{"id":2277,"date":"2016-10-26T14:05:28","date_gmt":"2016-10-26T21:05:28","guid":{"rendered":"http:\/\/briantroy.com\/?p=2277"},"modified":"2025-01-03T04:41:20","modified_gmt":"2025-01-03T04:41:20","slug":"series-part-4-serverless-architecture-a-practical-implementation-securing-a-serverless-rest-api","status":"publish","type":"post","link":"https:\/\/blogarchive.briantroy.com\/index.php\/2016\/10\/26\/series-part-4-serverless-architecture-a-practical-implementation-securing-a-serverless-rest-api\/","title":{"rendered":"Series – Part 4: Serverless Architecture – a practical implementation: Securing a Serverless REST API"},"content":{"rendered":"

In part three of the series<\/a> I discussed creating a serverless REST API – using Lambda and API Gateway – to serve the collected IoT data from the security camera devices.<\/p>\n

In this post I will cover securing the REST API.<\/p>\n

<\/p>\n

As a review, the image below provides an overview of the serverless web application that will be implemented using this REST API:<\/p>\n

\"serverless-app-arch-001\"<\/p>\n

Securing the REST API<\/h1>\n

The API we created in part three needs to be secured to ensure that the videos – and the metadata about those videos – is inaccessible to API users who haven’t been granted access. As importantly, I didn’t want to inject a server to manage user accounts and rights, nor did I want to take on managing another set of user accounts.<\/p>\n

The solution: Google Authentication API<\/a><\/p>\n

I won’t go into significant detail in this post (I will, however, in the next) about implementing the configuration and javascript to authenticate a user with Google and obtain a user token – but suffice it to say once we have the token we can pass it to the REST API and use that to allow\/disallow access.<\/p>\n

Note: I did look at Cognito<\/a>, but it seemed like overkill for my purposes.<\/p>\n

Creating a API Gateway\u00a0Custom Authenticator<\/h2>\n

This is a relatively straightforward process since we will be using a Lambda function as our custom authenticator. So, step one is the creation of another Lambda function using this code from GitHub<\/a>.<\/p>\n

Custom Authenticator Functionality<\/h3>\n

The custom authenticator does 3 things. First it gets the token sent by the client and makes a HTTP request to google to validate the token and get the user’s information:<\/p>\n

    # Get the user info from Google for the recieved token...\n    id_token = event['authorizationToken']\n    google_token_helper_uri = \"https:\/\/www.googleapis.com\/oauth2\/v3\/tokeninfo?id_token=\" + id_token\n\n    result = json.loads(urllib2.urlopen(google_token_helper_uri).read())\n\n    domain = result['hd']\n    user = result['sub']\n    effect = 'Deny'\n<\/pre>\n
It also sets the default effect to “Deny” – meaning the user will not be allowed access.<\/p>\n
The second thing it does is compare some of the user information to a whitelist. In my case I’m granting access to everyone in the\u00a0brianandkelly.ws<\/em> domain.<\/p>\n
    allowed_domain = \"brianandkelly.ws\"\n    if domain == allowed_domain:\n        effect = 'Allow'\n<\/pre>\n
This is very simple<\/em>. This can easily be extended to have a more complex whitelist – including a dynamic one stored in DynamoDB, ActiveDirectory, OpenLDAP or any other backing store.<\/p>\n
Third, the authenticator constructs an IAM Policy which either allows or denies access – based on the value of the effect <\/em>variable – and returns that policy to API Gateway:<\/em><\/p>\n
    respond = {\n        \"principalId\": user,\n        \"policyDocument\": {\n            \"Version\": \"2012-10-17\",\n            \"Statement\": [\n                {\n                    \"Action\": \"execute-api:Invoke\",\n                    \"Effect\": effect,\n                    \"Resource\": \"arn:aws:execute-api:us-east-1:*:!!your api info!!*\"\n                }\n            ]\n        }\n    }\n\n    return respond\n<\/pre>\n
In the script itself you’ll need to replace !!your api info!!<\/em> with information from the heading of the API Gateway screen:<\/p>\n
\"screen-shot-2016-10-25-at-6-36-33-pm\"<\/p>\n
The format is:<\/p>\n
part in parenthesis\/api name - part before parenthisis<\/pre>\n
in my\u00a0case:<\/p>\n
\"Resource\": \"arn:aws:execute-api:us-east-1:*:7k8o0sgjli\/securityvideos\/*\"<\/pre>\n
I won’t go into detail about creating this function (we’ve done several in the series) but here is how mine looks fully configured:<\/p>\n
\"screen-shot-2016-10-25-at-6-21-58-pm\"
Authenticator Lambda Function<\/figcaption><\/figure>\n
Using the existing IAM role we created for the other REST API Lambda Functions will work fine.<\/p>\n
You should note that this Lambda Function has no Trigger – since it will be called by API Gateway once we apply the lambda function as a custom authorizer.<\/p>\n
Applying the Custom Authenticator to your REST API<\/h3>\n
The first step is to tell API Gateway to use the Lambda Function as an Authorizer. Click on Authorizers under the API:<\/p>\n
\"Screen
Adding Authorizer<\/figcaption><\/figure>\n
Now select “Create” on the right and select “Custom Authorizer”<\/p>\n
\"Screen
Custom Authorizer<\/figcaption><\/figure>\n
In the “Update Custom Authorizer” screen select the region your Lambda function is deployed in, the name of the function\u00a0and give the authorizer a name.<\/p>\n
You can leave the default\u00a0method.request.header.Authorization<\/em> value in the “Identity token source” field. We will discuss how to set the header in the next post in this series. I strongly recommend that you set “Result TTL in seconds” to a value\u00a0no less than 300.<\/em> This is \u00a0important for both the performance of your API and to avoid sending excessive requests to Google.<\/p>\n
\"Screen
Authorizer Configuration<\/figcaption><\/figure>\n
Finally, you will need to apply the authenticator to all the active methods of your API (or at least the ones you want secure):<\/p>\n
\"Screen
Auth setting for a GET Method<\/figcaption><\/figure>\n
You can do that by clicking on “Method Request” and setting the authenticator as follows:<\/p>\n
\"Screen<\/p>\n
NOTE: You should NOT apply the authenticator to the OPTIONS method. That method is used for CORS and should not be secured.<\/p>\n
Deploying the REST API<\/h1>\n
Once you’ve done that for all the resources you can deploy your API – which will make it available. API Gateway uses “Stage” to denote various types of deployments for your API. You can use these stages to have separate DEV\/QA and production stages for your API.<\/p>\n
To deploy your API select the root of the resource tree and select “Actions” -> “Deploy API”:<\/p>\n
\"screen-shot-2016-10-25-at-6-56-45-pm\"
API Deployment<\/figcaption><\/figure>\n
In the “Deploy API” dialog select “[New Stage]”:<\/p>\n
\"screenshot-2016-10-26-13-08-21\"
New Stage from Deploy<\/figcaption><\/figure>\n
You can then give your stage a name (note: this will appear in the URI), description and a deployment description:<\/p>\n
\"screenshot-2016-10-26-13-08-45\"
Creating Deploy Stage & Deploying API<\/figcaption><\/figure>\n
Pressing the “Deploy” button completes the process. You should see a stage editor similar to the following:<\/p>\n
\"screenshot-2016-10-26-13-16-29\"
Deployment Stage Editor<\/figcaption><\/figure>\n
I strongly recommend you tick the boxes for “Enable CloudWatch Logs” and “Enable Detailed CloudWatch Metrics” at the beginning as this will make the logging to CloudWatch verbose enough for you to troubleshoot any issues that arise.<\/p>\n
At the top of the stage editor you will find the URI to your new API. You should visit this URI and make sure you are denied access!<\/p>\n
Last, but not least, you can test your new API using Postman or Swagger by exporting the API in those formats on the “Export” tab:<\/p>\n
\"screenshot-2016-10-26-13-16-29\"
Exporting Swagger or Postman API Specification<\/figcaption><\/figure>\n
AWS provides some helpful documentation for testing your API with Postman here<\/a>. In order to access the API and test it with Postman you’ll need a valid google account and a way to get a valid id_token. This will be discussed in detail in part five of this series when we implement the web application using this API. That being said, if you’d like to jump ahead check out the google documentation<\/a> and my GitHub repository containing the web application code<\/a> (the most interesting bit for getting a google id_token is found in init.js<\/a>).<\/p>\n
Summary<\/h1>\n
We now have fully secured and deployed the REST API created in part three\u00a0of the series<\/a>. In part five of the series we will discuss the application built over this API and how to deploy that application serverless.<\/p>\n","protected":false},"excerpt":{"rendered":"
In part three of the series I discussed creating a serverless REST API – using Lambda and API Gateway – to serve the collected IoT data from the security camera devices. In this post I will cover securing the REST API.<\/p>\n","protected":false},"author":1,"featured_media":1744,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,11,18,19,28],"tags":[236,249],"_links":{"self":[{"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/posts\/2277"}],"collection":[{"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/comments?post=2277"}],"version-history":[{"count":2,"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/posts\/2277\/revisions"}],"predecessor-version":[{"id":3326,"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/posts\/2277\/revisions\/3326"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/media\/1744"}],"wp:attachment":[{"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/media?parent=2277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/categories?post=2277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogarchive.briantroy.com\/index.php\/wp-json\/wp\/v2\/tags?post=2277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}