
Signing AWS API Gateway Request using Node

I've been searching for ways to restrict access to an API made for using an AWS Lambda function written in JavaScript.

I've found documentation on how to use AWS Signature S4, but I still do not understand it.

According to creating a signature, after applying the pseudocode I should get the signature to be placed on the header.

I've found the following code that addresses this point:

// Example of signature generator
var crypto = require("crypto-js");

// Derives the SigV4 signing key by chaining HMAC-SHA256 over the date,
// region, service name and the literal "aws4_request".
// crypto-js returns a WordArray object here, not a string;
// WordArray.toString() (the default Hex encoder) gives the hex form.
function getSignatureKey(Crypto, key, dateStamp, regionName, serviceName) {
  var kDate = Crypto.HmacSHA256(dateStamp, "AWS4" + key);
  var kRegion = Crypto.HmacSHA256(regionName, kDate);
  var kService = Crypto.HmacSHA256(serviceName, kRegion);
  var kSigning = Crypto.HmacSHA256("aws4_request", kService);
  return kSigning;
}

console.log(getSignatureKey(crypto, 'secretkey', 'date', 'us-east-2', 'iam'));

Here comes my first question: I do not know what the output of getSignatureKey() should be. This is because in the documentation it is a very long string, while the output I got was {words:[x,x,x,x,x,x,x,x],sigBytes: 32}, where the x are random numbers.

Moreover, after getting the signature and filling the header for the request with the "authorization" field and others, how do I filter improper requests? Do I have to create a policy for the AWS API so it only allows signed requests? Here I guess I should follow Signing Requests.

Thanks!

Here is the simple implementation of Signed URLs. The aws-cloudfront-sign package offers a simpler implementation.

var cfsign = require('aws-cloudfront-sign');

var signingParams = {
  keypairId: process.env.PUBLIC_KEY,
  privateKeyString: process.env.PRIVATE_KEY,
  // Optional - this can be used as an alternative to privateKeyString
  privateKeyPath: '/path/to/private/key',
  expireTime: 1426625464599
}

// Generating a signed URL
var signedUrl = cfsign.getSignedUrl(
  'http://example.cloudfront.net/path/to/s3/object', 
  signingParams
);

https://aws.amazon.com/blogs/developer/creating-amazon-cloudfront-signed-urls-in-node-js/

The purpose of a SignedURL is to serve private contents.

More details at:

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

Hope it helps.

The Amazon API uses signatures derived from your Access Keys to control access to Amazon Resources. I think that you are confusing this with controlling access to API Gateway, which is different.

API Gateway supports multiple mechanisms of access control, including metering or tracking API uses by clients using API keys. The standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API set or individual methods. Custom authorizers and Amazon Cognito user pools provide customizable authorization and authentication solutions.

Control Access in API Gateway
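As an added illustration of the IAM option this answer mentions (not part of the answer itself), this is the shape of an identity-based policy that allows a caller to invoke one API Gateway method. With the method's authorization type set to AWS_IAM, API Gateway itself verifies the SigV4 signature and rejects unsigned or badly signed requests with a 403, and the policy, attached to the calling user or role, restricts which methods that signing identity may reach. The region, account id (111122223333), API id (a1b2c3d4e5), stage and resource path are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InvokeOneMethodOnly",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-2:111122223333:a1b2c3d4e5/prod/GET/items"
    }
  ]
}
```

The resource ARN is region:account:api-id/stage/HTTP-verb/resource-path, so scoping it to one verb and path instead of a trailing wildcard keeps a leaked access key from reaching the rest of the API.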

