More interesting and useful API Gateway integration into AWS Services - amazon-web-services

There are instructions on how to integrate between API Gateway and SNS here but this is a bit of a toy example.
I want to know how I can subscribe to a topic via API Gateway -> SNS Integration.
And to this purpose what I'm looking for is general documentation on doing this, as I assume it is possible. If you can ListTopics (which the example indicates) surely you can do other things...
Edit: So I now know that when I do an integration into SNS it sends the following to SNS: https://sns.eu-west-1.amazonaws.com/?Action=CreateTopic
So that's a good start as that is how to call SNS to create a topic.
So now the question is how do I parameterise this?
I have also figured out that I can do a form post to the SNS endpoint and thus include my parameters. However, then I get a signature not present error...

Related

How to send data from slack to lambda?

What: I am trying to implement CodePipeline manual approval Slack notification.
I was reading this implementation https://aws.amazon.com/blogs/devops/use-slack-chatops-to-deploy-your-code-how-to-integrate-your-pipeline-in-aws-codepipeline-with-your-slack-channel/
In this implementation:
Manual approval from CodePipeline will invoke a Lambda which will post a message to the Slack channel for yes or no approval.
Now here is where I think I can implement it in a better way: the blog talks about sending the approval data to API Gateway and then invoking a Lambda which will tell CodePipeline to proceed with the deploy stage or not.
Instead of API Gateway I think we can use a function URL to invoke the Lambda.
I am wondering if someone has also faced a similar situation; what pattern did they use?

Can an SNS trigger an API gateway? If yes, then how can the API gateway subscribe to the SNS?

I need to create an API gateway to consume messages from an SNS. I see that there are some questions on the same, like this, which hasn't been answered directly.
The main issue I face is : How to make the API gateway subscribe to the SNS?
SNS supports HTTP/HTTPS endpoint subscriptions. So I don't see a reason why you could not subscribe API gateway https endpoint to SNS this way.
As Marcin has mentioned, it can be done. Mentioning the steps I used:
Create SNS, and a lambda
Whatever the language is, make sure to print the event in the log. (For JavaScript, use console.log(event), and for Python use print(event) etc)
Create an API Gateway (REST API), select a "New API", and create it.
In the API create a POST method, select lambda, and make sure to use it as a proxy.
Copy the trigger HTTPS link
Add a HTTPS subscription in the SNS, and use the trigger link here.
The confirmation would be pending now.
Go to the lambda, inside its monitoring section, go to CloudWatch Logs.
Inside the logs, you will find the event object printed. Inside it, look for SubscribeURL, along which the URL would be mentioned.
Copy this URL, and go back to the SNS. Select your subscription and use the "Confirm Subscription" option, and paste this link there.
The status should come as "Confirmed" now.
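
The confirmation in the steps above can also be done by the Lambda itself instead of copying SubscribeURL out of the logs. This is an added example, not part of the original answer; it assumes a REST API proxy integration, commercial-region SNS hostnames and a placeholder topic ARN, and `isSnsUrl`, `classify` and `makeHandler` are hypothetical names.

```javascript
// Added example; EXPECTED_TOPIC_ARN is a constructed placeholder.
const EXPECTED_TOPIC_ARN = "arn:aws:sns:eu-west-1:123456789012:example-topic";

// Accept only https URLs on a regional SNS hostname (no userinfo, default port).
// Assumption: commercial regions only (other partitions use different suffixes).
function isSnsUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  return u.protocol === "https:" && u.username === "" && u.port === "" &&
    /^sns\.[a-z0-9-]+\.amazonaws\.com$/.test(u.hostname);
}

// Turn one API Gateway proxy event into a decision, with no side effects.
function classify(event) {
  const headers = {};
  for (const [k, v] of Object.entries(event.headers || {})) headers[k.toLowerCase()] = v;
  let msg;
  try {
    const raw = event.isBase64Encoded
      ? Buffer.from(event.body, "base64").toString("utf8") : event.body;
    msg = JSON.parse(raw);
  } catch { msg = null; }
  if (msg === null || typeof msg !== "object")
    return { action: "reject", reason: "body is not a JSON object" };
  if (headers["x-amz-sns-message-type"] !== msg.Type)
    return { action: "reject", reason: "header and body Type differ" };
  if (msg.TopicArn !== EXPECTED_TOPIC_ARN)
    return { action: "reject", reason: "unexpected TopicArn" };
  if (msg.Type === "SubscriptionConfirmation") {
    return isSnsUrl(msg.SubscribeURL)
      ? { action: "confirm", url: msg.SubscribeURL }
      : { action: "reject", reason: "SubscribeURL is not an SNS endpoint" };
  }
  if (msg.Type === "Notification") return { action: "process", message: msg.Message };
  return { action: "reject", reason: "unsupported Type" };
}

// Build the Lambda handler; fetchImpl is injectable so the logic can be tested offline.
function makeHandler(fetchImpl) {
  return async (event) => {
    const d = classify(event);
    if (d.action === "confirm") await fetchImpl(d.url); // a GET confirms the subscription
    if (d.action === "reject") console.warn("rejected SNS delivery:", d.reason);
    return { statusCode: d.action === "reject" ? 403 : 200, body: d.action };
  };
}
const handler = makeHandler((url) => fetch(url)); // use this as the Lambda entry point
```

Because the endpoint is public, the topic ARN and SubscribeURL host checks keep an arbitrary caller from making the function fetch a URL of their choosing.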

Subscribe AWS SNS to HTTP endpoint without confirmation?

I need to subscribe an AWS SNS topic to an HTTP endpoint that I do not control, but I am blocked by the anti-abuse measure in SNS that requires the subscribed endpoint to confirm the subscription. This would require modifying the web service.
Given that I don't have the ability to modify the web service, that is probably the end of this discussion. I will need to find another solution. But, I would like to explain my scenario in case there is a workaround:
The messages we are sending are logs.
It works like this:
log_source -> sns_topic
sns_topic -> log_endpoint*
log_endpoint* -> log_data_store
* means it is not controlled by us
AWS SNS is such a wonderful solution to our problem, it is a shame that we cannot leverage it because of this anti-abuse measure.
I believe we are stuck because we have no control over how AWS will form the magic confirmation URL, nor how the log_endpoint will process it.
If there is no workaround, perhaps there is an analogous AWS service that I could leverage?

Posting SNS messages to AWS_IAM authenticated Api Gateway endpoint

I've created SNS topic
I've created API Gateway endpoint that invokes Lambda function
I've created topic HTTPS subscription that points to API Gateway endpoint
Problem: everything works fine when AUTH=none, but when I enabled AUTH=AWS_IAM, neither subscription nor messages are delivered to my lambda. They also won't show up in Lambda OR Gateway CloudWatch logs as is usually the case with authentication errors.
Questions:
What's the identity delivered by the HTTPS endpoint to AWS_IAM so it doesn't allow it (my first thought was to relay the SNS poster's token but it doesn't seem to be the case)?
I couldn't find any way to associate HTTPS endpoint with any identity, is there a way?
There is a lot of information about delivering SNS to SQS or Gateway to SNS, but I couldn't find any information about achieving what I'm trying to do.
Is there any method to debug AWS_IAM authentication problems? Documentation I've seen advises to "check privileges", which is something I've been doing for many hours, but I have no more ideas.
I'd be glad to hear any ideas from you, thanks.
As you may have seen in the docs, SNS can only do Basic/Digest Auth http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.html
There is a section in the docs about verifying the validity of the message but that is code you'd have to write yourself or lift from one of the SNS SDKs on the backend. There really isn't any way to get SNS to sign the request with AWS SigV4, unfortunately.
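
The message validation the answer above refers to, as an added example that is not part of the original thread or of any AWS SDK. It assumes the caller downloads the PEM from SigningCertURL after the URL check passes; `stringToSign`, `isTrustedCertUrl`, `verifySnsMessage` and `demo` are hypothetical names, and the demo message and key are constructed.

```javascript
// Added example using Node's built-in crypto; field order follows the SNS docs.
const nodeCrypto = require("crypto");
const CONFIRM = ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"];
const SIGNED_FIELDS = {
  Notification: ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"],
  SubscriptionConfirmation: CONFIRM, UnsubscribeConfirmation: CONFIRM,
};

// Canonical string SNS signs: "Name\nValue\n" per field; Subject only when present.
function stringToSign(msg) {
  const fields = SIGNED_FIELDS[msg.Type];
  if (!fields) throw new Error("unsupported Type");
  return fields.map((k) => {
    if (msg[k] == null) {
      if (k === "Subject") return "";
      throw new Error(`missing field ${k}`);
    }
    return `${k}\n${msg[k]}\n`;
  }).join("");
}

// The certificate must come from an SNS host, or a sender could supply its own.
function isTrustedCertUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  return u.protocol === "https:" && u.username === "" && u.port === "" &&
    /^sns\.[a-z0-9-]+\.amazonaws\.com$/.test(u.hostname) && u.pathname.endsWith(".pem");
}

// certPem: the PEM the caller downloaded from msg.SigningCertURL after the URL check.
function verifySnsMessage(msg, certPem) {
  if (!isTrustedCertUrl(msg.SigningCertURL)) return false;
  const algo = { 1: "RSA-SHA1", 2: "RSA-SHA256" }[msg.SignatureVersion];
  if (!algo || typeof msg.Signature !== "string") return false;
  try {
    return nodeCrypto.createVerify(algo).update(stringToSign(msg), "utf8")
      .verify(certPem, msg.Signature, "base64");
  } catch { return false; }
}

// Constructed demo: a throwaway key stands in for the SNS signing certificate.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const msg = { Type: "Notification", MessageId: "constructed-id", Message: "hello",
    Timestamp: "2024-01-01T00:00:00.000Z", SignatureVersion: "2",
    TopicArn: "arn:aws:sns:eu-west-1:123456789012:example-topic",
    SigningCertURL: "https://sns.eu-west-1.amazonaws.com/constructed.pem" };
  msg.Signature = nodeCrypto.createSign("RSA-SHA256").update(stringToSign(msg)).sign(privateKey, "base64");
  const pem = publicKey.export({ type: "spki", format: "pem" });
  return [verifySnsMessage(msg, pem), verifySnsMessage({ ...msg, Message: "tampered" }, pem)];
}
```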
Why don't you let the Lambda function subscribe directly to the SNS topic (without going through API Gateway)?
That should be straightforward: https://docs.aws.amazon.com/sns/latest/dg/sns-lambda.html
Here is the complete link which will help you in solving your authentication problem. https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/
If it's a "Check privileges" issue, then your IAM user doesn't have sufficient access to the resources to make any changes.

AWS SNS pubs from the browser

I have a lambda function I'd like to invoke from the client-side. I was going to use the API Gateway, but it occurred to me that the queuing SNS affords might be handy.
After researching, it appears the only way to publish to SNS thru the JavaScript SDK is auth thru Google/Facebook or AWS Cognito. I'd like users (more specifically, events) to be able to push w/o auth'ng, so that's not an option.
The last option is hard-coding an AWS key. This is pretty explicitly discouraged in the docs, but after looking into it, it looks like I can create security provisions for a specific key and limit it to publishing only to one topic.
In other words, it'd ostensibly mimic a REST API, wouldn't it?
The only drawback I can think of is malicious spamming of the SNS. I know AWS API allows for rate-throttling, but couldn't find something similar on SNS.
So, 2 related questions:
Is there a way to prevent malicious spam to an SNS topic?
Are there other drawbacks to using SNS instead of an AWS API for invoking lambdas?
What queueing are you wanting to get from an SNS topic? I think you may be confusing SNS with SQS.
I see no advantage to using SNS->Lambda in this instance versus API->Lambda. I do however see several drawbacks to using SNS in this instance as it adds an unnecessary complication, as well as opens up unnecessary security risks.
You literally get no advantage to using SNS here, while you get several advantages to using API Gateway such as rate limiting and API key support. Not to mention that API Gateway endpoints are much easier to access from the browser than SNS topics. This is API Gateway's intended use, why try to hack together some method using SNS and hard coded AWS keys?