stackoom
  简体   繁体   中英

How do I sign API requests (AWS SigV4) to Lambda behind Proxy & API Gateway?

 原文  2022-07-22 07:01:22       aws-lambda/ aws-api-gateway/ amazon-cloudfront/ aws-signature/ aws-identitypools

Question

I'm working on a project where we currently use Cognito User pools for auth., but after some research we found that if we want more fine-grained access-control we should use an Identity pool instead.

The theory is simple: first we create an Identity Pool that uses the Cognito user pool as Auth provider. Then in API Gateway we set up our Lambda to use Authorizer: AWS_IAM . To access it, User now has to:

  1. Sign in to User pool, which gives user a JWT Token.
  2. Exchange that JWT Token with the Identity pool for temporary AWS Credentials.
  3. Use those new credentials to sign API request to the protected Lambda.

Steps 1 and 2 work fine, with a test user we manage to get the JWT Token and successfully exchange it for AWS credentials. They look like this (modified for security reasons):

awsAccessKey: ASIAZFDXSW29NWI3QZ01

awsSecretKey: B+DrYdPMFGbDd1VRLSPV387uHT715zs7IsvdNnDk

awsSessionToken: IQoJb3JpZ2luX2VjEA8aCWV1LXdlc3QtMyJHMEUCIQC4kHasZrfnaMezJkcPtDD8YizZlKESas/a5N9juG/wIQIgShWaOIgIc4X9Xrtlc+wiGuSC1AQNncwoac2vFkpJ3gkqxAQIWBAAGgw2NTI5NTE0MDE0MDIiDDuTZ1aGOpVffl3+XCqhBDmjCS3+1vSsMqV1GxZ96WMoIoEC1DMffPrBhc+NnBf94eMOI4g03M5gAm3uKAVCBkKO713TsQMaf4GOqqNemFC8LcJpKNrEQb+c+kJqqf7VWeWxveuGuPdHl1dmD2/lIc8giY0+q4Wgtbgs6i0/gR5HzdPfantrElu+cRNrn/wIq4Akf+aARUm14XsIgq7/1fT9aKSHpTgrnTLHeXLKOyf/lZ947XdH71IHDZXBUdwdPikJP/Rikwill6RRTVw7kGNOoacagCmmK7CD6uh9h0OnoW3Qw5df+zX5Z8U7U55AyQfEyzeB7bW3KH65yJn6sopegxIIFfcG2CLIvtb5cZYImAz/4BdnppYpsrEgLPUTvRAXn6KUa5sXgc5Vd7tJeRo5qpYckrR2qfbebsU+0361BCYK2HxGJqsUyt1GVsEoAosxofpn/61mYJXqfeR0ifCAgL7OMOquvlaUVXhHmnhWnUSIOUQ+XtRc+DxUDjwn5RPD7QTwLHIat7d4BI4gZJPAcMT9gZrBVO/iN88lk5R0M5LBzFwd5jiUW46H/G755I4e5ZHaT1I37TY3tbcObIFGVVNz5iHDpK/NePTJevKTshe8cYxXczOQgos4J/RsNpqouO9qRgT9JDyXjU3Etyxqm9RzbLYgV3fl5WwZl5ofVmrBsy3adq+088qEz5b9cogPgDggA/nQaPv7nAZHT8u0ct/hw230pmXUDGCutjOML2G6ZYGOoUCy+BitAN0SZOYWlbZlYomIGKMNQuXjV4z+S9CEW8VunqW4Rgl7rTba6xbI0DdX9upYEczeln6pTl+2UPEDYf6usayFfMsGDvJXesqC5EOtWco1Z8tem/wDQIH7ZbioQHZ7UJDd5ntUAruFveY7sXmKsQbtah/RB5W5HLYy19hCmyGpYMnVXxR0FcNGImsweNcprtw9MmQqy2SUK9V6Rwn1yIE6svfAT3NVyzp9ILbP/qSQLGHNhm4CNd8+EJZZa9rcmCbQiQ+iBJ8FW+AmRSCC4LiB1dhuH1KsFo88DyNhYdVf3py8XV4CDR7l+UyuZMrIQsERwx9JzwVBjfv9COT948mvyGTY

The issue is the signing. Our Lambda is behind a CloudFront proxy + API Gateway. Requests to eg john.dev.project.io are forwarded to the 'real' API origin at api.dev.project.io .

Using Postman and setting AWS Signature , the request doesn't work and gives following error:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'................................................................................................................................................................................................................................................................'\n\nThe String-to-Sign should have been\n'............................................................................'\n

在此处输入图像描述

在此处输入图像描述

We found however, that by overriding the Host header to the real origin of the API , request now works fine:

在此处输入图像描述

So it seems that since the custom URL we use and the original API URL are different, signatures don't match. The problem is that by default browsers don't allow you to override Host header for security reasons, so our front-end signed requests always fail.

Maybe the proxy is also modifying other headers before forwarding to origin, which would also invalidate the signature from my understanding...

Any help appreciated in solving this issue!

1 answers

solution1
 0  2022-12-01 16:42:42

I was facing a similar issue when trying to make a signed request to an API Gateway endpoint behind an Akamai proxy.

The trick to solve it was indeed to generate a request as if you were sending it directly to the API Gateway URL, sign that request using sigv4 and then send that signed request to the proxy endpoint instead.

I've put together a simple NodeJS code to exemplify how to do this: 

 const AWS = require("aws-sdk"); const { HttpRequest } = require("@aws-sdk/protocol-http"); const { SignatureV4 } = require("@aws-sdk/signature-v4"); const { NodeHttpHandler } = require("@aws-sdk/node-http-handler"); const { Sha256 } = require("@aws-crypto/sha256-browser"); const REGION = "ca-central-1"; const PROXY_DOMAIN = "proxy.domain.com"; const PROXY_PATH = "/proxypath"; const API_GATEWAY_DOMAIN = "API-ID.execute-api.ca-central-1.amazonaws.com"; const API_GATEWAY_PATH = "/apigateway/path"; const IDENTITY_ID = "{{identity-pool-region}}:{{identity-pool-id}}"; const POOL_REGION = "{{identity-pool-region}}"; const REQUEST_BODY = { test: "test" }; const METHOD = "POST"; const udpatedSignedRequestExample = async () => { try { const BODY = JSON.stringify(REQUEST_BODY); const request = new HttpRequest({ body: BODY, headers: { "Content-Type": "application/json", host: API_GATEWAY_DOMAIN, }, hostname: API_GATEWAY_DOMAIN, port: 443, method: METHOD, path: API_GATEWAY_PATH, }); console.log("request", request); const credentials = await getCredentials(); console.log(credentials); const signedRequest = await signRequest(request, credentials); console.log("signedRequest", signedRequest); const updatedSignedRequest = updateRequest(signedRequest); console.log("updatedSignedRequest", updatedSignedRequest); const response = await makeSignedRequest(updatedSignedRequest); console.log(response.statusCode + " " + response.body.statusMessage); } catch (error) { console.log(error); } }; const getCredentials = async () => { var cognitoidentity = new AWS.CognitoIdentity({ region: POOL_REGION }); var params = { IdentityId: IDENTITY_ID, }; const response = await cognitoidentity.getCredentialsForIdentity(params).promise(); return { accessKeyId: response.Credentials.AccessKeyId, secretAccessKey: response.Credentials.SecretKey, sessionToken: response.Credentials.SessionToken, expiration: response.Credentials.Expiration, }; }; const signRequest = async (request, credentials) => { const signer = new SignatureV4({ credentials: credentials, region: REGION, service: "execute-api", sha256: Sha256, }); const signedRequest = await signer.sign(request); return signedRequest; }; const updateRequest = (httpRequest) => { httpRequest.hostname = PROXY_DOMAIN; httpRequest.path = PROXY_PATH; httpRequest.headers.host = PROXY_DOMAIN; return httpRequest; }; const makeSignedRequest = async (httpRequest) => { const client = new NodeHttpHandler(); const { response } = await client.handle(httpRequest); return response; }; udpatedSignedRequestExample();

Hope that helps.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question API Gateway HTTP Proxy integration with aws-sam (NOT Lambda Proxy) Malformed Lambda proxy response with AWS Lambda and API Gateway NodeJs Redirect from a Python AWS Lambda with AWS Gateway API Proxy How do I access a POST parameter in Node js AWS Lambda with API Gateway integration? How to authorize with AWS signature 4 -> API Gateway -> Lambda How do I return errors on an AWS Lambda function written in Node.js through the AWS API Gateway using the Serverless framework? how can I get raw body string in Lambda (API gateway Lambda proxy) AWS API Gateway Lambda Integration (NOT Proxy) - How to Send Custom Headers and Binary Data AWS Api Gateway Lambda proxy integration, how to get source port from client request How to access host in lambda behind both API gateway and cloudfront?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM