API gateway how to pass AWS IAM authorization from rest client
Question
I am trying to test an authenticated API gateway endpoint from a rest client. How do I generate/set the "AWS_IAM" authorization headers when making the request?
Recommended answer
You can use Cognito with a "public" pool id, then attach a role to the Cognito pool id, the role being the one accessing your API GATEWAY
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'REGION:YOUR_POOL_ID',
});
Use AWS STS to get temporary credentials with limited privileges. After that you can use API Gateway with AWS_IAM authentication.
The generated SDK accepts AMI credentials; you have to initiate the client with the ones you got from STS:
var apigClient = apigClientFactory.newClient({
    accessKey: 'ACCESS_KEY',
    secretKey: 'SECRET_KEY',
    sessionToken: 'SESSION_TOKEN', // OPTIONAL: If you are using temporary credentials you must include the session token
    region: 'eu-west-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});
NB: Put strictly minimum roles on your pool; that is a publicly available id, everybody can use it to get a temporary or a fixed (to track users across devices) user_/app_ id.
Update April 2016: For Christine's comment: Documentation on how to use STS.
TL;DR: Basically, after your identity provider calls you back (Google, in my case), you will have a token (OpenID, in my case); just feed it to STS:
AWS.config.credentials = new AWS.WebIdentityCredentials({
    RoleArn: 'arn:aws:iam::<AWS_ACCOUNT_ID>:role/<WEB_IDENTITY_ROLE_NAME>',
    ProviderId: 'graph.facebook.com|www.amazon.com', // Omit this for Google
    WebIdentityToken: ACCESS_TOKEN
});