I have an API Gateway that has two endpoints:

1. Authorization: NONE. Delegates to a lambda named fooLambda.
2. Authorization: AWS_IAM.

The client is supposed to call endpoint 1 to obtain credentials from the fooLambda so that they can successfully call endpoint 2.
I am using the AWS Node.js SDK and the aws4 npm module for signing AWS requests. Here is some pseudocode for my fooLambda:
const AWS = require('aws-sdk');
const aws4 = require('aws4');
const STS = new AWS.STS();

exports.handler = async () => {
  // get the role using this...
  const assumeRoleResponse = await STS.assumeRole({
    RoleArn: 'arn of my role that can call endpoint 2',
    RoleSessionName: 'foobar',
  }).promise();
  // parse the sts creds like this....
  const stsCredentials = STS.credentialsFrom(assumeRoleResponse);
  // get a collection of signed headers like so
  const signedHeaders = aws4.sign({
    service: 'execute-api',
    region: process.env.REGION,
  }, {
    secretAccessKey: stsCredentials.secretAccessKey,
    accessKeyId: stsCredentials.accessKeyId,
    sessionToken: stsCredentials.sessionToken,
  }).headers;
  // return the following headers to the client
  return {
    authorizationHeader: signedHeaders['Authorization'],
    stsSecurityToken: signedHeaders['X-Amz-Security-Token'],
  };
};
Now my intent is that the client can attach these two headers to their requests so that they can successfully call endpoint 2, but I get an error saying that the security token is invalid, and I'm not sure why.

UPDATE: When I use Postman's AWS Signature Authorization type and supply my accessKey, secretKey, AWS region, service name, and session token parameters, it creates the authorization headers and the request to endpoint 2 is successful!

After inspecting the Postman-generated authorization headers, it seems that the Authorization header has a different signature. So now the problem is: "How is Postman generating a correct authorization header but aws4 isn't?"
When using the aws4.sign function, you have to provide the path that the request will have. Otherwise there is a mismatch between the signed request and the actual request that is made and AWS will barf.