#datomic
2022-02-04
neilprosser 11:02:56

I had a search in this channel but couldn't find anything which looked like it matched. Does anyone know the answer to this question: https://ask.datomic.com/index.php/651/authenticate-authorize-access-gateway-endpoints-datomic? We're successfully using IAM Authorizers against our Ion Gateway APIs in Cloud, but I've hit the same problem trying to do the same thing for a Client API Gateway.

neilprosser 15:02:08

So when the Client and Ion API Gateways have just been created, they're open to the world on the execute-api URL. I've added an IAM authorizer to the API Gateway and then had to start signing my requests, which we're making via an HTTP client from Google Cloud. I tried the same thing on a Client Gateway and I get a 403 while the client is attempting to retrieve the S3 auth details (judging by the stack trace). Should I not have to do that?

neilprosser 15:02:15

Have I just made things more difficult for myself by adding the IAM authorizer to the Client API Gateway, and is everything secure without it?

Jarrod Taylor (Clojure team) 18:02:21

Could you provide more details about what you are concerned about being open to the world?

neilprosser 19:02:45

I just switched ClientApi to yes in a query group. If I curl ClientApiGatewayEndpoint (taken from the CloudFormation outputs) straight after creation of the Client API Gateway, I can see {:s3-auth-path "system-blahblahblah"}. If I switch on an IAM Authorizer I see {"message":"Forbidden"} via curl, which makes sense since I'm not signing the request. However, at this point, using the Client API from the library, I go from being able to get a client locally using my AWS creds in environment variables to getting a 403 (stacktrace points to datomic.client.impl.cloud$get_s3_auth_path.invokeStatic (cloud.clj:179)). My concern was that before the IAM Authorizer was switched on, that root path on the Client API Gateway is open. I just wanted to confirm that we don't need the IAM Authorizer and it's fine because that first resource is publicly available but subsequent requests are using my credentials.

neilprosser 19:02:47

Since I have no idea about the other paths the client is querying, I took it that the root path being open meant everything else was open. We've been using Ions via API Gateway and, after upgrading to 884, had to add IAM Authorizers to those to prevent them being unauthenticated, which looks like it was the default state.

Jarrod Taylor (Clojure team) 02:02:29

As the docs say, "All Client API requests to Datomic Cloud use SSL, and authenticate via AWS HMAC-SHA256 signatures," so no additional auth is required for the client. The ion gateway is the part that is up to you. No decisions have been made for you there and you can configure authentication (or not) for what you build and deploy there as needed. I wrote a post, http://www.jarrodctaylor.com/posts/Cognito-Authentication-For-Datomic-Cloud/, covering some ways of accomplishing that.

neilprosser 09:02:59

Thanks for confirming. Maybe it makes sense to post something official as an answer to that question I linked at the top, if two people have independently gone down the same unnecessary path.
