK.
Back to your question in the comments regarding whether consuming the API directly from the frontend (assuming you mean using JS) is a bad practice: it is for sure, since AWS highly recommends that you securely store your API credentials (keys), and as any AWS API call must include the API credentials (keys) provided by AWS for your IAM user, obviously anyone using your web application can see these keys.
Hope this answered your question.
Related
Is there an API/way to programmatically query AWS documentation for a specific service? For instance, I want to know the encryption algorithm used by a service for protecting data at rest. Can I write a script that will automatically query AWS documentation for that service and give me this information?
There is no API for AWS Documentation.
However, the AWS CLI is open-source and it has data files that detail all API calls and their parameters.
It would not, however, contain the encryption algorithms. That is internal to Amazon S3 and is not shared publicly.
I have a simple shell script which issues several commands using awscli and displays information to the screen. It depends on having correct settings in ~/.aws/config and ~/.aws/credentials. I want to distribute it to about 10 users who have IAM accounts with limited privileges. However I don't want to use the shell - I want something cross-platform, easy to use for the users and easy for me to update. So I decided that I want to create a simple web application in JS instead, using the AWS SDK.
It seems that this use case is specifically supported by AWS: the first bullet point under "Common Use Cases" in What Is the AWS SDK for JavaScript? is "Build a custom console to AWS services in which you access and combine features across Regions and services to best meet your organizational or project needs", which exactly describes what I want to do.
The problem is that I can't find the relevant documentation on how to perform the user authentication. All the examples that I was able to find talk about some "Amazon Cognito" service and discuss much more complicated use cases, such as authenticating pools of external users through an external authentication provider and mapping them to IAM roles, which sounds too complicated for what I want to do. Is there a way to just authenticate the users that I have with their IAM user/password, and authorize them to access the AWS services based on their existing IAM permissions? Or is using Cognito, creating additional roles, etc. mandatory?
While writing this question I found out another question about AWS Amplify and now I'm even more confused. Is AWS Amplify what I would want to use?
You can write a web app using the AWS SDK for JavaScript that invokes various AWS Services. You do NOT need to use AWS Amplify to create a web app.
A Web application that uses the AWS SDK for JavaScript uses creds like any other AWS app. Here is an AWS tutorial that shows how to use the AWS SDK for JavaScript to write a basic web app that invokes the AWS SQS service. It will hopefully point you in the right direction.
Creating an example messaging application
This topic covers prerequisites and other information, such as creating the required AWS resources, that you need to know to write a web app using the AWS SDK for JavaScript.
Also - the link you referenced was the JavaScript V2 Dev Guide. It's better to use the AWS JavaScript V3 Dev Guide.
I'm not familiar with AWS lambdas.
Does AWS provide swagger or anything similar to lambdas?
My use case doesn't require me to create a REST endpoint to the lambdas. Do I also need to play around with gateways as well?
I'm not looking for cli solutions: sam/aws-cli/serverless/...
Everything in AWS uses the same public API that AWS provides. How that's implemented depends on the service. The official SDKs/CLIs use that same API and abstract the implementation details for you, so I'd recommend sticking to those.
If you want to build your own tool to talk to the AWS APIs or more specifically Lambda, you can have a look at the official developer guide, which includes an API-Reference.
More specifically you're going to need these two actions:
CreateFunction
DeleteFunction
You should be aware that you need to implement the Signature v4 process to sign your requests with your AWS credentials yourself in that case, which is non-trivial. This signing process is used to authenticate yourself to AWS or, more specifically, to Identity and Access Management.
The API-Reference doesn't directly list the API-endpoints, but you're going to have to use the one for lambda in the region you want to create/delete your functions in, e.g. https://lambda.eu-central-1.amazonaws.com, where eu-central-1 would be your region. For a full list of the service endpoints for Lambda take a look at this documentation.
I'd really recommend you stick to one of the official SDKs/CLIs - this will make your life much easier.
I'm using the following upload component:
ember-file-upload
with Ember (obviously), which has S3 support, but all examples of signatures require a separate server. As my project is serverless and uses Lambda/API Gateway, I would like to create a Lambda to do the job. I've searched everywhere but can't find a working example or clear enough information that would allow me to port it. Has anyone been successful in doing this?
There are lots of insecure examples with secrets on the client but the uploads must be secure for this project and are therefore unacceptable.
This may not answer your question directly but I think this is strongly related and may help you anyway: If you are using AWS Cognito to authorize your users before uploading content to S3, you could grant that Cognito user the permission to upload content to S3 directly without using presigned URLs. I just googled a bit and found a nice article describing exactly my thoughts: http://engineering.hipolabs.com/serverless-file-upload-with-aws-cognito-and-s3/
I haven't been able to find the answer to this question in the Amazon DynamoDB documentation, so my apologies for asking such a basic question here:
Can I access DynamoDB from my own web server, or do I need to use an EC2 instance?
Other than the obvious higher latency, are there any security or performance considerations when using my own server?
You can use Amazon DynamoDB without restrictions from just about everywhere - a nice and helpful demonstration is the AWS Toolkits for Eclipse and Visual Studio, for example, which allow you to create tables, insert and edit data, initiate table scans, and more straight from your local development environment (see the introductory post AWS Toolkits for Eclipse and Visual Studio Now Support DynamoDB).
Other than the obvious higher latency, are there any security or performance considerations when using my own server?
Not really, other than facilitating SSL via the HTTPS endpoint, if your use case requires respective security.
In case you are not using it already, you should check out AWS Identity and Access Management (IAM) as well, which is highly recommended to securely control access to AWS services and resources for your users (i.e. your web server here), rather than simply using your main AWS account credentials.
Depending on your server location, you might want to select an appropriate lower latency endpoint eventually - the currently available ones are listed in Regions and Endpoints, section Amazon DynamoDB.