Is there any AWS ElasticSearch Client SDK for Java, which signs the requests with AWS credentials? I saw this, but I guess its for managing AWS Elasticsearch Service.
You can create AWS client for Elasticsearch in the following way:
AwsClientBuilder.withCredentials(AWSCredentialsProvider) for example: AWSElasticsearchClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(awsCredentials)).build();
How I do this is by first creating AWSBasicSessionCredential instance by providing awsAccessKey, awsSecretKey, and sessionToken information and then passing this instance in the above code to build the client instance. However, I do this for test programming the clients. Its not advised to create a client this way though. For example, one secure way would be using federated identification to generate a temporary security token and then use that to assume a role through AWS' AssumeRoleRequest, receive its response in the form of AssumeRoleResult and then retrieve credential information from the assumeRoleResult response received above. Use this credential information in generating AWSCredential.
Source of generating AWS Elasticsearch client.
Related
I know close to nothing about AWS. But I want to use AWS SDK in my Springboot project to send email via SES. I am to send the emails as a delegate user, and all I have is the Identity user's ARN. I tried the code available on the AWS website and set X-SES-SOURCE-ARN header as the identity user's ARN, and I am getting Unable to load AWS credentials from any provider in the chain error. Do I need to add any sort of ACCESS-KEY-ID and SECRET-KEY?
You might be confusing IAM identity with email/domain identities.
IAM handles authorization for the API call (AWS sigv4).
SES identities are internal to the service and just represent an authorized sending email address or domain (one that has performed verification steps).
To make a successful call you need to have both of those:
An IAM principal with authorization for ses:SendEmail in the account.
A verified email or domain identity in the account that is passed as the source ARN in your API call.
If you are using sending authorization policies then things require a little more setup but is essentially the same.
You can add the accessKey and secretKey on a file named AwsCredentials.properties. Next, when you configure the AWS SES Client, you load that file, as in the following example with Cognito.
public AWSCognitoIdentityProvider getAmazonCognitoIdentityClient() {
ClasspathPropertiesFileCredentialsProvider propertiesFileCredentialsProvider = new ClasspathPropertiesFileCredentialsProvider();
return AWSCognitoIdentityProviderClientBuilder.standard().withCredentials(propertiesFileCredentialsProvider)
.withRegion(props.getRegion()).build();
}
Im very new to utilizing certs for authenticating API calls and was looking for a means of replicating the behavior of keytool on my local machine for sending a post request to a web API, I have been provided a .pem x509 cert and a .key private key
Ive looked into aws cert manager but im not so sure if it would be able to provide the cert for a lambda job run
What tools would be appropriate for me to handle providing the cert to a lambda job in the aws ecosystem for authenticating a POST rest API call?
In general words, you describe configuration values, one critically kept secret, which the lambda requires. Put the configuration values into AWS Secrets Manager. Use the [https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html]
(GetSecretValue) SecretsManager API call to pull the secret from within your lambda. If your lambda runs frequently, cache the API key and secret in memory for later runs to cut down on API calls and runtime.
I need to get elements from AWS dynamoDB and thrid party https service and merge those results in AWS appSyn and send back the result as graphQL response
Third party service which I am using, expects client side certificate. I am not finding proper AWS documents on how to pass agent using AWS appSync resolver.
I am also not finding documents to store certificate as secret in AWS secret manager.
Is there anyone faced similar problem? Or do you guys have any solution to it?
It depends on the size of your certificate - Secrets for AWS Secrets Manager have various limits such as length in bytes (7168 bytes) or characters (4096) see more here:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
But otherwise you should be able to store your certificate using AWS Secrets Manager.
See number item 3 in the following link: https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
Using HTTP Resolvers (or even Lambda Resolvers) you will be able to make http calls to AWS Secrets Manager to obtain the secret.
See links:
https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html
https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-http-resolvers.html
Adding to Ashwin's answer, According to documentation, HTTP resolver supports only public endpoint at this point and does not seem to have ability to pass a certificate for app to app call
I am developing a react native mobile app and using server side API for managing user related data (backend). Currently I am using AWS cognito for supporting user signup/signin and all the user details are seems to be saved in AWS user pool.
I want to store auth token and user details on my server side, so that I can use this details to fetch user related data. So, I want the following approach to implement
Request:
Mobile App UI -> Server API (backend) -> AWS cognito
Response:
AWS cognito -> Server API (backend) -> Mobile App UI
Is this possible? If not what would be the best approach.
Quick Response
If you are running Springboot in an EC2 instance you can asign a role to that EC2 instance with enought permissions and get data directly from your server app as an Administrator, i mean, using the SDK you can call AWS API requests just with that role, so you can retrieve the user data for all your users.
Other options
I think AWs has some services that make it easy to have this approach.
You can use Amazon Cognito Identity Provider to get credentials for an user and directly in the app you can call for example dynamoDB queries (etc) or you can do AWS API Gateway requests that are executed if the requests have valid credentials, this way you can call Lambdas and make some proccesing. If you need more details you should send more info to know the target of your app and make a better recommendation. Regards,
I am creating a backend service which will be getting requests from an Android application regarding creating of some service requests. These service requests will contain details about the the service items and also some images related to the request. We want to use S3 for storing the images directly from the android application and getting the key of the image saved through an API call on the backend service.
The problem with this approach is the authorization of the mobile application to access the shared bucket.
If we save the access key of the shared bucket in the application, this code can be decompiled and the secret will be compromised.
Another option is to create an API on the backend service which will give back the authorization key to the mobile application before it needs to put the image to S3. In this way we can also rotate the secrets periodically.
Which of these approach is better in terms of security? Is there any other approach which I am missing? It sounds like a standard access practice of using S3 for saving files, so there must be something for this particular scenario.
You don't need to invent an API to do this - AWS provides its STS service for just this use case.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
To request temporary security credentials, you can use the AWS STS API actions.
To call the APIs, you can use one of the AWS SDKs, which are available
for a variety of programming languages and environments, including
Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of
tasks such as cryptographically signing your requests, retrying
requests if necessary, and handling error responses. You can also use
the AWS STS Query API, which is described in the AWS Security Token
Service API Reference. Finally, two command line tools support the AWS
STS commands: the AWS Command Line Interface, and the AWS Tools for
Windows PowerShell.
The AWS STS API actions return temporary security credentials that
consist of an access key and a session token. The access key consists
of an access key ID and a secret key. Users (or an application that
the user runs) can use these credentials to access your resources.
When the credentials are created, they are associated with an IAM
access control policy that limits what the user can do when using the
credentials. For more information, see Using Temporary Security
Credentials to Request Access to AWS Resources.