AMAZON API Gateway (1) Feel of API Gateway

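This article walks through, hands-on, how to use Amazon API Gateway to create API resources and methods and to configure request parameter mapping, deployment stages and so on. It also covers the API Gateway limits and the authentication and authorization options, including API Key and Auth0 integration.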

1 Feeling about AMAZON API Gateway
Log in to my Amazon account and go to [Amazon API Gateway]

Create API

Under ROOT of Resource /, Choose [Create Resource]

Type “petstorewalkthrough” for the demo —> [Create Resource]; under “petstorewalkthrough”, create a sub resource named “pets”

Create the third resource under pets, using petid as the name; the path will be /petstorewalkthrough/pets/{petid}

With the resources in place, we need to create the methods on top of them.

Click on /petstorewalkthrough/pets/GET, choose [HTTP Proxy] —> Endpoint URL “http://petstore-demo-endpoint.execute-api.com/petstore/pets”

In the [Method Execution] Panel, choose [Method Request] —> [URL Query String Parameters] —> Add query string

Add query strings “petType” and “petsPage”

[Method Execution] —> [Integration Request] —> [URL Query String Parameters]
type —> method.request.querystring.petType
page —> method.request.querystring.petsPage

Click the Test button in the [Method Execution] panel with petType=cat, petsPage=2

I skip the single GET, POST and other demos; I already understand the idea.

[Deploy API]

Go to the Stages editor page; there is an Invoke URL like https://my-api-id.execute-api.region-id.amazonaws.com/test, and this URL will work:
https://my-api-id.execute-api.region-id.amazonaws.com/test/petstorewalkthrough/pets

Some Limits from AMAZON
https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html

60 APIs maximum per account
60 client certificates per account
300 resources per API
10 stages maximum per API
10-second timeout; this limit cannot be changed.
500 requests per second per account for all the APIs under this account. Bursts of up to 1,000 requests per second.
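
AWS documents API Gateway throttling as a token bucket, so the last limit above can be modelled directly. The following JavaScript is an added example, not code from the original post or from AWS: a simplified bucket that assumes the 500 requests/second figure is the refill rate and the 1,000 burst figure is the bucket capacity, replayed against a constructed traffic pattern (the names TokenBucket and simulate are assumptions).

```javascript
// Simplified model of the account-level throttle: 500 requests/second
// steady rate, burst capacity 1,000. Integer micro-units avoid float drift.
const UNIT = 1e6; // one token, expressed in micro-tokens

class TokenBucket {
  constructor(ratePerSec, burst) {
    this.rate = ratePerSec;       // micro-tokens added per microsecond
    this.capacity = burst * UNIT;
    this.units = this.capacity;   // bucket starts full
    this.last = 0;                // time of last refill, in microseconds
  }
  // True if a request arriving at nowUs is admitted; false models HTTP 429.
  allow(nowUs) {
    const refill = (nowUs - this.last) * this.rate;
    this.units = Math.min(this.capacity, this.units + refill);
    this.last = nowUs;
    if (this.units < UNIT) return false;
    this.units -= UNIT;
    return true;
  }
}

// Replay a load profile: perSecond[i] requests spread evenly over second i.
function simulate(perSecond, rate = 500, burst = 1000) {
  const bucket = new TokenBucket(rate, burst);
  return perSecond.map((n, sec) => {
    let admitted = 0;
    for (let i = 0; i < n; i++) {
      const t = sec * 1e6 + Math.floor((i * 1e6) / n);
      if (bucket.allow(t)) admitted++;
    }
    return { second: sec, sent: n, admitted, throttled: n - admitted };
  });
}

// Constructed traffic: two seconds at 2,000 rps, a quiet gap, another spike.
const report = simulate([2000, 2000, 100, 100, 2000]);
console.log(report);
```

The first spike second is absorbed by the full bucket plus one second of refill, the second one only gets the refill rate, and the two quiet seconds restore only part of the burst capacity before the next spike.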

2 Authentication
API keys are typically appropriate for service-to-service interaction; putting a long-lived secret on a client is risky.
AWS IAM is the solution for clients: SAML and Auth0 SAML, using Auth0 delegation with AWS IAM, and then, as a later step, adding an identity token to flow identity to my service layer.

An API key is simple: choose [Create API Key] and select the API and stages.
http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-api-keys.html

[Method Execution] —> Authorization Settings —> API Key Required

Redeploy that to Stage - Test

I get the response
{
  "message": "Forbidden"
}

If I put x-api-key there, it will work.
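
Because "API Key Required" is set per method, it is worth checking after a redeploy which methods actually enforce it. The following JavaScript is an added example, not code from the original post: it audits a constructed sample shaped like the output of `aws apigateway get-resources --rest-api-id <id> --embed methods` (the function name auditMethods, the level labels and the sample data are assumptions).

```javascript
// Constructed sample in the shape of `get-resources --embed methods` output.
const sampleResources = {
  items: [
    { path: '/' },
    { path: '/petstorewalkthrough' },
    { path: '/petstorewalkthrough/pets', resourceMethods: {
      GET:  { httpMethod: 'GET',  authorizationType: 'NONE',    apiKeyRequired: true },
      POST: { httpMethod: 'POST', authorizationType: 'AWS_IAM', apiKeyRequired: false },
    } },
    { path: '/petstorewalkthrough/pets/{petid}', resourceMethods: {
      GET:  { httpMethod: 'GET',  authorizationType: 'NONE',    apiKeyRequired: false },
    } },
  ],
};

// Classify every method:
//   'open'     - no authorizer and no API key: anyone with the URL can call it
//   'key-only' - protected only by the long-lived x-api-key secret
//   'authz'    - an authorization type other than NONE is configured
function auditMethods(resources) {
  const findings = [];
  for (const res of resources.items || []) {
    for (const [verb, m] of Object.entries(res.resourceMethods || {})) {
      const authType = m.authorizationType || 'NONE';
      const keyed = m.apiKeyRequired === true;
      let level = 'authz';
      if (authType === 'NONE') level = keyed ? 'key-only' : 'open';
      findings.push({ method: `${verb} ${res.path}`, authType, level });
    }
  }
  // Most exposed first, so the report leads with what needs fixing.
  const rank = { open: 0, 'key-only': 1, authz: 2 };
  return findings.sort((a, b) => rank[a.level] - rank[b.level]);
}

for (const f of auditMethods(sampleResources)) {
  console.log(`${f.level.padEnd(8)} ${f.authType.padEnd(8)} ${f.method}`);
}
```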

Auth0
https://auth0.com/docs/integrations/aws-api-gateway/part-2

http://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html

https://auth0.com/

https://auth0.com/docs/integrations/aws

Create my auth0 domain name
sillycat.auth0.com

Log in to Auth0 and choose [NEW APP/API] in the Dashboard —> Create an Application named “AWS API Gateway”

[Settings] —> [Addons] —> Turn On AMAZON WEB SERVICE

https://auth0.com/docs/aws-api-setup

Follow the document and go to the IAM Console https://console.aws.amazon.com/iam/home#home

Identity Providers —> Create Provider
SAML and auth0-provider

Download the metadata file from URL https://sillycat.auth0.com/samlp/metadata/key

Not finished yet because of lack of IAM knowledge.

3 Limit Access
This can be set on the method level or the API level.

4 Cache
Caching can be configured at the method level; we can set up the cache key and TTL.

5 API Gateway with EC2
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-aws-proxy.html

Create the AWS Service Proxy Execution Role
Log in to IAM and choose Policies
https://console.aws.amazon.com/iam/home#policies

Create Policy —> Create Your Own Policy
Policy Name - APIGatewayAWSProxyExecPolicy

Policy Document
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "sns:ListTopics"
      ]
    }
  ]
}

It is not what I want.

6 Authenticate Access to Backend Systems with Client-side SSL
https://aws.amazon.com/about-aws/whats-new/2015/09/authenticate-access-to-your-backend-systems-with-client-side-ssl-certificates-in-amazon-api-gateway/

http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

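var fs = require('fs'), https = require('https');
var options = {
  key: fs.readFileSync('ssl/server.key'), // server key and certificate (placeholder paths)
  cert: fs.readFileSync('ssl/server.crt'),
  ca: fs.readFileSync('ssl/ca.crt'), // trust anchor used to verify client certificates
  requestCert: true,
  rejectUnauthorized: false // unverified clients still connect, so the handler must check
};
https.createServer(options, function (req, res) {
  res.writeHead(req.socket.authorized ? 200 : 401); // refuse requests without a verified client certificate
  res.end();
}).listen(4433); // placeholder port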

NodeJS
http://nategood.com/nodejs-ssl-client-cert-auth-api-rest

Nginx
http://nategood.com/client-side-certificate-authentication-in-ngi

Playframework
https://www.playframework.com/documentation/2.4.3/ConfiguringHttps

http://stackoverflow.com/questions/21220101/ssl-tls-support-in-play-2-2-1

https://github.com/typesafehub/activator-play-tls-example

http://stackoverflow.com/questions/31945955/play-framework-https-sslengineprovider-override

Amazon
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-create-https-ssl-load-balancer.html

References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html

https://auth0.com/docs/integrations/aws-api-gateway

http://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html