TechQA.

How do I call an AWS_IAM authorized API Gateway endpoint from AWS Lambda who's execution role has permission to do so?

9.1k views Asked by At

I'm wanting to call an AWS API Gateway endpoint which has Authorization set to AWS_IAM from an executing AWS Lambda who's execution role has permission to execute that API Gateway.

enter image description here

Is there anyway for me to sign the HTTPS request to API Gateway using the current execution role of my Lambda?

Edit:

Looking at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html, I may be able to call AssumeRole using the SDK to assume the role which has permissions to execute Api Gateway, and then extract the secret key which can be used to sign the requests.

amazon-web-services aws-lambda aws-api-gateway signing
Original Q&A
2

There are 2 answers

1
Abhigna Nagaraja On BEST ANSWER

The credentials for lambda's execution role can be retrieved from environment variables - AWS_SESSION_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY.

You can use the above credentials to sign the requests. The docs for signing are here http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html. You can also look at third party libraries that do this.

Note that since you have session token you'll need to handle it as described here http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#RequestWithSTS

0
Antoine Delia On

As @Abhigna Nagaraja pointed out, you can retrieve the credentials for lambda's execution with the environment variables.

If you are using Python, you can use the aws_requests_auth library to sign the request. You can also check the documentation for a complete example on how to sign the request.

Here's a snippet on how to sign a request from a lambda:

import json
import requests
import os
from aws_requests_auth.aws_auth import AWSRequestsAuth


def lambda_handler(event, context):
    api_id = 'XXXXXXXXX'  # Replace with your API Gateway Id
    api_url = 'https://{}.execute-api.eu-west-1.amazonaws.com/dev/hello'.format(api_id)

    aws_access_key_id = os.environ['AWS_ACCESS_KEY_ID']
    aws_secret_access_key = os.environ['AWS_SECRET_ACCESS_KEY']
    aws_session_token = os.environ['AWS_SESSION_TOKEN']

    auth = AWSRequestsAuth(aws_access_key=aws_access_key_id,
                           aws_secret_access_key=aws_secret_access_key,
                           aws_token=aws_session_token,
                           aws_host='{}.execute-api.eu-west-1.amazonaws.com'.format(api_id),
                           aws_region='eu-west-1',
                           aws_service='execute-api')

    response = requests.get(api_url, auth=auth)
    return {
        'statusCode': response.status_code,
        'body': json.dumps(response.json())
    }

Hope it helps.

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AWS-LAMBDA

Related Questions in AWS-API-GATEWAY

Related Questions in SIGNING

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions