Sign API Gateway Request With AWS SDK - amazon-web-services

When you download an auto-generated API client for Java or JavaScript they reference base helper components. Is a version of these available for Xamarin, or is there any way to make or sign requests to the API Gateway using the Xamarin AWS SDK? The only thing I see is the 'test' method in the AWSSDK.APIGateway client, which seems intended for management operations.
My API requires authentication, I'm using Cognito to authenticate users.
UPDATE:
So I didn't realize at first that it was possible to call my Lambda functions directly using the AWS SDK and I don't need to use the API Gateway at all.

the auto-generated API clients are only available for iOS, Android, and JavaScript at this time. We have received requests for multiple other languages, which are on our backlog.
The API Gateway client in all of the traditional AWS SDKs is only built for the API Gateway control APIs, which are used to configure and deploy your RestApis.
You'll have to write/extend your own signer. This may be helpful: https://github.com/awslabs/aws-sdk-xamarin/blob/master/AWS.XamarinSDK/AWSSDK_Core/Amazon.Runtime/Pipeline/Handlers/Signer.cs
or the public signature docs: http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

Related

How to give access to API behing AWS Api Gateway from our SDK

we use Aws Api Gateway to protect our apis.
We want to create an sdk for developers. The idea is to have In app purchase in their apps and call our apis in order to start payment.
We are trying to have a way to connect machine from machine. The first machine will be an sdk integrated in Android games and the second will be our back end protected by the api gateway.
The sdk should have a the authorization to consume the api.
Today we don't know how to do it, even after discussing with many architects.
The sdk is not going to have user and password, because it is not a user, so no way to generate the classic access token.
How could we achieve this use case ?
Thanks
The sdk should have a the authorization to consume the api. Today we don't know how to do it, even after discussing with many architects.
There are three possible ways to have a protected API Gateway. AWS Cognito and AWS Lambda. The third option, API Keys, is a little bit different than the previous two.
With Cognito, you create user pools and API Gateway automatically handles authorization when a request is received.
With Lambda, you create your own custom authorization logic.
I generally prefer the Lambda approach due to the ease of use but it depends on the use-case.
With the API Key option, you create API Keys for specific routes and API Gateway checks them through the request headers. I think any use-case that requires this can be handled with the Lambda option as well.
What you are describing doesn't sound difficult to achieve.
You will generate an API key and you will give them to the developers that will use your API.
In your SDK, you can accept the API key as an initialization parameter and provide it in the requests to API Gateway.

Implementing a backend-less auth mechansim

I would like to implement an SPA which bounces the user to a login page, if not already logged in. It would then able to make a call to an API (not necessarily an API Gateway) hosted within an AWS VPC.
As I currently understand it, this would involve a front-end framework library authenticating the user via OAuth 2.0. It would then need to retrieve a token (allowed because of the auth validation) to call an API Gateway which provides access to the API hosted within the VPC.
Given this concept, is this architecture possible without the use of a Lambda?
If you are willing to use API Gateway in front of your API:
Yes, this architecture is possible without using a Lambda. API Gateway has integration with AWS Cognito User Pools for authorizing requests. You can find the AWS docs on how to set this up.
If you don't have an AWS API gateway in front of your API:
In this case you will have to implement one of the authentication and authorization flows provided by OAuth 2.0 standard. In this case, whether you would want to use a Lambda or not, is up to you and your back-end architecture.

AWS ApiGatewayV2 HTTP API with custom authorization lambda

Is it possible to use a custom authorization lambda with ApiGatewayV2 for a HTTP API?
I know it's supported for a WebSocket API but there seems to only be support for AWS' own JWT authorizer for HTTP APIs. Does anyone know of a smart way to solve this?
The reason I'm asking is I need to validate third party tokens that do not fully follow OAuth2 standards (and therefore cannot use the out of the box JWT authorizer).
It is possible to have a custom authorizer lambda with an AWS ApiGatewayV2 HTTP API.
For me at the moment (still early in my development) I actually have both a V2 WEBSOCKET and a V2 HTTP API using the same lambda for authentication, and both APIs using another lambda for the route handling -- yes, only 2 lambdas handling both APIs.
It is a bit of a mess because each API type has different event formats.
I created the WEBSOCKET API first and got the authorization lambda for it working first using OAUTH "client_credentials" and JWTs.
Then I added the HTTP API -- but it did require specifically declaring (I use terraform) the $default stage, a deployment, an integration, and a route with a $default route_key. The route is where the "CUSTOM" authorizer gets tied in. The point here is that using the so-called "quick create" V2 HTTP api does not appear to allow a custom authorizer.
Edit
This is now a feature added to HTTP API Gateways, more can be found in the Introducing IAM and Lambda authorizers for Amazon API Gateway HTTP APIs announcement.
Original
Unfortunately Lambda custom authorizers have not been migrated to be supported by HTTP API Gateways yet.
To build RESTful APIs, you can use either HTTP APIs or REST APIs from API Gateway. REST APIs offer a wide variety of features for building and managing RESTful APIs. HTTP APIs are up to 71% cheaper compared to REST APIs, but offer only API proxy functionality. HTTP APIs are optimized for performance—they offer the core functionality of API Gateway at a lower price.
The above quote from the announcement indicates that this is a light weight version of API Gateway at the moment.

Is AWS Amplify the only way to make SDK calls to Cognito?

I'm trying to integrate Cognito Authorizers into an existing application that is using API Gateway to authorize requests.
The documentation insists on using AWS Amplify to make these calls, but I'm not sure that this fits in well with the existing architecture since Amplify seems to have its own way of making API requests, and I'm worried that it would mandate having to change all of the existing API requests...
So my question is if there are more readily integratable solutions to this problem, or if my concerns are unfounded.
There are several SDK's that can be used with Cognito.
You can use the AWS js SDK to make low level API calls but you will lose the benefits that the Cognito Client Side SDKS provide like session management, caching of tokens and SRP calculations.
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html
You can also use the Cognito Identity SDK which Amplify uses under the hood:
https://www.npmjs.com/package/amazon-cognito-identity-js
The Auth SDK if you are going to be integrating with the OAuth endpoints, which is now deprecated but can still be used or referenced, Amplify also uses or has similar functionality.
https://github.com/amazon-archives/amazon-cognito-auth-js
And then finally Amplify which is the go to, feature rich client side SDK which for the majority of usecases should be the SDK of choice in my opinion.

How to publish Amazon Lex Chatbot as webservice

I am able to create Amazon lex chat bot. I am also able to publish the same in Facebook messenger. Also I found sdk's for iOS and Android.
What I want is to publish lex bot as a webservice which can be called from any rest client, so that it can be integrated to any user interface with rest calls.
I heard of Javascript sdk's for publishing lex bots as service, but I am not able to find any proper documentation on this.
The lex-runtime is accessible from the Javascript SDKs. AWS documentation is here: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/LexRuntime.html
The trickiest part is authentication. The recommendation from Amazon is usually to route your Lex requests through a Lambda function in front of an API gateway. An alternative is to have a Cognito unauthenticated role that has permissions to call Lex and then have the clients call it directly.
The getting started guide may be of use if you are unfamiliar with calling AWS from the browser: http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/getting-started-browser.html
You can use AWS API Gateway which will get the requests from your Rest Client and forward it to Lex.
Your architecture will be like:
Chat client <==> AWS API Gateway <==> AWS Lex
Check this link for details.