16

What does AWS_IAM mean as the Authorization model in Amazon API Gateway?

[screenshot]

If I test the Lambda inside the AWS console it works and prints "Hello World", but if I use the endpoint URL and open it in another browser tab it says {"message":"Missing Authentication Token"}. How can I get this authentication token?

I159
BAD_SEED

3 Answers

18

Create a new IAM user

Go to AWS IAM and create a new user with programmatic access for accessing your API Gateway. Then attach a policy with enough permissions (AmazonAPIGatewayInvokeFullAccess) to the user/group to be able to access your API Gateway endpoint. Once you get through all the steps, you will be presented with a key/secret for your new user.

Make an API request with AWS Signature using Postman

Now, to simplify things, install Postman and then use the Authorization tab in your request page, to select AWS Signature:

[screenshot: Postman Authorization tab with AWS Signature selected]

Fill in AccessKey / SecretKey for your new user, AWS Region in which you operate (e.g., us-west-1) and click the Update Request button. At that point Postman will fill in the necessary Headers for your request and you can make authorized requests to your API Gateway.

Eddy
Jacek M
  • Thanks, I had hoped that this solution would integrate with OpenID Connect. I need to search for another solution :) – BAD_SEED Jun 07 '17 at 10:56
  • For that you should look into a custom authorizer Lambda function. Your function can then authenticate against any 3rd-party you want, then results can be cached for a desired amount of time in your API Gateway. – Jacek M Jun 07 '17 at 11:31
  • So I can't do this with Enhanced (simplified) workflow? http://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html – BAD_SEED Jun 07 '17 at 11:37
  • How to implement the same on a static webpage instead of using Postman? – Vikas NS Oct 03 '18 at 18:43
  • A static website can't use AWS secrets. You want to use JWT tokens from some identity provider (such as Auth0) that the user receives in exchange for their login/password. JWT tokens sent from the user's browser to your gateway will then be validated by a Custom Authorizer for your API Gateway. Such an Authorizer will then be a simple Lambda function that validates the token for you and lets user requests into your gateway. – Jacek M Oct 04 '18 at 10:40
  • This is not working for me. I'm getting the error: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. – Vedsar Kushwaha Sep 24 '20 at 05:27
9

Repeating my answer from our forums:

AWS_IAM authentication means you must sign requests using AWS Signature Version 4 and AWS credentials. More details on Signature Version 4 here.

You may want to look at a tool like Postman to generate signatures for testing.

Bob Kinney
  • Thanks. In this way I always need an access key and secret, and there is no way to include OpenID Connect to authenticate. Am I right? Should a custom authorizer do the job? – BAD_SEED Jun 07 '17 at 06:20
  • Correct. You can use a custom authorizer to support alternative authentication methods. – Bob Kinney Jun 07 '17 at 16:15
  • @BobKinney: How can I get the authorizer context data using AWS_IAM authentication? It gives me a blank value. I am using a Lambda function in API Gateway, but with the AWS_IAM role I am not getting any value. Can you please give your feedback on this? – prakash tank Aug 28 '18 at 09:20
  • @Bob Kinney How to implement the same on a static webpage instead of using Postman? – Vikas NS Oct 03 '18 at 18:42
0

To get the authentication token for cross-account permission, I will assume that you have a role to assume; otherwise you can view this tutorial on how it works and how to get one.

In the tutorial above you can see an "assume role" step which has this command:

aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session

The response of this command will be similar to:

{
    "AssumedRoleUser": {
        "AssumedRoleId": "asdfa:AWSCLI-Session",
        "Arn": "something"
    },
    "Credentials": {
        "SecretAccessKey": "key",
        "SessionToken": "token",
        "AccessKeyId": "key"
    }
}

As shown in the @jaccus answer, you can use the following values and send the request via Postman:

  • SecretAccessKey
  • SessionToken
  • AccessKeyId
Kartik
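The three answers above describe the same mechanism from different angles: AWS_IAM on a method means the request must carry a Signature Version 4 signature computed from an access key and secret (Postman's "AWS Signature" option does this for you), and if the credentials are temporary ones from sts assume-role the session token must be sent as well. The following Python script is an added example, not code from any of the answers' authors or from AWS; it implements the SigV4 steps with only the standard library so the shape of the Authorization header, the X-Amz-Date header and the optional X-Amz-Security-Token header can be seen directly. The API id, stage, keys and token values are constructed placeholders, and the service-side check (signature_matches) is included to show why a modified URL, a wrong secret or a mismatched signing method produces the "signature we calculated does not match" error quoted in the comments.

```python
"""
Minimal AWS Signature Version 4 signer for an API Gateway invoke URL.
Example code added for this page; not from the answers' authors or from AWS.
Assumes a stage URL of the form https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<path>.
Every credential value in this file is a constructed placeholder.
"""
import datetime as dt
import hashlib
import hmac
import urllib.parse

SERVICE = "execute-api"  # service name in the credential scope for API Gateway invoke URLs


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: the long-lived secret never goes on the wire, only a per-day derived key is used."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def build_canonical_request(method, url, amz_date, body=b"", session_token=None):
    """Return (canonical request string, lowercase headers that are signed, SignedHeaders value)."""
    parts = urllib.parse.urlsplit(url)
    host = parts.netloc.lower()
    path = urllib.parse.quote(parts.path or "/", safe="/")
    # Canonical query string: parameters sorted by name, RFC 3986 encoded
    pairs = sorted(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}" for k, v in pairs
    )
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (e.g. from sts assume-role) carry a session token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body).hexdigest()  # empty body for a plain GET
    canonical = "\n".join([method.upper(), path, query, canonical_headers, signed_headers, payload_hash])
    return canonical, headers, signed_headers


def compute_signature(method, url, secret_key, region, amz_date, body=b"", session_token=None):
    """Hex signature over the string-to-sign; returns (signature, credential scope, SignedHeaders value)."""
    date_stamp = amz_date[:8]
    canonical, _, signed_headers = build_canonical_request(method, url, amz_date, body, session_token)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode("utf-8")).hexdigest()]
    )
    key = derive_signing_key(secret_key, date_stamp, region)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signature, scope, signed_headers


def sign_request(method, url, access_key, secret_key, region, amz_date=None, body=b"", session_token=None):
    """The headers Postman's 'AWS Signature' option adds: Host, X-Amz-Date, Authorization (+ session token)."""
    if amz_date is None:
        amz_date = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    signature, scope, signed_headers = compute_signature(
        method, url, secret_key, region, amz_date, body, session_token
    )
    headers = {
        "Host": urllib.parse.urlsplit(url).netloc.lower(),
        "X-Amz-Date": amz_date,
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
    }
    if session_token:
        headers["X-Amz-Security-Token"] = session_token
    return headers


def signature_matches(headers, method, url, secret_key, region, body=b""):
    """Service-side view: recompute the signature from the request as received and compare in constant time."""
    sent = headers["Authorization"].split("Signature=")[1]
    token = headers.get("X-Amz-Security-Token")
    expected, _, _ = compute_signature(method, url, secret_key, region, headers["X-Amz-Date"], body, token)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    # Constructed placeholders: not a real API id and not real credentials.
    url = "https://abc123.execute-api.us-west-1.amazonaws.com/prod/hello"
    for name, value in sign_request("GET", url, "AKIAEXAMPLE", "secret-placeholder", "us-west-1").items():
        print(f"{name}: {value}")
```

Two points worth noting when reading the output. First, the signature covers the method, path, query string, the signed headers and the body hash, so a request replayed against a different path or with a changed query string fails verification; this is what the gateway reports as a signature mismatch. Second, when the credentials come from sts assume-role (the third answer), x-amz-security-token is added to the signed headers and sent as X-Amz-Security-Token; without it the gateway cannot resolve the temporary access key. The header names and the canonical-request layout follow the Signature Version 4 specification; the function and variable names are this example's own.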