Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs

14 052 vues

Publié le

Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure, and monitor APIs at any scale.  In this presentation, you’ll find out how to quickly declare an API interface and connect it with code running on AWS Lambda.  Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.  We will demonstrate how to build an API that uses AWS Identity and Access Management (IAM) for authorization and Amazon Cognito to retrieve temporary credentials for your API calls. We will write the AWS Lambda function code in Java and build an iOS sample application in Objective C.

Publié dans : Technologie
  • Soyez le premier à commenter

(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs

  1. 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Stefano Buliani, Product Manager October 2015 Building Secure and Scalable APIs Using Amazon API Gateway and AWS Lambda
  2. 2. What to Expect from the Session 1. A new, fully-managed development model 2. Declare an API with Amazon API Gateway 3. Application logic in AWS Lambda 4. Register and login API with Amazon Cognito 5. Authorization with AWS IAM 6. Generate and connect the Client SDK
  3. 3. Managed A new, fully managed model InternetMobile apps AWS Lambda functions AWS API Gateway cache Endpoints on Amazon EC2 Any other publicly accessible endpoint Amazon CloudWatch Amazon CloudFront API Gateway API Gateway Other AWS services AWS Lambda functions
  4. 4. Key takeaways AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you Security is important, and complex – make the most of AWS Identity and Access Management Swagger import and client SDK – we can automate most workflows
  5. 5. The services we are going to use Amazon API Gateway AWS Lambda Amazon Cognito Amazon DynamoDB Host the API and route API calls Execute our app’s business logic Generate temporary AWS credentials Data store
  6. 6. The pet store architecture
  7. 7. Unauthenticated API call flows Mobile apps AWS Lambda lambdaHandler Register Login API Gateway Authenticated Mobile apps AWS Lambda lambdaHandler ListPets GetPet API Gateway Assume Role CreatePet Sigv4 Invoke with caller credentials Authorized by IAM
  8. 8. What’s new? The application can use lots of servers, and I don’t need to manage a single one. Authorization of API calls is delegated to AWS. We just need to focus on our IAM roles. Deployment of the API is automated using Swagger.
  9. 9. API definition and Swagger
  10. 10. Amazon API Gateway overview Manage deployments to multiple versions and environments Define and host APIs Leverage Identity and Access Management to authorize access to your cloud resources Leverage AWS Auth DDoS protection and request throttling to safeguard your back end Manage network traffic
  11. 11. Method and integration
  12. 12. Resources and methods • POST – Registers a new user in our DynamoDB table/users • POST – Receives a user name and password and authenticates a user /login • POST – Creates a new pet in the database • GET – Retrieves a list of pets from the database /pets • GET – Retrieves a pet by its ID/pets/{petId} Unauthenticated Authenticated
  13. 13. Method Response Integration Request Method Request Method Automating the workflow with Swagger /users: post: summary: Registers a new user consumes: - application/json produces: - application/json parameters: - name: NewUser in: body schema: $ref: '#/definitions/User’ x-amazon-apigateway-integration: type: aws uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31... credentials: arn:aws:iam::964405213927:role/pet_store_lambda_invoke ... responses: 200: schema: $ref: '#/definitions/RegisterUserResponse'
  14. 14. Benefits of using Swagger • API definitions live in our source repository with the rest of the app. • They can be used with other utilities in the Swagger toolset (for example, documentation generation). • API can be imported and deployed in our build script.
  15. 15. Request routing and exceptions
  16. 16. High performance at any scale; Cost-effective and efficient No Infrastructure to manage Pay only for what you use: Lambda automatically matches capacity to your request rate. Purchase compute in 100ms increments. Bring Your Own Code Lambda functions: Stateless, trigger-based code execution Run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally. Focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else. AWS Lambda Overview
  17. 17. The Lambda handler lambdaHandler in our Java source Register action Login action Create Pet action Get Pet action Credentials generation Pet store database Amazon API Gateway Integration request
  18. 18. Exception to HTTP status Register action Login action Create Pet action Get Pet action BadRequestException BAD_REQUEST + Stack Trace InternalErrorException INTERNAL_ERROR + Stack Trace lambdaHandler in our Java source Amazon API Gateway responses: "default": statusCode: "200" "BAD.*": statusCode: "400" "INT.*": statusCode: "500"
  19. 19. Mapping templates are a powerful tool Learn more about mapping templates in our docs http://amzn.to/1L1hSF5
  20. 20. Retrieving AWS credentials
  21. 21. Amazon Cognito overview Manage authenticated and guest users across identity providers Identity management Synchronize users’ data across devices and platforms via the cloud Data synchronization Securely access AWS services from mobile devices and platforms Secure AWS access
  22. 22. The API definition • POST • Receives a user name and password • Encrypts the password and creates the user account in DynamoDB • Calls Amazon Cognito to generate credentials • Returns the user + its credentials /users • POST • Receives a user name and password • Authenticates the user against the DynamoDB database • Calls Amazon Cognito to generate credentials • Returns a set of temporary credentials /login
  23. 23. Retrieving temporary AWS credentials Call Login API, no auth required Client API Gateway Backend /login Login action User accounts database Credentials verified Get OpenID token for developer identity Receives credentials to sign API calls Identity ID + token Get credentials for identity Access key + secret key + session token /login 1. 2. 3.
  24. 24. Authorizing API calls
  25. 25. The Pets resources require authorization • POST • Receives a Pet model • Saves it in DynamoDB • Returns the new Pet ID • GET • Returns the list of Pets stored in DynamoDB /pets • GET • Receives a Pet ID from the path • Uses mapping templates to pass the path parameter to the Lambda function • Loads the Pet from DynamoDB • Returns a Pet model /pets/{petId}
  26. 26. Using the caller credentials credentials: arn:aws:iam::*:user/* Using the console Using Swagger
  27. 27. The IAM role defines access permissions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "lambda:InvokeFunction", "execute-api:invoke" ], "Resource": [ "arn:aws:dynamodb:us-east-1:xxxxxx:table/test_pets", "arn:aws:lambda:us-east-1:xxxxx:function:PetStore”, "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/pets" ] } ] } The role allows calls to: • DynamoDB • API Gateway • Lambda The role can access specific resources in these services
  28. 28. One step further: Fine-grained access permissions Internet Client API Gateway AWS Lambda functions Amazon CloudFront DynamoDB CognitoId2 … "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [”${cognito- identity.amazonaws.com:sub}"], "dynamodb:Attributes": [ "UserId","GameTitle","Wins","Losses", "TopScore","TopScoreDateTime” ] }, "StringEqualsIfExists": { "dynamodb:Select": "SPECIFIC_ATTRIBUTES” } } … Executes with this role UserID Wins Losses cognitoId1 3 2 cognitoId2 5 8 cognitoId3 2 3 The credentials and context (Cognito ID) are passed along Both AWS Lambda & DynamoDB will follow the access policy
  29. 29. Authenticated flow in depth Mobile apps AWS Lambda lambdaHandler API Gateway Sigv4 Invoke with caller credentials Service calls are authorized using the IAM role Learn more about fine-grained access permissions http://amzn.to/1YkxcjR DynamoDB
  30. 30. Benefits of using AWS auth & IAM • Separation of concerns – our authorization strategy is delegated to a dedicated service • We have centralized access management to a single set of policies • Roles and credentials can be disabled with a single API call
  31. 31. AWS credentials on the client
  32. 32. 1-click SDK generation from the console
  33. 33. The client SDK declares all methods
  34. 34. The AWSCredentialsProvider We implement the AWSCredentialsProvider interface The refresh() method is called whenever the SDK needs new credentials
  35. 35. Generated SDK benefits The generated client SDK knows how to: • Sign API calls using AWS signature version 4 • Handle-throttled responses with exponential back-off • Marshal and unmarshal requests and responses to model objects
  36. 36. What have we learned? AWS Lambda + Amazon API Gateway mean no infrastructure to manage – we scale for you Download the example from the AWSLabs GitHub account https://github.com/awslabs/api-gateway-secure-pet-store Security is important, and complex – make the most of AWS Identity and Access Management Swagger import and client SDK – we can automate most workflows
  37. 37. Questions?
  38. 38. Remember to complete your evaluations!
  39. 39. Thank you! Download the example from the AWSLabs GitHub Account https://github.com/awslabs/api-gateway-secure-pet-store
  40. 40. Related Sessions CMP302 – Amazon EC2 Container Service: Distributed Applications at Scale Deepak Singh – 10/8, 2:45 PM – 3:45 PM – Venetian H CMP301 – AWS Lambda and the Serverless Cloud Tim Wagner – 10/8, 4:15 PM – 5:15 PM – Venetian H ARC309 – From Monolithic to Microservices: Evolving Architecture Patterns in the Cloud Derek Chiles – 10/8, 4:15 PM – 5:15 PM – Palazzo N