
How do I call an AWS_IAM authorized API Gateway endpoint from AWS Lambda whose execution role has permission to do so?

I want to call an AWS API Gateway endpoint which has Authorization set to AWS_IAM from an executing AWS Lambda whose execution role has permission to execute that API Gateway.

Is there any way for me to sign the HTTPS request to API Gateway using the current execution role of my Lambda?

Edit:

Looking at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html, I may be able to call AssumeRole using the SDK to assume the role which has permissions to execute API Gateway, and then extract the secret key which can be used to sign the requests.

CamHart asked Dec 20 '16 21:12



1 Answer

As @Abhigna Nagaraja pointed out, you can retrieve the credentials for lambda's execution with the environment variables.

If you are using Python, you can use the aws_requests_auth library to sign the request. You can also check the documentation for a complete example on how to sign the request.

Here's a snippet on how to sign a request from a lambda:

import json
import requests
import os
from aws_requests_auth.aws_auth import AWSRequestsAuth


def lambda_handler(event, context):
    api_id = 'XXXXXXXXX'  # Replace with your API Gateway Id
    api_url = 'https://{}.execute-api.eu-west-1.amazonaws.com/dev/hello'.format(api_id)

    aws_access_key_id = os.environ['AWS_ACCESS_KEY_ID']
    aws_secret_access_key = os.environ['AWS_SECRET_ACCESS_KEY']
    aws_session_token = os.environ['AWS_SESSION_TOKEN']

    auth = AWSRequestsAuth(aws_access_key=aws_access_key_id,
                           aws_secret_access_key=aws_secret_access_key,
                           aws_token=aws_session_token,
                           aws_host='{}.execute-api.eu-west-1.amazonaws.com'.format(api_id),
                           aws_region='eu-west-1',
                           aws_service='execute-api')

    response = requests.get(api_url, auth=auth)
    return {
        'statusCode': response.status_code,
        'body': json.dumps(response.json())
    }

Hope it helps.

Antoine Delia answered Sep 29 '22 07:09