#aws
2019-10-21
Brian14:10:35

I created two stages in API Gateway. One called "dev" and one called "prod". I am satisfied with how dev is and would like to roll that into prod which seems to me like a very simple/common task but I can't seem to figure out how to do that. 1. Is that possible? 2. Is it best practice?

dmarjenburgh15:10:49

That should just be a matter of deploying the api to the prod stage.

dmarjenburgh15:10:12

Are you using the console for this or something else?

Brian19:10:18

The console @U05469DKJ. I think I understand the flow now though =]

Brian20:10:52

I have a javascript front end which I want to enable to authenticate through Cognito when it hits an endpoint in API Gateway. Should I hard code user credentials into my js in order to get a token and hit our resources? Or is there a different solution for doing server to server authentication? I've looked into server to server authentication but I'm not able to find much on it. If someone had an idea of what is best-practice for this situation I'd really appreciate it!

Joe Lane20:10:34

@brian.rogers Look at aws-amplify. Never hard code your credentials.

Brian20:10:49

@joe.lane This doesn't look a whole lot different to me. I might be missing something but all their examples have to do with users using usernames and passwords. I can't quite see how I might use Amplify to give my js front end access to my back end resources without hard coding a username and password. The use case here is that we want to pull data from our database before a user signs in. So at that point we don't yet have any creds. I was hoping for a way of authenticating with Cognito without a user providing credentials

Joe Lane20:10:12

Should said data in the database be considered safe for public display?

kulminaator20:10:55

whatever your frontend exposes to the enduser should be considered public information

kulminaator20:10:11

no point of putting usernames or passwords there, might just as well drop the auth from the server

Brian20:10:58

I suppose it could be... But there has to be a way to do server-server authentication right? Removing the fact that this is .js and front end from the conversation, if I know a server will always be in our hands and I want that server to pull data from our server in AWS, how should I go about doing that authentication?

kulminaator20:10:15

when you're talking server to server stuff and all your stuff is inside of aws - use instance profile & the credentials that are provided by that, everything else ends up being a worse idea

Brian20:10:20

What if my other server is not running in AWS? Would it not make sense to do that?

kulminaator21:10:20

well then you're either going to have shared credentials or a public-private key pair / certificate stuff (and the latter is definitely the better option, but only if you know what you are doing)

kulminaator21:10:40

whichever you choose - make sure they have a different path of getting to your server than your code does

kulminaator21:10:51

so you can't accidentally commit them into your repo and miss out on it

kulminaator21:10:22

europe says it's late, time to sleep 🙂 read up on how rsa based jwt or ssl client cert auth works (i guess the latter is still not supported on api gw). for a good solution i'd say these are the way to go to secure your things without going custom custom

Brian21:10:37

I've never been able to find a means of authentication with Cognito using keys or certs. Is it called something special? Just a man page or something would be really helpful

kulminaator21:10:55

that being said - i'm working my way towards removing the apigw and web app lambdas from my architecture - just not worth the extra hustle

kulminaator21:10:47

you were talking server to server stuff 🙂 ... but by all the looks cognito is just something oauth-isch for enduser authentications

kulminaator21:10:33

i'm off to sleep, i guess you have to read more to navigate around in the space 🙂

Brian21:10:35

Thanks for your help!!

mj_langford21:10:13

Brian: What's wrong with keys for this situation?

mj_langford21:10:25

I feel like I missed something here

mj_langford21:10:09

Server to server you def auth via cognito

Brian21:10:59

I just haven't been able to find a single page anywhere that talks about actually doing key based authentication with Cognito. I have an apigw endpoint I want to hit and it currently has an authorizer attached to a user pool. And I want a server that is 100% mine to be able to use that endpoint

mj_langford21:10:48

What you're trying to do isn't that uncommon. The Manish Pandit article looks a lot like what we've done a few times.

timcreasy21:10:29

The Identity Pool has an IAM role for authenticated users, which allows access to other resources (in that example putting to an S3 bucket). Can authenticate a user with a user pool (or another identity provider) and then use the identity pool for authentication.

Brian21:10:38

Here they are talking directly to S3. I was hoping to use a web request with API Gateway. Would this still make sense here? It doesn't seem like it would

Brian21:10:48

@mj_langford I'd tried using the lobster server-to-server tutorial but I got errors halfway through that I wasn't sure how to solve. If you are familiar with that tutorial, might you take a look at the error I am getting?

mj_langford21:10:52

I have done this a couple times, happy to look at your error

Brian21:10:22

Firstly let's look at my request to make sure that's ok:

curl -X POST \
  https://<my-domain>. \
  -H "authorization: Basic <4 character base64'd version of '<id>:<secret-id>'>" \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&scope=transactions%2Fpost'
My base 64'd authorization is waaaay shorter than the example but that's what the echo -n 'x:y' | openssl base64 command gives me. When I run that above command, I get {"error":"invalid_client"}

Brian21:10:42

There could be some misconfigured Cognito stuff if that command looks okay

mj_langford21:10:17

invalid client = that client doesn't match.

mj_langford21:10:47

I believe you're not getting a real authorization hash from your client id and secret

mj_langford21:10:58

How long are your x and y in that?