Is it possible for the Execution role in the API Gateway AWS Service integration config to inherit policy permissions from the running user.
Currently we are using a custom authorizer for API auth which as its output returns a policy document with statementOne.Action = 'execute-api:Invoke'. Is it possible to restrict or increase the permissions a API has when integrating API Gateway with other AWS services such as S3.
For example is it possible to have a custom authorizer with an API Gateway S3 proxy and set conditional IAM policy to only allow the userId (set via the principalId) to get S3 objects that are prefixed with their userId???
See execution role in this image from the AWS docs taken from here;
Yes, it is possible to pass through the IAM identity from the invoking user. You can do this by filling in arn:aws:iam::*:user/* as execution role.
More details can be found in the AWS docs
Related
Is there a way that we can pass session tags when lambda assumes its execution role behind the scenes for us? My requirement is that I'm signing IAM authenticated API gateway request
inside my lambda function to call my another service hosted in API gateway. The problem is that I need to assume another role because I need session tags with the credentials I sign the request and the reasons for that is I'm using principal tags inside my IAM policy to further secure the access to invoke the API.
On AWS Authentication i.e at method execution either we can have authentication on the basis of AWS IAM or custom one i.e lambda authorizer.
How can we have both?
I'm not clear on how to send credentials and IAM access to an API gateway. This seems clear:
There is the tutorial on AWS but this is not the way I wanted to access my API.
API Gateway example
As most would know, you put your AWS Key and Secret key in a configuration file that lives in .AWS on the userspace of the user but if you are using a website, for example, you won't have that. Is the idea that anytime a user access the API that you put that user in an anonymous group that has access to the .credentials file?
You are describing IAM authentication for API Gateways. For your of your web app to generate IAM credentials I would recommend using a Cognito Identity Pool Authenticated Role. The Cognito Identity Pool Authenticated Role Exchanges a JWT for the AWS IAM credentialsthat are used in API calls. Your users will first authenticate against the identity pool. The identity pool even allows for unauthenticated users that are using your registered app to generate credentials with permissions which you specify. This guide will show you how to generate these credentials in your code.
Alternatively you can use API Gateway Identity Pool Authorizer or API Gateway Lambda Authorizer to secure your API.
I have created a REST API using lambda and API gateway.
I want to give access for this API to another lambda function which is running in another AWS account.
I was thinking to create IAM based authorisation for this API. But I am not sure if this cross-AWS account based IAM authorisation is feasible?
Any better suggestions?
You can assume a role in the target account and then invoke the lambda directly using the temporary credentials. This method does not require an integration with API gateway.
You can also use IAM Authentication from anywhere if the API is publicly available. You will have to store the designated credentials.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
When using API Gateway to proxy AWS services such as S3 works great.
However it would seem that security is an afterthought. The execution role that is used for AWS Service integration seems to leave open the integrated service when using a customer authorizer.
The Custom Authorizer in API Gateway returns a principalId (e.g. a userId) and an IAM policy document. How could one build an IAM policy for the execution role of the service integration which would require for example the userId/principalId to be in the path of an S3 object.
I.e. using a custom authorizer + S3 integration how do you secure object access to only a particular key space where the principalId is part of an object tag or path?
http://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html or http://docs.aws.amazon.com/AmazonCloudWatch/latest/events/policy-keys-cwe.html
I was having the same problem. Here is how I solved it with the path.
Assume user1 need to access their data and their space is
domain/user1/object1
domain/user1/object2
In the custom Authorizer you can return policy that the user can access only domain/user1/*. You can use any pattern you want and organize the storage to whatever namespace you want. If you want to expand namespace for multiple users you can do access to
domain/user1/*
domain/managers/*
And APIGateway will take care of the rest. If the user tries to access anything other than the above URL paths, the user will get 403 forbidden.
Followed the documentation from AWS and works perfectly,
http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
In Addition, if you want authentication I would recommend CloudFront signed URL and Cognito.