
api-gateway-secure-pet-store's Introduction

Setup the Secure Pet Store

Introduction

The Secure Pet Store sample is an application built in Java for AWS Lambda. It uses Amazon API Gateway to expose the Lambda function as HTTP endpoints, and uses Identity and Access Management (IAM) and Amazon Cognito to retrieve temporary credentials for a user and to authorize access to its APIs.

The Secure Pet Store

  • First, create an Amazon Cognito identity pool. The identity pool should only allow Custom authentication providers.
  • The next step in the identity pool creation process sets up the IAM roles. For the time being, simply click Allow to create the identity pool.
  • Now that we have created the Cognito Identity Pool, we need to set up the DynamoDB tables. The application requires 2 DynamoDB tables: one for the users and one for the pets. The annotated objects for users and pets are com.amazonaws.apigatewaydemo.model.pet.Pet and com.amazonaws.apigatewaydemo.model.user.User in the app source code.
  • The table for the users should have only a Hash Key of type string called username.
  • The pets table also has only a Hash Key of type string called petId.

Build and Deploy the Application to AWS Lambda

The application needs to be modified to reflect the resource names created above. After adapting the configuration you package the application and deploy it as an AWS Lambda function with the necessary execution role.

  • Configure the application to utilize the correct Cognito Identity Pool and DynamoDB tables. The app reads the configuration from static variables declared in the CognitoConfiguration and DynamoDBConfiguration in the com.amazonaws.apigatewaydemo.configuration package. Open the 2 classes and set the correct values on the properties.

| Class | Property | Description |
| --- | --- | --- |
| CognitoConfiguration | IDENTITY_POOL_ID | The unique identifier for the Cognito Identity Pool. This value is available in the Amazon Cognito console. |
| CognitoConfiguration | CUSTOM_PROVIDER_NAME | The name of the developer provider specified during the Identity Pool creation process. You can access this value from the edit identity pool page. |
| DynamoDBConfiguration | USERS_TABLE_NAME | The name of the DynamoDB table created to store usernames and passwords |
| DynamoDBConfiguration | PET_TABLE_NAME | The name of the DynamoDB table created to store the pets |

  • Now that the application is configured you can build it and package it for AWS Lambda using Maven. Open a terminal and navigate to the application folder, then run mvn package. This will create a target directory and inside it a file called api-gateway-secure-pet-store-1.0-SNAPSHOT.jar.

  • We will create an AWS Lambda function that needs access to the resources created above. Create a new role in AWS Identity and Access Management with the following policies:

    Trust Policy for the AWS Lambda execution role:

   ```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
   ```


   Policy for the AWS Lambda execution role:

   ```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-identity:GetOpenIdTokenForDeveloperIdentity"
            ],
            "Resource": [
                "<COGNITO_IDENTITY_POOL_ARN>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "<DYNAMODB_PETS_TABLE_ARN>",
                "<DYNAMODB_USERS_TABLE_ARN>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
   ```
  • Open the AWS Lambda console and create a new function. Skip the blueprint selection page and go straight to the Configure Function step. In this screen give your function a name and select Java 8 as runtime. AWS Lambda will ask you to upload a ZIP file for your function. You can upload the Jar file created by the maven process directly.
  • As a Handler for your function enter com.amazonaws.apigatewaydemo.RequestRouter::lambdaHandler.
  • Use the execution role created in the previous step.
  • Now that the Lambda function is ready, we can set up the API structure in Amazon API Gateway. To easily create the entire API we are going to use the Swagger format and import this into Amazon API Gateway.
  • Open the Swagger definition in the src/main/resources/Swagger.yaml file. Search the file for x-amazon-apigateway-integration. This tag defines the integration points between API Gateway and the backend, our Lambda function. Make sure that the uri for the Lambda function is correct, it should look like this:
arn:aws:apigateway:<YOUR REGION>:lambda:path/2015-03-31/functions/<YOUR LAMBDA FUNCTION ARN>/invocations
  • You can specify the role ARN in the credentials field of the Swagger file, next to the uri field. The /pets methods use a special role: arn:aws:iam::*:user/*. This tells API Gateway to invoke the Lambda function using the caller credentials. For the /users and /login (the first 2 paths in the file) you will also have to specify the invocation role API Gateway should use to call the Lambda function. You can create a new invocation role for the /users and /login methods from the Identity and Access Management (IAM) console with the following policies:

    Trust Policy for the AWS Lambda invocation role:

   ```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
   ```


   Policy for the AWS Lambda invocation role:

   ```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "<LAMBDA_ARN>"
            ]
        }
    ]
}
   ```
  • Copy the Role ARN from the Role Summary page, and paste it in the credentials field of the /users and /login methods of the Swagger file.

  • Now that we have generated all resources for our API and we have all the ARNs, we should also modify the access policy of the Cognito Identity Pool to grant access to the Amazon API Gateway for authenticated users.

  • In the IAM console navigate to the roles list and open the authenticated role of your Cognito Identity Pool - the role is likely to be called Cognito_"IdentityPoolName"Auth_Role

  • Change the policy to:

   ```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
   ```


* Once you have modified and saved the Swagger file to call the correct Lambda function and use your roles [create a new API in Amazon API Gateway](https://console.aws.amazon.com/apigateway/home?region=us-east-1#/apis/create) with the **Import from Swagger** feature.
* You should now be able to deploy and test your **API Gateway Secure Pet Store** API with Amazon API Gateway
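
The authenticated-role policy above allows `execute-api:Invoke` on `*`, and the execution-role policy allows `logs:*` on `*`. The Python below is an added example, not part of the awslabs project: it flags those account-wide grants and builds an authenticated-role policy limited to one API stage and a list of routes. The account ID, API ID, stage, route list and function name are constructed placeholders, and the optional `lambda:InvokeFunction` statement is included because the `/pets` methods invoke Lambda with the caller's credentials.

```python
# Added example: audit the README's IAM policies for wildcard grants and
# build a scoped authenticated-role policy. Not code from the repository.

# The two README policies that contain "*" entries, copied from the page.
README_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cognito-identity:GetOpenIdTokenForDeveloperIdentity"],
         "Resource": ["<COGNITO_IDENTITY_POOL_ARN>"]},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                    "dynamodb:Scan", "dynamodb:UpdateItem"],
         "Resource": ["<DYNAMODB_PETS_TABLE_ARN>", "<DYNAMODB_USERS_TABLE_ARN>"]},
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": ["*"]},
    ],
}
README_AUTH_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": ["*"]},
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def find_wildcards(policy):
    """Return (statement index, field, value) for every Allow entry that is a
    bare "*" or a whole-service action such as "logs:*"."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field, [])):
                if value == "*" or (field == "Action" and value.endswith(":*")):
                    findings.append((index, field, value))
    return findings


def scoped_auth_role_policy(region, account_id, api_id, stage, routes,
                            lambda_arn=None):
    """Authenticated-role policy limited to one API stage and the given routes.

    routes: (HTTP method, path) pairs; a trailing /* covers a path parameter.
    lambda_arn: backend function ARN, added as lambda:InvokeFunction when the
    integration calls Lambda with the caller's credentials.
    """
    prefix = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}"
    statements = [{
        "Effect": "Allow",
        "Action": ["execute-api:Invoke"],
        "Resource": [f"{prefix}/{method.upper()}{path}" for method, path in routes],
    }]
    if lambda_arn:
        statements.append({
            "Effect": "Allow",
            "Action": ["lambda:InvokeFunction"],
            "Resource": [lambda_arn],
        })
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample values (assumptions, not taken from the project).
PET_ROUTES = [("GET", "/pets"), ("POST", "/pets"), ("GET", "/pets/*")]
SCOPED_POLICY = scoped_auth_role_policy(
    "us-east-1", "123456789012", "a1b2c3d4e5", "test", PET_ROUTES,
    lambda_arn="arn:aws:lambda:us-east-1:123456789012:function:PetStoreFunction",
)

if __name__ == "__main__":
    for name, policy in [("execution role", README_EXECUTION_POLICY),
                         ("authenticated role", README_AUTH_ROLE_POLICY),
                         ("scoped authenticated role", SCOPED_POLICY)]:
        print(name, find_wildcards(policy))
```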

# Setting up the iOS sample

## Introduction
The iOS sample application is located under the `/src/main/resources/ios_sample` folder. It uses [CocoaPods](https://cocoapods.org/) to retrieve its dependencies and includes an iOS client SDK generated with API Gateway.

## Step by Step setup
* If you don't have [CocoaPods](https://cocoapods.org/) installed, follow the installation instructions on the website
* The first step is to copy the contents of the `ios_sample` folder to a new project directory.
* Open a terminal and navigate to the new project directory `cd /your/project/dir`
* To install the dependencies using CocoaPods run `pod install` from the terminal in the project folder
* Open the new `.xcworkspace` file created by CocoaPods in the project folder using Xcode
* From Xcode open the `PetTest/ClientSDK/PETLambdaMicroserviceClient.m` file
* On line 117 change the `*URLString` definition to match the url of your API deployment with Amazon API Gateway

## The AWSCredentialsProvider
In order to provide credentials to our SDK, and make calls to the Secure Pet Store backend, we have created a custom implementation of the `AWSCredentialsProvider` object. The `AWSCredentialsProvider` interface declares a single method, `(AWSTask *)refresh`. This method is called by the generated SDK whenever it needs credentials and is in charge of fetching a new set of temporary AWS credentials from your backend and storing them in its `_accessKey`, `_secretKey`, and `session_key` properties.

Our custom implementation is located under `PetTest/APIGSessionCredentialsProvider`. The refresh method uses the generated client to call the `login` method with a cached username and password. The login method from our backend verifies the credentials and responds with a set of temporary AWS credentials.
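
Once `refresh` has stored the temporary credentials, the generated SDK signs each request with AWS Signature Version 4 and sends the session token in the `x-amz-security-token` header. The Python below is an added example, not code from the sample app or the AWS SDK, that signs a `POST /pets` call the same way so the flow can be followed without the iOS client. It assumes the login response layout shown in the issues on this page (`accessKey`, `secretKey`, `sessionToken`, `expiration` in epoch milliseconds); the host, stage, request body and credential values are constructed.

```python
# Added example: SigV4-sign an API Gateway request with temporary credentials.
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_request(method, url, body, creds, region, now,
                 service="execute-api", content_type="application/json"):
    """Sign one request with the credentials object returned by /login.

    body is bytes; now is a timezone-aware datetime used as the signing time.
    Returns the headers to send plus the canonical request and string to sign,
    which are what the service echoes back in a signature-mismatch error.
    """
    # Refuse to sign with stale credentials; the caller should log in again.
    if now.timestamp() * 1000 >= creds["expiration"]:
        raise ValueError("temporary credentials expired; call /login again")

    parts = urlsplit(url)
    amz_date = now.astimezone(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"

    # Every header listed here is signed, including the session token.
    headers = {
        "content-type": content_type,
        "host": parts.netloc,
        "x-amz-date": amz_date,
        "x-amz-security-token": creds["sessionToken"],
    }
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)

    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in parse_qsl(parts.query, keep_blank_values=True))
    canonical_request = "\n".join([
        method.upper(),
        quote(parts.path or "/", safe="/~"),   # path as sent, encoded once more
        "&".join(f"{k}={v}" for k, v in pairs),
        canonical_headers,
        signed_headers,
        hashlib.sha256(body).hexdigest(),
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = ("AWS4" + creds["secretKey"]).encode("utf-8")
    for part in scope.split("/"):
        key = _hmac_sha256(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['accessKey']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"headers": headers, "canonical_request": canonical_request,
            "string_to_sign": string_to_sign}


# Constructed sample input (not real credentials, host or pet payload).
SAMPLE_CREDENTIALS = {
    "accessKey": "ASIAEXAMPLEACCESSKEY",
    "secretKey": "constructed-secret-key-not-real",
    "sessionToken": "constructed-session-token",
    "expiration": 1462280810000,
}
SAMPLE_URL = "https://abc123.execute-api.us-east-1.amazonaws.com/test/pets"
SAMPLE_BODY = b'{"petType": "dog"}'
SAMPLE_NOW = datetime.datetime(2016, 5, 3, 12, 15, 16, tzinfo=datetime.timezone.utc)
SAMPLE_EXPIRED_NOW = datetime.datetime(2016, 5, 3, 14, 0, 0, tzinfo=datetime.timezone.utc)

if __name__ == "__main__":
    signed = sign_request("POST", SAMPLE_URL, SAMPLE_BODY, SAMPLE_CREDENTIALS,
                          "us-east-1", SAMPLE_NOW)
    for name, value in signed["headers"].items():
        print(f"{name}: {value}")
```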


api-gateway-secure-pet-store's Issues

Test post method for inserting pets with temporary security credential in Postman

Hi: I deployed codes on AWS and users were registered as cognito pool. The URL (https://...../test/login) post method returned this JSON.
Can I use Postman to test https://...../test/pets with security credential to insert new pet?
What are the custom http headers (Authorization, Credential, SignedHeaders, Signature) I need to set up?

```json
{
    "identityId": "us-west-2:474913db-b0bd-47f0cb3dbe43b",
    "token": "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NDc0OTEzZGItYjBiZC00NzFlLThiZmUtNGYwY2IzZGJlNDNiIiwiYXVkIjoidXMtZWFzdC0xOjNjMmIyZjI3LTU2ZGQtNGM5MS1hNmM5LTFhNTk4NjUwZjU3ZiIsImFtciI6WyJhdXRoZW50aWNhdGVkIiwicGV0U3RvcmVBdXRoZW50aWNhdGlvblByb3ZpZGVyIiwicGV0U3RvcmVBdXRoZW50aWNhdGlvblByb3ZpZGVyOnVzLWVhc3QtMTozYzJiMmYyNy01NmRkLTRjOTEtYTZjOS0xYTU5ODY1MGY1N2Y6dGVzdCJdLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRlbnRpdHkuYW1hem9uYXdzLmNvbSIsImV4cCI6MTQ0NDQ5MTE2NiwiaWF0IjoxNDQ0NDkwMjY2fQ.PcCVdZidyeumwJUrfvZdaOhS0OsvO6aMaAe4eBMF8mTK7txyFtwr0KTPtFrLtWprP7h6HabIiJUiLGVOh52fE74ngmeNlihgkw7vSjGsisXzQMEfVF5YjyMyKVn_BOYxy7B-58-EFeDAFYXbmNg2IQXsGQPyp28i7dFQh7gPgAW9FJuRFe1WgxcR_asT_Zrko_dVy59yEqclUtgyWktsV1v8zU1S0o1CsnLifD2SEWvjDA09RYqJf-Q2nkbjRO1ToVZXEdYLdx_ApQmPWRo-ISdZ8PntqlJvx0whP5aoqbAwNh6k9ZqMQw",
    "credentials": {
        "accessKey": "ASIAJ5T4LTYBM5NA",
        "secretKey": "G4ddpPtc6RZkuzb5PV6hsV860QjAPP5W4M",
        "sessionToken": "...\u003d\u003d",
        "expiration": 1444400
    }
}
```

Testing Secured endpoints with API-Gateway / Postman is not clear

I am able to test login / register user and get a valid accessKey, secretKey and sessionToken.
However, I cannot test the other endpoints /pets or /pets/{petId}.
I get the error message below.
I would really appreciate it if someone could explain how I can test this without using the iOS app, via the API Gateway console and/or Postman (or some other REST API client).

Error Msg:
Thu Jan 26 09:14:47 UTC 2017 : Execution failed due to configuration error: API Gateway could not determine the callers credentials

Note: Authorization set to AWS_IAM and my swagger file's credentials value is set to credentials: arn:aws:iam::*:user/* as stated in the documentation.

Swagger on windows

I got most of the way through, then got stuck on a non-cloud step (running on windows):
./aws-api-import.sh --create /path/to/secure-pet-store/src/main/resources/swagger.yaml

I can always create the lambda functions manually based on the yaml content.

The maven assembly command builds however then all the tests fail. When I try just the compile, that works. I was expecting/hoping that a jar would have been created - that did not happen as a result of the assembly. All the tests fail - various exceptions.

%mvn org.apache.maven.plugins:maven-compiler-plugin:compile
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building aws-apigateway-importer 1.0.3-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] The artifact org.apache.commons:commons-io:jar:1.3.2 has been relocated to commons-io:commons-io:jar:1.3.2
[INFO]
[INFO] --- maven-compiler-plugin:2.5.1:compile (default-cli) @ aws-apigateway-importer ---
[INFO] Nothing to compile - all classes are up to date
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.870s
[INFO] Finished at: Mon Mar 21 22:50:34 EDT 2016
[INFO] Final Memory: 12M/309M
[INFO] ------------------------------------------------------------------------
%
%ls -la target
total 16
drwxrwxr-x+ 1 behrens behrens 0 Mar 21 22:14 .
drwxrwxr-x+ 1 behrens behrens 0 Mar 21 22:14 ..
drwxrwxr-x+ 1 behrens behrens 0 Mar 21 22:14 classes
drwxrwxr-x+ 1 behrens behrens 0 Mar 21 22:14 generated-sources
drwxrwxr-x+ 1 behrens behrens 0 Mar 21 22:14 generated-test-sources
drwxrwxr-x+ 1 behrens behrens 0 Mar 21 22:51 surefire
drwxrwxr-x+ 1 behrens behrens 0 Mar 21 22:14 surefire-reports
drwxrwxr-x+ 1 behrens behrens 0 Mar 21 22:14 test-classes

Custom Authorizer

Now that AWS API Gateway has introduced Custom Authorizer, does the approach described here change in any way?

Cognito Auth_Role must include lambda:InvokeFunction

Cognito Auth_Role role must include permission to call Lambda function. In the README section, please include a note about adding lambda:InvokeFunction permission to the auth role's policy.
{ "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "<ARN OF LAMBDA FUNCTION>" ] }

If this is not added, the user could be getting the following error trying to call the API from a browser:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 403.

More introduction

Is there a blog post or anything to accompany this sweet looking repo? It's not entirely clear what it's setting out to do, or from a high level how it accomplishes it.

temporary security credentials expiration interval is too short

Hi:
I created an identity pool by following the example code published at awslabs/api-gateway-secure-pet-store.
The temporary security credentials expired every 5 minutes. How can I make them last longer, such as 10 minutes?

Here is the example credential :
credentials: {
accessKey: ""
secretKey: "qtJrT+8mpuDEzitVzyzuSa8Jggy+zTGekbR57/fe"
sessionToken: "..."
expiration: 1444582299000
}

Here is the message saying the credential is expired:

{
message: "Signature expired: 20151011T155322Z is now earlier than 20151011T155344Z (20151011T155844Z - 5 min.)"
}

What is the meaning "Copy and paste the same access policy we generated for the invocation role"

I followed what the documentation says, but at the end I didn't understand this line: "Copy and paste the same access policy we generated for the invocation role".

Does that mean making Cognito_IdentityTestPoolAuth_Role similar to the previous one, like below?

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1462212212000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:XXXXXXXXX:function:zPetStoreAPIGatewayLambda",
                "arn:aws:execute-api:*"
            ]
        },
        {
            "Sid": "Stmt1462211764000",
            "Effect": "Allow",
            "Action": [
                "cognito-identity:GetOpenIdTokenForDeveloperIdentity"
            ],
            "Resource": [
                "arn:aws:cognito-identity:us-east-1:XXXXXXXXX:identitypool/us-east-1:a6fef2a4-bb3f-4e22-b9d6-xxxxxxxx"
            ]
        },
        {
            "Sid": "Stmt1462211972000",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:XXXXXXXXXX:table/testPetId"
            ]
        },
        {
            "Sid": "Stmt1462212134000",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:XXXXXXXX:table/testUserName"
            ]
        },
        {
            "Sid": "Stmt1462212275000",
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

May you please clarify ?

PetTest iOS App: After logging in, screen hangs showing spinning "Loading pet list".

Followed instructions on Roles, Tables, Lambda, API Gateway upload, etc.
User has been registered and is in Cognito.
User data appears in DynamoDB /users table.
The user has logged in successfully and gets credentials (show by console).
DynamoDB pets table does have data in it.
But the Master/Detail screen simply spins "Loading pet list".
This happens on simulator and physical hardware.
Any ideas of what may be happening?

The request signature we calculated does not match the signature you provided ?

On executing the Login request, I have received the following credentials 👍
"credentials": {
"accessKey": "XXXXXXXXXXXXX",
"secretKey": "XXXXXXXXXXXXX/XXXXXXXXXXXXX/XXXXXXXXXXXXX",
"sessionToken": "...",
"expiration": 1462280810000

}

But when I applied to call Pets request by entering above parameters, it does the following 👍

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'POST\n/devTest/pets\n\ncontent-length:212\ncontent-type:application/x-www-form-urlencoded\nhost:XXXXXXX.execute-api.us-east-1.amazonaws.com\nx-amz-date:20160503T121516Z\nx-amz-security-token:...\n\ncontent-length;content-type;host;x-amz-date;x-amz-security-token\n82d7b00fc60e9684db97202b877091a3836e091224a5a8bf4567080e104e4459'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20160503T121516Z\n20160503/us-east-1/execute-api/aws4_request\nd6d9d29069c6575ec4510dfab1268f2ba1697a876a660c4564fe8398674f3c97'\n"}

Any comments ?

API Gateway and HTML Web pages

I have watched the Invent and other API gateway videos, read tons of stuff and I am still confused.

Imagine I have two EC2 websites. Each one serves up both webpages and API resources.

Can I use API Gateway to proxy both webpages and resources? i.e. one serves up HTML and the other JSON.

Right now, if I create API Gateway resources for /site1 and /site2, add a resource under each for HTTP Proxy to their respective locations, and under the ANY method test something like /site1/index.html, the webpage HTML is returned but all of the page content like scripts, css, js etc. is not found.

I thought that API gateway was the answer to serverless proxying so have I got it completely wrong?

Thanks,
Dave

Problem with Trust Policy file

I am new to AWS, so, I may be doing this wrong. But, any help would be greatly appreciated.

I tried to create the Lambda Role by first creating two policies. One named TestAppTrust that contained the following:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

When I attempt to validate the policy I get an error. Specifically, the error is:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.

When I read the "policy grammar" everything looks correct and appropriate.

What am I doing wrong?

Thanks,

Stan

enabling Fine-grained access permissions on Pets tables - authorization access control list

Hi Team:
Stefano Buliani had a presentation ( https://www.youtube.com/watch?v=ZBxWZ9bgd44 , minutes 36:17) about how both AWS Lambda and DynamoDB will follow the access policy such as

```json
"Condition": {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
        "dynamodb:Attributes": [
            "UserId", "GameTitle", "Wins", "Losses",
            "TopScore", "TopScoreDateTime"
        ]
    },
    "StringEqualsIfExists": {
        "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
    }
}
```

Could we add a similar policy to this project? The pets API post method could insert a new item into the pets table with attribute name identityId and attribute value as cognitoId. The users table has that attribute.

How to set up Java Development Environment to debug project without deployment the jar?

Team:
How do you develop the project prior to deploying the jar in the Lambda console?
I would like to set up a Java Maven project in an IDE, properly configured on my local dev machine, so I can debug the Lambda code, which needs access to DynamoDB and Cognito pool resources in an AWS region.

I am used to setting up OpenVPN in my VPC to access the AWS resources.

Podfile format has changed

I needed to edit the Podfile to support new format to get "pod install" to work. The file should be fixed to support this change.

Unable to get response from aws api gateway

I have deployed my api on aws amazon api gateway and If I go through resource and make a request to an endpoint, I am able to get the response however when I go to stages and invoke url with params and x-api-key then I don't get any response with warning 'Unexpected 'N'' and 'Not Acceptable'. How is it possible that output is changed after deploying?

It's happening only in case of a POST request and I am trying postman to send requests.

Web UI

Not an issue but an enhancement...

It would be really nice to also have a little web UI to demonstrate the login and API call flow from a web browser.

Amazon API security with API Keys

I have deployed my rest API on amazon API gateway and I have a scenario in front of me with security concern. I am using an api key for all the api requests, I wanna know if that api key is exposed somehow and as we know the same api key is being used by already published apps... Then what are my options?

Also as mentioned here I can have only 10000 API keys per AWS account if I want the api keys to be unique per user for it to be more secure but what if the number of user shoots out to be more than 10000.

Generated SDKs contains duplicate models which refers the same object in the API definition

Hi,

I don't think this is related to api-gateway-secure-pet-store itself, but the problem we face can be reproduced easily with this repository.

It appears that the SDK generation of Api Gateway (iOS, Android) is not very smart when dealing with arrays of objects (Pets in this case). Instead of using the 'Pet' model as the item of the array, the SDK generates a third model called 'Pets_Item' which is exactly the same as 'Pet'.

This is very annoying for Client developers because they have to handle two different classes for the same domain depending of the services they call (GET /pets or GET/pets/{id}).

In result, they have to write patch to have something useable...and the magic suddenly disappears.

Do you think is there any way to avoid the third model by fixing something in the Swagger file ? We tried several changes but without any success.

"errorMessage": "null (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID:

I followed as the documentation says, and on execution of the below method -

https://XXXXXXX.execute-api.us-east-1.amazonaws.com/devTest/users
with following body
{
"action" :"com.amazonaws.apigatewaydemo.action.RegisterDemoAction",
"body" : {
"username":"test",
"password":"test123"
}

}

{ however, it was not mentioned anywhere in the documentation how to send the request }

And it gave following error -

{
"errorMessage": "null (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: 1TM4POAKDQ2KIEIUEPIOLTH0RNVV4KQNSO5AEMVJF66Q9ASUAAJG)",
"errorType": "com.amazonaws.AmazonServiceException",
"stackTrace": [
"com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)",
"com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)",
"com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)",
"com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)",
"com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.invoke(AmazonDynamoDBClient.java:1772)",
"com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.getItem(AmazonDynamoDBClient.java:1141)",
"com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMapper.load(DynamoDBMapper.java:454)",
"com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMapper.load(DynamoDBMapper.java:532)",
"com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMapper.load(DynamoDBMapper.java:398)",
"com.amazonaws.apigatewaydemo.model.user.DDBUserDAO.getUserByName(DDBUserDAO.java:64)",
"com.amazonaws.apigatewaydemo.action.RegisterDemoAction.handle(RegisterDemoAction.java:101)",
"com.amazonaws.apigatewaydemo.RequestRouter.lambdaHandler(RequestRouter.java:98)",
"sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)",
"sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)",
"sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)",
"java.lang.reflect.Method.invoke(Method.java:497)"
]
}

iOS Sample App - unrecognized selector - AWSSignatureV4Signer

With the iOS sample app, AWSSignatureV4Signer does not have a method signerWithCredentialsProvider, so the code will not compile with the latest dependencies.

The suspect line of code is 117 of PETLambdaMicroserviceClient.m:

        AWSSignatureV4Signer *signer = [AWSSignatureV4Signer signerWithCredentialsProvider:_configuration.credentialsProvider
                                                                                  endpoint:_configuration.endpoint];

Changing the signer to v2 does not fix the code - API Gateway requests requiring AWS_IAM do not succeed. The Xcode console reports

2017-01-11 18:09:54.934 PetTest[14093:751826] -[PETCredentials continueWithSuccessBlock:]: unrecognized selector sent to instance 0x618000424280

The unauthenticated AWS_IAM request for registering a user works, so connectivity is established and new users are registered with the login screen.
