API gateway how to pass AWS IAM authorization from rest client

一曲冷凌霜 submitted on 2019-12-08 15:44:59

Question


I am trying to test an authenticated API Gateway endpoint from a REST client. How do I generate/set the "AWS_IAM" authorization headers when making the request?


Answer 1:


You can use Cognito with a "public" pool id, then attach a role to the Cognito pool id, the role being the one accessing your API Gateway.

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'REGION:YOUR_POOL_ID',
});

Use AWS STS to get temporary credentials with limited privileges. After that you can use API Gateway with AWS_IAM authentication

The generated SDK accepts IAM credentials; you have to initiate the client with the ones you got from STS:

var apigClient = apigClientFactory.newClient({
    accessKey: 'ACCESS_KEY',
    secretKey: 'SECRET_KEY',
    sessionToken: 'SESSION_TOKEN', //OPTIONAL: If you are using temporary credentials you must include the session token
    region: 'eu-west-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});

NB: Put strictly minimum roles on your pool, as that is a publicly available id; everybody can use it to get a temporary or a fixed (to track users across devices) user_/app_ id.

Update April 2016: For Christine's comment: Documentation on how to use STS.

TL;DR: Basically after your Identity provider calls you back (Google, in my case), you will have a Token (OpenID, in my case), just feed it to STS:

AWS.config.credentials = new AWS.WebIdentityCredentials({
  RoleArn: 'arn:aws:iam::<AWS_ACCOUNT_ID>:role/<WEB_IDENTITY_ROLE_NAME>',
  ProviderId: 'graph.facebook.com|www.amazon.com', // Omit this for Google
  WebIdentityToken: ACCESS_TOKEN
});



Answer 2:


You'd have to replicate API Gateway AWS v4 request signature logic to be able to do that. Ideally you should look at the generated JavaScript/Java SDK for your API to get an idea of how these request signatures get calculated. I suggest you turn the authentication off for your testing requests.



Source: https://stackoverflow.com/questions/32833331/api-gateway-how-to-pass-aws-iam-authorization-from-rest-client
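
The request-signature logic the second answer refers to is AWS Signature Version 4. As an added example (not part of either answer and not the generated SDK's code), this Node.js function builds the signed headers a REST client would send to an `AWS_IAM`-protected endpoint. The name `signRequest`, the API host and the credential strings are placeholders, and path segments are assumed to contain only unreserved characters.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();
// SigV4 wants RFC 3986 encoding; encodeURIComponent leaves !'()* unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signs one request. amzDate is UTC in the form YYYYMMDDTHHMMSSZ.
// Assumes path segments hold only unreserved characters (no double-encoding step).
function signRequest({ method, url, body = '', accessKey, secretKey, sessionToken,
  region, service = 'execute-api', amzDate }) {
  const u = new URL(url);
  const date = amzDate.slice(0, 8);
  const headers = { host: u.host, 'x-amz-date': amzDate };
  // Temporary credentials (STS, Cognito): the session token is sent and signed too.
  if (sessionToken) headers['x-amz-security-token'] = sessionToken;

  // Step 1: canonical request (method, path, sorted query, sorted headers, body hash).
  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${headers[n].trim()}\n`).join('');
  const signedHeaders = names.join(';');
  const query = [...u.searchParams].map(([k, v]) => [enc(k), enc(v)])
    .sort((p, q) => cmp(p[0], q[0]) || cmp(p[1], q[1]))
    .map((p) => p.join('=')).join('&');
  const canonicalRequest = [method.toUpperCase(), u.pathname, query,
    canonicalHeaders, signedHeaders, sha256(body)].join('\n');

  // Step 2: string to sign, bound to the date/region/service scope.
  const scope = `${date}/${region}/${service}/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope,
    sha256(canonicalRequest)].join('\n');

  // Step 3: derive the signing key by chained HMACs, then sign.
  let key = 'AWS4' + secretKey;
  for (const part of [date, region, service, 'aws4_request']) key = hmac(key, part);
  const signature = hmac(key, stringToSign).toString('hex');

  headers.authorization = `AWS4-HMAC-SHA256 Credential=${accessKey}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { headers, signature };
}

// Constructed sample call: placeholder keys and a hypothetical API id and stage.
const demo = signRequest({ method: 'GET', amzDate: '20191208T154459Z',
  url: 'https://abc123.execute-api.eu-west-1.amazonaws.com/prod/pets?limit=5',
  accessKey: 'ACCESS_KEY', secretKey: 'SECRET_KEY', sessionToken: 'SESSION_TOKEN',
  region: 'eu-west-1' });
console.log(demo.headers);
```

Copy the returned headers into the REST client as they are; the signature covers the exact method, path, query string, body and timestamp, so changing any of them means signing again.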
