AMAZON API Gateway(1)Feel of API Gateway

1 Feeling about AMAZON API Gateway
Log in to my Amazon account and go to [Amazon API Gateway]

Create API

Under ROOT of Resource /, Choose [Create Resource]

Type “petstorewalkthrough” for the demo —> [Create Resource]; under “petstorewalkthrough”, create a sub-resource named “pets”

Create the third resource under pets with the path parameter name petid; the path will be /petstorewalkthrough/pets/{petid}

After all these steps we have the resources; next we need to create the methods on top of them.

Click on /petstorewalkthrough/pets/GET, choose [HTTP Proxy] —> Endpoint URL “http://petstore-demo-endpoint.execute-api.com/petstore/pets”

In the [Method Execution] Panel, choose [Method Request] —> [URL Query String Parameters] —> Add query string

Add the query strings “petType” and “petsPage”

[Method Execution] —> [Integration Request] —> [URL Query String Parameters], mapping the backend names to the method request parameters:
type —> method.request.querystring.petType
page —> method.request.querystring.petsPage

Click the Test button in the [Method Execution] panel and test with petType=cat, petsPage=2

I skip the single GET, POST and other demos; I already understand the idea.

[Deploy API]

Go to the Stages editor page; there is an Invoke URL like https://my-api-id.execute-api.region-id.amazonaws.com/test, and the pets resource is then reachable at
https://my-api-id.execute-api.region-id.amazonaws.com/test/petstorewalkthrough/pets

Some Limits from AMAZON
https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html

60 APIs maximum per account
60 client certificates per account
300 resources per API
10 stages maximum per API
10 second timeout; this limit cannot be changed.
500 requests per second per account for all the APIs under this account, with bursts of up to 1,000 requests per second.

2 Authentication
API keys are typically appropriate for service-to-service interaction; putting a long-lived secret on a client is risky.
AWS IAM is the solution for clients, via SAML and Auth0 SAML: Auth0 delegation with AWS IAM, and then a later step adding an identity token to flow identity to my service layer.

API Key is simple: we click [Create API Key] and select the API and stages.
http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-api-keys.html

[Method Execution] —> Authorization Settings —> API Key Required

Redeploy to the stage Test

I get the response
{
    "message": "Forbidden"
}

If I put x-api-key there, it will work.
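The console steps above (the resources, the HTTP integration to the petstore endpoint, the petType/petsPage query-string mapping) together with the API Key Required setting, written as one importable Swagger definition using the x-amazon-apigateway-integration extension. This is an added example, not part of the original post; the stage basePath /test, the info block and the default integration response are assumptions.

```json
{
  "swagger": "2.0",
  "info": { "title": "petstorewalkthrough", "version": "1.0" },
  "basePath": "/test",
  "schemes": [ "https" ],
  "securityDefinitions": {
    "api_key": { "type": "apiKey", "name": "x-api-key", "in": "header" }
  },
  "paths": {
    "/petstorewalkthrough/pets": {
      "get": {
        "parameters": [
          { "name": "petType",  "in": "query", "type": "string" },
          { "name": "petsPage", "in": "query", "type": "string" }
        ],
        "security": [ { "api_key": [] } ],
        "responses": { "200": { "description": "list of pets" } },
        "x-amazon-apigateway-integration": {
          "type": "http",
          "httpMethod": "GET",
          "uri": "http://petstore-demo-endpoint.execute-api.com/petstore/pets",
          "requestParameters": {
            "integration.request.querystring.type": "method.request.querystring.petType",
            "integration.request.querystring.page": "method.request.querystring.petsPage"
          },
          "responses": { "default": { "statusCode": "200" } }
        }
      }
    },
    "/petstorewalkthrough/pets/{petid}": {
      "get": {
        "parameters": [ { "name": "petid", "in": "path", "required": true, "type": "string" } ],
        "security": [ { "api_key": [] } ],
        "responses": { "200": { "description": "a single pet" } },
        "x-amazon-apigateway-integration": {
          "type": "http",
          "httpMethod": "GET",
          "uri": "http://petstore-demo-endpoint.execute-api.com/petstore/pets/{petid}",
          "requestParameters": { "integration.request.path.petid": "method.request.path.petid" },
          "responses": { "default": { "statusCode": "200" } }
        }
      }
    }
  }
}
```

Import it with aws apigateway import-rest-api --body file://petstore.json and deploy it to the Test stage; because both GET methods carry the api_key security requirement, a call without the x-api-key header returns the same {"message": "Forbidden"} shown above.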

Auth0
https://auth0.com/docs/integrations/aws-api-gateway/part-2

http://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html

https://auth0.com/

https://auth0.com/docs/integrations/aws

Create my auth0 domain name
sillycat.auth0.com

Log in to Auth0 and click [NEW APP/API] in the Dashboard —> create an application named “AWS API Gateway”

[Settings] —> [Addons] —> Turn On AMAZON WEB SERVICE

https://auth0.com/docs/aws-api-setup

Follow the document and go to the IAM Console https://console.aws.amazon.com/iam/home#home

Identity Providers —> Create Provider: choose SAML and name it auth0-provider

Download the metadata file from URL https://sillycat.auth0.com/samlp/metadata/key

Not finished yet because of lack of IAM knowledge.

3 Limit Access
This can be set at the method level or at the API level.

4 Cache
Caching can be enabled at the method level, where we can set up the cache key and the TTL.

5 API Gateway with EC2
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-aws-proxy.html

Create the AWS Service Proxy Execution Role
Log in to IAM and choose Policies
https://console.aws.amazon.com/iam/home#policies

Create Policy —> Create Your Own Policy
Policy Name - APIGatewayAWSProxyExecPolicy

Policy Document
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "sns:ListTopics"
      ]
    }
  ]
}

It is not what I want.

6 Authenticate Access to Backend Systems with Client-side SSL
https://aws.amazon.com/about-aws/whats-new/2015/09/authenticate-access-to-your-backend-systems-with-client-side-ssl-certificates-in-amazon-api-gateway/

http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

var fs = require('fs'), https = require('https');
var options = {
    key:  fs.readFileSync('ssl/server.key'),   // server key and certificate (assumed paths)
    cert: fs.readFileSync('ssl/server.crt'),
    ca:     fs.readFileSync('ssl/ca.crt'),     // CA that issued the client certificates
    requestCert:        true,                  // ask the client for a certificate
    rejectUnauthorized: false                  // keep the connection; check req.client.authorized below
};
https.createServer(options, function (req, res) {
    if (!req.client.authorized) { res.writeHead(401); return res.end('Forbidden'); }
    res.writeHead(200); res.end('OK');
}).listen(443);

NodeJS
http://nategood.com/nodejs-ssl-client-cert-auth-api-rest

Nginx
http://nategood.com/client-side-certificate-authentication-in-ngi

Playframework
https://www.playframework.com/documentation/2.4.3/ConfiguringHttps

http://stackoverflow.com/questions/21220101/ssl-tls-support-in-play-2-2-1

https://github.com/typesafehub/activator-play-tls-example

http://stackoverflow.com/questions/31945955/play-framework-https-sslengineprovider-override

Amazon
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-create-https-ssl-load-balancer.html

References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html

https://auth0.com/docs/integrations/aws-api-gateway

http://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html

Reposted from sillycat.iteye.com/blog/2272129