Is it at all possible to invoke an AWS service whose endpoint is in a region other than the one hosting my account?
For instance, my account is in us-west-1 and SES has been removed from that region. Can I somehow invoke the SES service from us-west-2? When creating a request to send an email I cannot seem to find a way to set the service endpoint region that does not also set the signing region.
Apparently, yes. The class EndpointConfiguration allows that.
http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/client/builder/AwsClientBuilder.EndpointConfiguration.html
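An added example (not code from the question, the answer or the AWS documentation page linked above) showing how `AwsClientBuilder.EndpointConfiguration` is used with the AWS SDK for Java v1 to point an SES client at the us-west-2 endpoint from an account whose other resources live elsewhere. The helper names `sesEndpointFor` and `sesClientFor` are mine; the endpoint pattern `https://email.<region>.amazonaws.com` is the standard SES regional endpoint. The example assumes credentials are available to the default provider chain.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailService;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailServiceClientBuilder;
import com.amazonaws.services.simpleemail.model.ListIdentitiesResult;

public class SesEndpointExample {

    // Regional SES endpoints follow the pattern https://email.<region>.amazonaws.com
    static String sesEndpointFor(String region) {
        return "https://email." + region + ".amazonaws.com";
    }

    /**
     * Builds an SES client that sends its requests to the endpoint of the given region.
     * The second EndpointConfiguration argument is the SigV4 signing region. It must be
     * the region that owns the endpoint: the signature's credential scope names a region,
     * and the service rejects a request signed for a different one. This is why the
     * endpoint region and the signing region cannot usefully be set independently.
     */
    static AmazonSimpleEmailService sesClientFor(String region) {
        return AmazonSimpleEmailServiceClientBuilder.standard()
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .withEndpointConfiguration(
                        new AwsClientBuilder.EndpointConfiguration(sesEndpointFor(region), region))
                .build();
    }

    public static void main(String[] args) {
        // IAM credentials are account-wide, not regional, so a client built for
        // us-west-2 works from an account that otherwise uses us-west-1.
        AmazonSimpleEmailService ses = sesClientFor("us-west-2");
        ListIdentitiesResult identities = ses.listIdentities();
        identities.getIdentities().forEach(System.out::println);
    }
}
```

Note that a v1 client builder accepts either `withRegion(...)` or `withEndpointConfiguration(...)`, not both; `withRegion(Regions.US_WEST_2)` would produce the same standard endpoint, and `EndpointConfiguration` is the option to reach for when the endpoint URL has to be stated explicitly.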
I'm using spring-cloud-aws-messaging to be able to easily confirm SNS topic subscription and receive notification through an HTTPS endpoint in my service.
@NotificationSubscriptionMapping
public void confirmSubscription(final NotificationStatus status) {
    // Completes the SNS subscription handshake for the incoming confirmation request
    status.confirmSubscription();
}
For that specific process, AWS credentials shouldn't be necessary: the flow is validated through certificate validation between the SNS request to my service and a call to the provided URL matching the certificate's signature. But still, when SNS tries to confirm the subscription I get:
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
Is there a way to go around it?
Here we can find an example of someone who could do it using the .NET aws-sdk directly:
Use AWS SDK without credentials to confirm a SNS subscription --> No RegionEndpoint or ServiceURL configured
So it's probably possible to do it in Java with the SDK directly, but I still wonder if it's possible with spring-cloud-aws.
I appreciate a lot any help,
Cheers!
I know close to nothing about AWS, but I want to use the AWS SDK in my Spring Boot project to send email via SES. I am to send the emails as a delegate user, and all I have is the identity user's ARN. I tried the code available on the AWS website and set the X-SES-SOURCE-ARN header to the identity user's ARN, and I am getting an "Unable to load AWS credentials from any provider in the chain" error. Do I need to add any sort of ACCESS-KEY-ID and SECRET-KEY?
You might be confusing IAM identity with email/domain identities.
IAM handles authorization for the API call (AWS sigv4).
SES identities are internal to the service and just represent an authorized sending email address or domain (one that has performed verification steps).
To make a successful call you need to have both of those:
An IAM principal with authorization for ses:SendEmail in the account.
A verified email or domain identity in the account that is passed as the source ARN in your API call.
If you are using sending authorization policies then things require a little more setup, but it is essentially the same.
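An added example (not the answerer's code, and not the AWS sample the question refers to) that puts the two requirements above side by side with the AWS SDK for Java v1: the IAM principal comes from the default credential provider chain, and the verified identity is passed as `SourceArn` on the `SendEmailRequest`, which is the API-call equivalent of the `X-SES-SOURCE-ARN` header used by the SMTP interface. The identity ARN, addresses and the class/method names are placeholders I constructed; the request must still be allowed by the identity's sending authorization policy in the delegating account.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailService;
import com.amazonaws.services.simpleemail.AmazonSimpleEmailServiceClientBuilder;
import com.amazonaws.services.simpleemail.model.Body;
import com.amazonaws.services.simpleemail.model.Content;
import com.amazonaws.services.simpleemail.model.Destination;
import com.amazonaws.services.simpleemail.model.Message;
import com.amazonaws.services.simpleemail.model.SendEmailRequest;
import com.amazonaws.services.simpleemail.model.SendEmailResult;

public class SesDelegatedSend {

    // Constructed placeholder: ARN of the verified identity owned by the delegating account
    static final String IDENTITY_ARN =
            "arn:aws:ses:us-west-2:111122223333:identity/sender.example.com";

    /** Sends one message on behalf of the identity named by IDENTITY_ARN and returns the SES message id. */
    static String sendAsDelegate(AmazonSimpleEmailService ses, String to, String subject, String text) {
        SendEmailRequest request = new SendEmailRequest()
                // Requirement 2: a verified identity, passed as SourceArn (sending authorization)
                .withSource("no-reply@sender.example.com")
                .withSourceArn(IDENTITY_ARN)
                .withDestination(new Destination().withToAddresses(to))
                .withMessage(new Message()
                        .withSubject(new Content(subject))
                        .withBody(new Body().withText(new Content(text))));
        SendEmailResult result = ses.sendEmail(request);
        return result.getMessageId();
    }

    public static void main(String[] args) {
        // Requirement 1: an IAM principal allowed to call ses:SendEmail. The default chain
        // looks in environment variables, ~/.aws/credentials and instance/container roles;
        // the SDK signs every request with whatever it finds (SigV4). Nothing found is
        // exactly the "Unable to load AWS credentials" error from the question.
        AmazonSimpleEmailService ses = AmazonSimpleEmailServiceClientBuilder.standard()
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .withRegion(Regions.US_WEST_2)
                .build();
        String id = sendAsDelegate(ses, "recipient@example.com", "Hello",
                "Sent through a delegated SES identity");
        System.out.println("Sent message id: " + id);
    }
}
```

Keeping the IAM credentials out of source and letting the chain pick up a role (instance profile, ECS task role, or the environment in CI) is the least-privilege shape: the delegate's policy only needs `ses:SendEmail`, and the delegating account's identity policy decides which principal may use that identity.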
You can add the accessKey and secretKey in a file named AwsCredentials.properties. Next, when you configure the AWS SES client, you load that file, as in the following example with Cognito.
public AWSCognitoIdentityProvider getAmazonCognitoIdentityClient() {
    // Reads accessKey/secretKey from AwsCredentials.properties on the classpath
    ClasspathPropertiesFileCredentialsProvider propertiesFileCredentialsProvider =
            new ClasspathPropertiesFileCredentialsProvider();
    return AWSCognitoIdentityProviderClientBuilder.standard()
            .withCredentials(propertiesFileCredentialsProvider)
            .withRegion(props.getRegion())
            .build();
}
Using this code snippet, I can get a region list in my AWS account, but why do I have to enter a region name to get the region list (in this case "us-east-1")?
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.ec2.AmazonEC2;
import com.amazonaws.services.ec2.AmazonEC2ClientBuilder;
import com.amazonaws.services.ec2.model.DescribeRegionsResult;
import com.amazonaws.services.ec2.model.Region;

AWSCredentials credentials = new BasicAWSCredentials("accessKey", "secretKey");
AWSCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(credentials);
AmazonEC2 ec2 = AmazonEC2ClientBuilder.standard()
        .withCredentials(credentialsProvider)
        .withRegion("us-east-1")   // region whose EC2 endpoint receives the request
        .build();
DescribeRegionsResult regions_response = ec2.describeRegions();
for (Region region : regions_response.getRegions()) {
    System.out.println(region.getRegionName());
}
From AWS service endpoints - AWS General Reference:
Most Amazon Web Services offer a Regional endpoint that you can use to make your requests. The general syntax of a Regional endpoint is as follows.
protocol://service-code.region-code.amazonaws.com
For example, https://dynamodb.us-west-2.amazonaws.com is the endpoint for the Amazon DynamoDB service in the US West (Oregon) Region.
Your code is calling the Amazon EC2 service. To do so, the API call must be sent to an EC2 endpoint in a Region. The EC2 service will respond to requests made to that endpoint.
The fact that your particular API call is asking for a list of Regions does not make it any different from other API calls, such as requests to Stop or Start instances. The request must still be sent to an API endpoint. All regions will respond with the same list of regions.
So, the simple answer is: The Region identifier helps determine where to send the request.
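An added example (mine, not the answerer's) that makes the point above visible with the AWS SDK for Java v1: the region identifier is resolved through `RegionUtils` into the concrete EC2 endpoint host, and `DescribeRegions` is then issued against two different regional endpoints to show that each returns the same list. The helper names `ec2EndpointFor` and `regionNamesVia` are mine; the calls require credentials in the default provider chain.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.RegionUtils;
import com.amazonaws.services.ec2.AmazonEC2;
import com.amazonaws.services.ec2.AmazonEC2ClientBuilder;

import java.util.List;
import java.util.stream.Collectors;

public class RegionEndpoints {

    // Resolves a region identifier to the host the SDK will send EC2 requests to,
    // i.e. service-code.region-code.amazonaws.com from the General Reference quoted above.
    static String ec2EndpointFor(String regionName) {
        Region region = RegionUtils.getRegion(regionName);
        if (region == null) {
            throw new IllegalArgumentException("Unknown region: " + regionName);
        }
        return region.getServiceEndpoint("ec2");   // e.g. ec2.us-east-1.amazonaws.com
    }

    // Calls DescribeRegions against the endpoint of the given region and returns a sorted list
    static List<String> regionNamesVia(String regionName) {
        AmazonEC2 ec2 = AmazonEC2ClientBuilder.standard()
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .withRegion(regionName)
                .build();
        return ec2.describeRegions().getRegions().stream()
                .map(com.amazonaws.services.ec2.model.Region::getRegionName)
                .sorted()
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        System.out.println("us-east-1 -> " + ec2EndpointFor("us-east-1"));
        System.out.println("eu-west-1 -> " + ec2EndpointFor("eu-west-1"));

        // The same question asked at two different endpoints; the answers should match.
        List<String> fromVirginia = regionNamesVia("us-east-1");
        List<String> fromIreland = regionNamesVia("eu-west-1");
        System.out.println("Same list from both endpoints: " + fromVirginia.equals(fromIreland));
    }
}
```

The region also feeds the SigV4 credential scope, so a request signed for us-east-1 is only valid at the us-east-1 endpoint; that is the second reason the SDK insists on knowing it before a single call is made.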
On my current project we configured forwarding of CloudWatch alarms to a Slack channel. For that we use an AWS SNS topic plus an API Gateway which is subscribed to that topic and forwards alarms to the Slack webhook.
The issue I'm trying to solve: currently the REST resource of the mentioned API Gateway is public (it doesn't require any auth and is available from the Internet). How can I configure the API Gateway so that it is available only as an SNS subscription endpoint?
You need to create the API Gateway with the Endpoint type: Private.
And you need to create a VPC endpoint for SNS to access the endpoint internally.
More Info: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.html
We are working on SNS to HTTPS API integration between 2 teams. So, another team has SNS topic configured in us-east-1 region and our HTTPS API is running in us-west-2 region.
Just wanted to check if we can process SNS messages generated from us-east-1 and a different AWS account in us-west-2 region.
I read somewhere (can't remember the blog post link now) that if SNS messages are generated in us-east-1, they have to be processed in us-east-1 only. If we try to process them in us-east-2, message signature verification will fail and throw an invalid TopicArn exception.
Please guide if this is correct.
So, another team has SNS topic configured in us-east-1 region and our HTTPS API is running in us-west-2 region.
When SNS is publishing to an HTTPS endpoint, the endpoint can be anywhere on the Internet. It doesn't even need to be in AWS at all. As long as your HTTPS endpoint is accessible from the Internet and has a valid SSL certificate (matches the hostname, not expired, signed by an accredited certificate authority, not self-signed), that is all SNS will require.
The destination region and destination AWS account lose all meaningfulness in such a setup. There is no constraint, here.
If the topic is in us-east-1 then all requests sent to SNS must be sent to the us-east-1 endpoint (e.g. Subscribe or Publish) but even then, they can be sent from anywhere on the Internet.
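An added example (not from either answer, and not the spring-cloud-aws code from the earlier question on this page) of what the receiving side of such a cross-region, cross-account HTTPS subscription should do before trusting anything it receives. It uses `SnsMessageManager` from the AWS SDK for Java v1 `aws-java-sdk-sns` module, which is assumed to be on the classpath; its constructor takes the region of the *topic*, not of the receiving service, which is the kernel of truth behind the "us-east-1 only" claim in the question: the signing certificate is checked against the SNS endpoint of the topic's region, while the endpoint itself can run anywhere. The class and method names are mine; `onRequest` would be wired to whatever HTTPS handler the service exposes.

```java
import com.amazonaws.services.sns.message.DefaultSnsMessageHandler;
import com.amazonaws.services.sns.message.SnsMessageManager;
import com.amazonaws.services.sns.message.SnsNotification;
import com.amazonaws.services.sns.message.SnsSubscriptionConfirmation;

import java.io.InputStream;

public class SnsHttpsReceiver {

    // The other team's topic is in us-east-1, so signing certificates must come from the
    // us-east-1 SNS endpoint. Our service can run in us-west-2 or entirely outside AWS.
    private final SnsMessageManager manager = new SnsMessageManager("us-east-1");

    /**
     * Handles one HTTPS POST body delivered by SNS. parseMessage() fetches the certificate
     * named by SigningCertURL (after checking it points at an SNS host for the configured
     * region) and verifies the message signature; on failure it throws, so a forged or
     * replayed body from the open Internet never reaches the handlers below.
     */
    public void onRequest(InputStream body) {
        manager.parseMessage(body).handle(new DefaultSnsMessageHandler() {
            @Override
            public void handle(SnsSubscriptionConfirmation confirmation) {
                // Completes the handshake by calling SubscribeURL with the token SNS sent;
                // no IAM credentials of our own are involved in this step.
                confirmation.confirmSubscription();
            }

            @Override
            public void handle(SnsNotification notification) {
                // Only messages that passed signature verification arrive here.
                System.out.println("Notification from " + notification.getTopicArn()
                        + ": " + notification.getMessage());
            }
        });
    }
}
```

Because the endpoint is reachable from anywhere, signature verification is the control that ties an inbound request to the topic, so it belongs in front of any forwarding logic (to Slack, to a queue, or elsewhere); checking the `TopicArn` inside the verified message against the one you expect to be subscribed to narrows it further to that specific topic and account.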
SNS can be configured across regions via the HTTPS endpoint of a Lambda function, by attaching an API Gateway to that Lambda and copying its HTTPS URL.
After getting the HTTPS URL of the Lambda, in whichever region, just add it as a subscription in the SNS service by creating the subscription there.
After that, just publish a message. You will see entries in your CloudWatch logs if you print the event in the Lambda; you will see something like "Subscribe URL". Copy that URL and paste it in the SNS service, where you will be able to see "Pending on Subscription". This works with the latest Amazon SNS service.
I tried and tested it to verify that this works.