I need to make a secure HTTP callout from Salesforce (using Apex) to AWS Lambda and I build my first version using AWS API Gateway. I realized I can get a client certificate from API Gateway (.crt) but this looks like it is only for AWS backend and is not meant to be for the HTTP request sent to API Gateway. What are my alternatives to establish a secure connection from outside AWS (Salesforce) to a Lambda function?
So far I've found this, which is a disappointing dead-end for now.
Like the link you posted says, API Gateway does not currently support MTLS. Other options for you to add security to the calls at the moment are:
IAM permissions, and here.
API Gateway custom authorizers.
Cognito User Pools.
If you need a custom domain associated with the API Gateway:
Go to Route53 and add your domain (new Hosted Zone), if you haven't done it already.
On AWS Certificate Manager, import or request a certificat for the custom domain you intend to use in your API Gateway endpoints.
Open the API Gateway dashboard and go to "Custom Domain Names". Click "Create a custom domain name" and, in the option "ACM Certificate (region)", select the certificate you generated/imported in item 2 above.
That's it, now you should be able to trigger your Lambda functions using API Gateway from a secure connection (HTTPS). Please note that, if you do this, API Gateway will refuse connections over insecure HTTP protocol.
Related
If i make a POST request to API gateway endpoint (configured to handle POST calls), by using AWS console how can i identify which AWS service (lambda/fargate/etc) is configured as request handler for that endpoint.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-basic-concept.html
suggest For Integrations, choose Add integration.
But how can i find handlers/integration for an existing endpoint.
I am only able to identify Invoke URL and lambda service used as authenticator. OR do i need to manually check each Application load balancer ?
If you would like to add Integrate with ALB, you could select the HTTP in Integration Request > Integration Type and input the ALB DNS into Endpoint URL.
Check out this image: Integration Request
I've been wasting about 12 hours going in circles in what seems like this:
I am trying to just make a simple static landing page in lambda and hook the root of a domain to it.
The landing page works, but api gateway didn't because AWS doesn't seem to set permissions properly by default ("internal server error" with API gateway and lambda on AWS) but now the gateway link works.
So the next steps were the following:
add a custom domain name in the api gateway
add the api mapping in the custom domain name
in route 53, create a wildcard certificate with *.domain.com and domain.com
create an A record that points to the api gateway with domain.com
create a CNAME record that points to the A record
and I get an error 403 with absolutely nothing in the log. I log both 'default' and '$default' stages in the api gateway.
I read https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-403-error-lambda-authorizer/ which is all about looking at what's in the logs...
and I find the doc is both everywhere and nowhere because it's built as chunks of 'do this' and 'do that' without ever painting a whole picture of how each piece is connected to the other, or any graph with the hierarchy of services, etc. Reminds me of code that works only when you follow the example documented and breaks otherwise.
I'm sure I'm doing something wrong, but given the lack of logs and lack of cohesive documentation, I have no idea about the problem.
Not to mention that http doesn't even connect, just https.
Can anyone outline the steps needed to achieve this? essentially: [http|https]://(www).domain.com -> one lambda function
You cannot use API Gateway for an HTTP request; it only supports HTTPS.
From the Amazon API Gateway FAQs (emphasis mine):
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.
You can use CloudFront to automatically redirect HTTP to HTTPS. How do I set up API Gateway with my own CloudFront distribution? provides a pretty simple walkthrough of connecting an API Gateway to CloudFront (you can skip the API Gateway portion and use the one you created). The important thing you'll need to do that is not in that document is to select Redirect HTTP to HTTPS.
If you truly need HTTP traffic you're probably going to need to go with an ALB.
I am building application deployed to Appsync in AWS. And appsync doesn't support custom domain so that I have to choose a workaround.
I have read some doc and all of them mention to use cloudfront. I wonder whether I can use API gateways instead of cloudfront. For me, I don't want to use any CDN for my backend (even I know I can disable cache).
And I'd like to support subscription over websocket. Does it work with api gateway?
We can setup proxy from Api Gateway both HTTP and REST. Considering this is just proxy and no customizations, we can go with cheaper option of HTTP API.
Here is the documentation.
Step by Step:
Create a HTTP Api
Add a route for /{proxy+} with ANY method.
Add an integration to ANY method pointing to appsync api suffixing with {proxy} https://kkkkabcd1efgxyzeabcdefg4.appsync-api.us-east-1.amazonaws.com/{proxy}
Route53 to point to Api Gateway.
My client has an already developed (and frozen) web service which is being secured with self signed certificate. I have configured AWS API gateway to get rid of CORS issue. When I try to call any endpoint of the web service via AWS API gateway, I find HTTP 500 Internal Server error. Until the client web service is made secured with self signed certificate, HTTP based endpoints were accessible via AWS API gateway.
What are ways to still call the web service endpoints?
API Gateway will fail on self signed certificates for http(s) backend integrations.
If you use the test functionality on the API GW you will see a error in the logs that it gives on the right about either a SSL Engine Problem or Bad Certificate.
If your backend is already in AWS and fronted by a load balancer you can think of using free certificates from ACM.
Or you can consider using a NLB that the API gateway can talk to, using the NLB you can have your backend apis' in a VPC and have no public access and still have API GW talk to them.
Edit: For some reason I am not able to link correctly. Here are some links on ACM and NLB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
I am looking to build an API orchestration layer using API Gateway and Lambda.
For my basic use case I want to have a Python script in Lambda that will just relay the request received at the API Gateway from the client (mobile app in this case) and call an external HTTPS service as the backend.
My question is:
Our mobile client uses client certificates to talk to our HTTPS endpoint today.
How do I go about intercepting that client certificate in my new API Gateway + Lambda setup?
Responded here. Copying the answer below for StackOverflow audience-
===
Unfortunately, API Gateway does not support client certificate validation from clients to API Gateway at the moment. We do, however, support client side SSL certificates for authentication by the backends.
Depending on your use-case, you can use various other options in API Gateway to authenticate/authorize your calls from the mobile client; eg API Keys, Custom Authorizers etc. The request from API Gateway to Lambda should already be encrypted.
Hope that helps,
Ritisha.