How to create a presigned URL for an AWS Gateway API


Problem description


I have seen pre-signed URLs for S3 objects. Is it possible to create a pre-signed URL for API Gateway? I have gone through the documentation. I am using .NET. I would like to know if there is a .NET library available to create a pre-signed request for a gateway API.


ISSUE
I have a GET API something like this https://xxxxxx.execute-api.us-east-1.amazonaws.com/dev/pets?type=dog&page=1 and our client is going to invoke that API once in a while. The legacy tool that they are using only supports GET. So I wanted to create a pre-signed URL (with a short expiry time) and give it to them when they ask for it. For each client I already have an IAM user with their respective access key and secret key.

Answer


PreSigned URLs are typically signed with AWS SigV4 signing process.


You can generate SigV4 signed URLs for your API Gateway hosted endpoints. Typically, you will need to send the SigV4 signature in the Authorization request header. If your clients are willing to send a header, here is one sample library you can try for .NET which creates an HTTP request with a signed header.


If your clients cannot send an Authorization header or cannot use the above library, then you can convert the signature to the query string format and provide the pre-signed URLs to them.

This AWS documentation has an example in Python on how to generate a query string URL. Now, you can take the Python example and convert it into .NET-based code with the following sample.

using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// _access_key, _secret_key, algorithm, Hash, HmacSHA256, GetSignatureKey and ToHexString
// come from the GitHub library referred to below; they are spelled out here so the method compiles on its own.
public class ApiGatewayPresigner
{
    private const string algorithm = "AWS4-HMAC-SHA256";
    private readonly string _access_key;
    private readonly string _secret_key;

    public ApiGatewayPresigner(string accessKey, string secretKey)
    {
        _access_key = accessKey;
        _secret_key = secretKey;
    }

    public string GetSig4QueryString(string host, string service, string region)
    {
        var t = DateTimeOffset.UtcNow;
        // 'T' and 'Z' are quoted so they are emitted literally (ISO 8601 basic format).
        var amzdate = t.ToString("yyyyMMdd'T'HHmmss'Z'");
        var datestamp = t.ToString("yyyyMMdd");

        var canonical_uri = "/dev/myApigNodeJS"; // hard-coded here; use your own absolute API path
        var canonical_headers = "host:" + host + "\n";
        var signed_headers = "host";
        var credential_scope = $"{datestamp}/{region}/{service}/aws4_request";

        // Parameters must be in sorted order; X-Amz-Signature is appended last and is not itself signed.
        var canonical_querystring = "X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=" + WebUtility.UrlEncode(_access_key + "/" + credential_scope)
        + "&X-Amz-Date=" + amzdate + "&X-Amz-SignedHeaders=" + signed_headers;

        Console.WriteLine("canonical_querystring");
        Console.WriteLine(canonical_querystring);

        var payload_hash = Hash(new byte[0]); // No payload for GET
        var canonical_request = new StringBuilder();
        canonical_request.Append("GET\n");
        canonical_request.Append(canonical_uri + "\n");
        canonical_request.Append(canonical_querystring + "\n");
        canonical_request.Append(canonical_headers + "\n");
        canonical_request.Append(signed_headers + "\n");
        canonical_request.Append(payload_hash);

        Console.WriteLine("canonical_request");
        Console.WriteLine(canonical_request);

        var string_to_sign = $"{algorithm}\n{amzdate}\n{credential_scope}\n" + Hash(Encoding.UTF8.GetBytes(canonical_request.ToString()));

        Console.WriteLine("string_to_sign");
        Console.WriteLine(string_to_sign);

        var signing_key = GetSignatureKey(_secret_key, datestamp, region, service);
        var signature = ToHexString(HmacSHA256(signing_key, string_to_sign));

        var signed_querystring = canonical_querystring + "&X-Amz-Signature=" + signature;

        return signed_querystring;
    }

    private static byte[] HmacSHA256(byte[] key, string data)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // SigV4 signing key: HMAC("AWS4" + secret, date) -> region -> service -> "aws4_request"
    private static byte[] GetSignatureKey(string key, string dateStamp, string regionName, string serviceName)
    {
        var kDate = HmacSHA256(Encoding.UTF8.GetBytes("AWS4" + key), dateStamp);
        var kRegion = HmacSHA256(kDate, regionName);
        var kService = HmacSHA256(kRegion, serviceName);
        return HmacSHA256(kService, "aws4_request");
    }

    private static string Hash(byte[] bytes)
    {
        using (var sha256 = SHA256.Create())
            return ToHexString(sha256.ComputeHash(bytes));
    }

    private static string ToHexString(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }
}

new ApiGatewayPresigner("AKIAIOSFODNN7EXAMPLE", "<your-secret-key>").GetSig4QueryString("myApiId.execute-api.us-east-1.amazonaws.com", "execute-api", "us-east-1");
//Returned String --> X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20190104%2Fus-east-1%2Fexecute-api%2Faws4_request&X-Amz-Date=20190104T190309Z&X-Amz-SignedHeaders=host&X-Amz-Signature=7b830fce28f7800b3879a25850950f6c4247dfdc07775b6952295fa2fff03f7f

The full endpoint becomes -

https://myApiId.execute-api.us-east-1.amazonaws.com/dev/myApigNodeJS?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20190104%2Fus-east-1%2Fexecute-api%2Faws4_request&X-Amz-Date=20190104T190309Z&X-Amz-SignedHeaders=host&X-Amz-Signature=7b830fce28f7800b3879a25850950f6c4247dfdc07775b6952295fa2fff03f7f

Note -

  1. This example code refers to methods & variables from the Github project I gave above.
  2. Also, this example hard-codes the API path /dev/myApigNodeJS and signs it; it will be different for you with your full absolute path.
  3. AWS recommends signing all query strings and headers which you are planning to send in the request. Go through the .NET code of the library I referred to and understand how it's doing that.


Let me know if you have questions.
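The query-string signing described in the answer, written out in Python (the language of the AWS documentation example it points to) as an added example that is not the answer's code or its linked library: it also signs the asker's own query parameters (type=dog&page=1) as note 3 recommends, adds the short expiry via X-Amz-Expires, and includes a verifier that recomputes the signature and enforces the expiry the way the service side does. It assumes the canonical URI needs no further encoding; the host, keys and timestamps used with it are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"

def canonical_query(params):
    # SigV4 canonical query string: RFC 3986 encoding, parameters sorted by name.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))

def signature(host, path, params, secret_key, region, service):
    # params must already hold every X-Amz-* field except X-Amz-Signature.
    amzdate = params["X-Amz-Date"]
    scope = f"{amzdate[:8]}/{region}/{service}/aws4_request"
    canonical_request = "\n".join(["GET", path, canonical_query(params),
                                   f"host:{host}\n", "host",           # canonical headers, signed headers
                                   hashlib.sha256(b"").hexdigest()])   # empty payload for GET
    string_to_sign = "\n".join([ALGORITHM, amzdate, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (amzdate[:8], region, service, "aws4_request"):  # derive the signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(url, access_key, secret_key, region, now, expires=300, service="execute-api"):
    # The caller's own query parameters (type, page, ...) are signed along with the X-Amz-* ones.
    p = urlsplit(url)
    params = dict(parse_qsl(p.query, keep_blank_values=True))
    datestamp = now.strftime("%Y%m%d")
    params.update({"X-Amz-Algorithm": ALGORITHM,
                   "X-Amz-Credential": f"{access_key}/{datestamp}/{region}/{service}/aws4_request",
                   "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
                   "X-Amz-Expires": str(expires),
                   "X-Amz-SignedHeaders": "host"})
    sig = signature(p.netloc, p.path, params, secret_key, region, service)
    return f"{p.scheme}://{p.netloc}{p.path}?{canonical_query(params)}&X-Amz-Signature={sig}"

def verify_presigned_get(url, secret_key, now):
    # Recompute the signature and enforce X-Amz-Expires, as the service side does.
    p = urlsplit(url)
    params = dict(parse_qsl(p.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    region, service = params["X-Amz-Credential"].split("/")[2:4]
    issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > issued + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False
    expected = signature(p.netloc, p.path, params, secret_key, region, service)
    return hmac.compare_digest(presented, expected)
```

Any change to a signed parameter, the secret, or a request after the expiry window makes the verifier reject the URL, which is the property the short-lived pre-signed link relies on.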
