API gateway how to pass AWS IAM authorization from rest client

I am trying to test an authenticated API Gateway endpoint from a REST client. How do I generate/set the "AWS_IAM" authorization headers when making the request?

premprakash asked Sep 28 '15 23:09


2 Answers

You can use Cognito with a "public" pool id, then attach a role to the Cognito pool id, the role being the one that grants access to your API Gateway.

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'REGION:YOUR_POOL_ID',
});

Use AWS STS to get temporary credentials with limited privileges. After that you can use API Gateway with AWS_IAM authentication.

The generated SDK accepts IAM credentials; you have to initiate the client with the ones you got from STS:

var apigClient = apigClientFactory.newClient({
    accessKey: 'ACCESS_KEY',
    secretKey: 'SECRET_KEY',
    sessionToken: 'SESSION_TOKEN', //OPTIONAL: If you are using temporary credentials you must include the session token
    region: 'eu-west-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});

NB: Put strictly minimum roles on your pool; that is a publicly available id, and everybody can use it to get a temporary or a fixed (to track users across devices) user_/app_ id.

Update April 2016: For Christine's comment: documentation on how to use STS.

TL;DR: Basically, after your identity provider calls you back (Google, in my case), you will have a token (OpenID, in my case); just feed it to STS:

AWS.config.credentials = new AWS.WebIdentityCredentials({
  RoleArn: 'arn:aws:iam::<AWS_ACCOUNT_ID>:role/<WEB_IDENTITY_ROLE_NAME>',
  ProviderId: 'graph.facebook.com|www.amazon.com', // Omit this for Google
  WebIdentityToken: ACCESS_TOKEN
});
e-nouri answered Oct 21 '22 06:10


You'd have to replicate API Gateway's AWS v4 request signature logic to be able to do that. Ideally you should look at the generated JavaScript/Java SDK for your API to get an idea of how these request signatures get calculated. I suggest you turn the authentication off for your testing requests.

adamkonrad answered Oct 21 '22 07:10