Add Lambda Authorizer Output to the Input of other Lambda - python

Background
I currently have an authorizer that takes a JWT token and decodes it and checks if valid or not to build a policy document, then that is used to grant or deny access to API endpoints.
Currently, the endpoints are using query strings as parameters to grab data.
Problem
I need to make it so that the values for the user and email etc are the ones that come from the decoded JWT Token. How do I pass the decoded values to the input of the other lambda functions?
I am open to suggestions, or links, or at least a point in the right direction.

Per the documentation, you need to include those in the context section of the authorizer response. Then you will need to map the context values in your API Gateway mapping template.
If you are using Lambda Proxy Integration then the context returned from the Authorizer function will be in the event.requestContext.authorizer. That does not appear to be documented anywhere, but I always recommend printing the entire event object to your logs when you first start working on a Lambda function so you can see exactly what is being passed into it.
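The flow described in the answer above, as an added example that is not code from the original post: the authorizer returns the decoded claims in `context`, and a proxy-integration function reads them from `event["requestContext"]["authorizer"]` instead of the query string. The function names, the `user`/`email` claim names, the ARN and the sample event are constructed for illustration, and the claims are assumed to come from a token that has already been verified.

```python
def build_authorizer_response(principal_id, effect, method_arn, claims):
    """Authorizer output: the IAM policy plus a flat context map."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
        # Context values must be strings, numbers or booleans; lists and
        # nested objects are dropped here rather than forwarded.
        "context": {k: v for k, v in claims.items()
                    if isinstance(v, (str, int, float, bool))},
    }


def downstream_handler(event, context=None):
    """Proxy-integration Lambda: identity comes from the authorizer only."""
    auth = event["requestContext"]["authorizer"]
    # user/email in queryStringParameters are caller-controlled and ignored.
    return {"user": auth["user"], "email": auth["email"]}


# Constructed sample data (claims are assumed to be already verified).
CLAIMS = {"user": "alice", "email": "alice@example.com", "roles": ["admin"]}
ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items"
AUTH_RESPONSE = build_authorizer_response("alice", "Allow", ARN, CLAIMS)

# Constructed proxy event: API Gateway copies the context map into
# requestContext.authorizer before invoking the downstream function.
EVENT = {
    "queryStringParameters": {"user": "mallory", "email": "m@example.com"},
    "requestContext": {"authorizer": dict(AUTH_RESPONSE["context"])},
}

if __name__ == "__main__":
    print(downstream_handler(EVENT))
```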

Related

Validating api using serverless framework

I am using Serverless framework. The method I am using is "GET" but documentation/blogs have examples related to "POST" method. Basically I have cards in my website and each card has id associated with it, so when user clicks on particular card, that id is sent to backend, we fetch data related to that id from database and return it to UI. We can see data related to that card on UI. How can I implement request validation for it? (Do not want to write validation inside lambda function.)
Typically request validation is only really useful for POST requests that send a body formatted in some way such as JSON. A GET request typically just passes an id within the URL. The path property as a part of the serverless.yml configuration would validate the path and id value on its own with no additional work necessary as there is no body to validate. An example of a configuration I mean:
functions:
  params:
    handler: handler.params
    events:
      - httpApi:
          method: GET
          path: /get/for/any/{param}
In this case, if there is any path other than "/get/for/any/" with a value of some type to match {param} at the end as well it will not trigger the Lambda so it is fully validated already

How to pass and read authorization bearer-token using python lambda function through api gateway?

I have a python lambda function that I want to decode and read the payload of a jwt.
I created a get method and passing the authorization bearer-token to the endpoint.
How can I pass and read the jwt using lambda function through api gateway?
You can utilise the mapping template of method integration section. The mapping template utilises velocity template for creating the event. You can capture the headers and send them in the event.
Refer https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html
After invocation of lambda function, the JWT token can be captured in the event and you can retrieve the payload.

How to access the raw query string (or full URL) in a Chalice (AWS Lambda/API Gateway) app?

I'm using Chalice to build a fairly straightforward API on AWS Lambda & API Gateway.
I need a way to get access to the raw query string (i.e foo=bar&abc=123). When accessing the app.current_request.query_params dictionary, it's already been processed, such that any empty parameters (foo=&bar=) have been stripped out.
Unfortunately I'm working with a third-party API that sends a signed hash value in the query string, based off the raw query string. I can't verify it without the original, unaltered query string. Is there any way to access it other than current_request.query_params?
If you wish to get everything you do the following.
Let's say you are hitting the route /objects/{what}?human=you&thing=computer
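from chalice import Chalice
app = Chalice(app_name='example')  # placeholder app name

@app.route('/objects/{what}', methods=['GET'])
def myobject(what):
    # Dump the whole request object as a dictionary
    everything = app.current_request.to_dict()
    print("look at me: {}".format(everything))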
For more information see: Request from the Chalice docs

AWS API unable to validate query string (specifically - "VpcId=vpc-1738886c")

I am trying to send a API query for Subnet Creation. Please note that the authentication code is working the problem is just with the parameter string:
request_parameters = 'Action=CreateSubnet&VpcId=vpc-1738886c&CidrBlock=20.20.3.0%2F28&Version=2016-11-15'
When I send this, I get: AWS was not able to validate the provided access credentials
For the exact same code, when I send:
request_parameters = 'Action=CreateVpc&CidrBlock=20.20.3.0%2F24&Version=2016-11-15' # It works!!
I am guessing there is something wrong with: VpcId=vpc-1738886c
Being same user, I am able to create a subnet in that VPC with same CIDR block in the console so permission doesn't seem to be an issue.
Please can you advise? Thanks in advance.
"AWS was not able to validate the provided access credentials" should mean you have an issue in the signing code -- not in the actual parameters.
Initially, it's hard to see why that might be the case, here... but it is.
The problem lies in the fact that you need to be signing the canonical representation of the query string... which means the parameters must be sorted lexically when signing:
# canonical representation
Action=CreateSubnet&CidrBlock=20.20.3.0%2F28&Version=2016-11-15&VpcId=vpc-1738886c
There can be no safe assumptions about the order in which a query string's parameters may change end-to-end on the Internet, so the AWS signing algorithms require them to be sorted for signing. The order in the actual HTTP request doesn't matter, but the order when signing does.
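An added example (not code from the original answer) of the canonicalization step it describes, covering only the query-string part of signing: decode, re-encode and sort the parameters before they go into the string that is signed. Run on the two strings from the question, it shows that the CreateVpc query happened to be in sorted order already, while the CreateSubnet query was not. The function names are illustrative.

```python
from urllib.parse import parse_qsl, quote


def canonical_query_string(raw_query: str) -> str:
    """Return the query string in the sorted, encoded form used for signing."""
    # Decode first so already-encoded input (%2F) is not encoded twice.
    # Assumption: parse_qsl treats '+' as a space, as in form encoding.
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    # RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ stay literal.
    encoded = [(quote(k, safe="-_.~"), quote(v, safe="-_.~")) for k, v in pairs]
    # Sort by encoded name, then by encoded value for repeated names.
    return "&".join(f"{k}={v}" for k, v in sorted(encoded))


def is_canonical(raw_query: str) -> bool:
    """True when the string can be signed as-is without reordering."""
    return raw_query == canonical_query_string(raw_query)


# The two parameter strings from the question above.
CREATE_SUBNET = ("Action=CreateSubnet&VpcId=vpc-1738886c"
                 "&CidrBlock=20.20.3.0%2F28&Version=2016-11-15")
CREATE_VPC = "Action=CreateVpc&CidrBlock=20.20.3.0%2F24&Version=2016-11-15"

if __name__ == "__main__":
    for query in (CREATE_SUBNET, CREATE_VPC):
        print(is_canonical(query), canonical_query_string(query))
```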

Simple Access API (Developer Key) with Google Cloud Endpoint (Python)

Is there a way to use Simple Access API (Developer Key) instead of oAuth2 key with Google Cloud Endpoint?
Extra fields in your protorpc request object that aren't part of the definition are still stored with the request.
If you wanted to use a key field as a query parameter, you could access it via
request.get_unrecognized_field_info('key')
even if key is not a field in your message definition.
This is done in users_id_token.py (the Auth part of the endpoints library) to allow sending bearer_token or access_token as query parameters instead of as header values.
Unfortunately, the nice quota checking and other associated pieces that a "Simple API Access" key gives are not readily available. However, you could issue your own keys and manually check a key against your list and potentially check against quotas that you have defined.
For those looking to use @bossylobster's answer in Java, use the SO Answer here:
Getting raw HTTP Data (Headers, Cookies, etc) in Google Cloud Endpoints
P.S.
I tried to make this a comment in @bossylobster's answer, but I don't have the reputation to do that. Feel free to clean up this answer so that others can follow the path
