API gateway how to pass AWS IAM authorization from rest client

Problem description

I am trying to test an authenticated API Gateway endpoint from a REST client. How do I generate/set the "AWS_IAM" authorization headers when making the request?

Recommended answer

You can use Cognito with a "public" pool id, then attach a role to the Cognito pool id, the role being the one accessing your API Gateway:

// Unauthenticated (guest) Cognito identity; it is exchanged for temporary AWS credentials
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'REGION:YOUR_POOL_ID',
});

Use AWS STS to get temporary credentials with limited privileges. After that you can use API Gateway with AWS_IAM authentication.

The generated SDK accepts AMI credentials; you have to initiate the client with the ones you got from STS:

var apigClient = apigClientFactory.newClient({
    accessKey: 'ACCESS_KEY',
    secretKey: 'SECRET_KEY',
    sessionToken: 'SESSION_TOKEN', //OPTIONAL: If you are using temporary credentials you must include the session token
    region: 'eu-west-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});

NB: Put strictly minimal roles on your pool; that is a publicly available id, and everybody can use it to get a temporary or a fixed (to track users across devices) user_/app_ id.

Update April 2016: For Christine's comment: documentation on how to use STS.

TL;DR: Basically, after your identity provider calls you back (Google, in my case), you will have a token (OpenID, in my case); just feed it to STS:

AWS.config.credentials = new AWS.WebIdentityCredentials({
  RoleArn: 'arn:aws:iam::<AWS_ACCOUNT_ID>:role/<WEB_IDENTITY_ROLE_NAME>',
  ProviderId: 'graph.facebook.com|www.amazon.com', // Omit this for Google
  WebIdentityToken: ACCESS_TOKEN
});
