AWS IAM API访问密钥/密钥授权的云信息帮助
我们目前正在使用API密钥来保护对API网关的访问。然而,我们正在转向具有访问/密钥的IAM模型。我知道swagger不允许我们这样做(我们目前在swagger中设置了api_key以启用api密钥身份验证)。
我已经创建了各种操作所需的策略,如下所示:
SvcAccountPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub 'iam-${EnvTag}'
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'execute-api:Invoke'
Resource:
- !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SomeApi}/*/GET/*'
- !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SomeApi}/*/POST/*'
- !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SomeApi}/*/PUT/*'
- !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SomeApi}/*/DELETE/*'
Users:
- !Ref userSvcAcct
我的lambda函数如下所示。我仍然是云形成的新手,并且希望得到一些关于我可以做些什么来添加lambda授权器的帮助(我相信它会在事件中-
FtpUserMgmtLambda:
Type: AWS::Serverless::Function
Properties:
Description: Lambda handler function for FTP user management
Handler: 'handler.UserManagementHandler::handleRequest'
Runtime: java8
MemorySize: 512
Timeout: 300
FunctionName: !Ref LambdaFunctionName
Role: !GetAtt UserMgmtLambdaRole.Arn
CodeUri:
Bucket: !Ref LambdaCodeS3Bucket
Key: !Ref LambdaCodeFileName
VpcConfig:
SomeConfig stuff here
Environment:
Variables:
dbPort: !Ref UserStoreDbPort
dbUser: !Ref UserStoreDbUserId
dbName: !Ref UserStoreDbName
environment: !Ref EnvTag
basepath: 'somepath'
Events:
ApiPost:
Type: Api
Properties:
RestApiId: !Ref SomeApi
Path: /path
Method: POST
Auth: <<Dont know what to do here! HELP>>
ApiGet:
Type: Api
Properties:
RestApiId: !Ref SomeApi
Path: /path
Method: GET
Auth: *<<Dont know what to do here! HELP>>*
Tags:
Name: !Ref LambdaFunctionName
function: lambda function that manages ftp users
共有1个答案
通过大摇大摆解决了这个问题。示例代码如下:
---
swagger: "2.0"
info:
version: "2017-10-17T17:47:44Z"
title: "User-Mgt-API"
basePath: "/${environment}"
schemes:
- "https"
paths:
/ftpuser:
post:
x-amazon-apigateway-auth:
type: aws_iam
produces:
- "application/json"
responses:
200:
description: "When create user request successful"
schema:
$ref: "#/definitions/Empty"
400:
description: "When API vallidation error happens"
schema:
$ref: "#/definitions/Empty"
x-amazon-apigateway-integration:
responses:
default:
statusCode: "200"
uri:
Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${FtpUserMgmtLambda.Arn}/invocations
passthroughBehavior: "when_no_match"
httpMethod: "POST"
contentHandling: "CONVERT_TO_TEXT"
type: "aws_proxy"
definitions:
Empty:
type: "object"
title: "Empty Schema"
然后在云形式中,将以下内容添加到无服务器 API 定义中以处理 swagger 文件。答案是肯定的
FtpUserMgmtApi:
Type: AWS::Serverless::Api
Properties:
Name: !Ref ApiName
StageName: !Ref ApiDeploymentStageName
DefinitionBody:
Fn::Transform:
Name: AWS::Include
Parameters:
Location: !Sub s3://${swaggerS3Location}
希望这有帮助。在web上还有一个使用x-amazon-apigateway-any-method的示例,我使用该方法得出了上述结果。链接在这里。
-
Object授权 点击Object的属性管理 Object读权限授予某个云密钥帐号 其中Grantee是生成新的云密钥生成的AppID 如果是使用新版生态云,Grantee参考下图(填写"CI"加上用户组ID) 把Object设置为所有人可以下载 FDS中两个特殊的grantId: ALL_USERS:所有访问者 AUTHENTICATED_USERS:所有通过认证的访问(密钥认证/预签名认证/O
-
我正在开发一个将文件上传到Azure存储的.NET应用程序。我正在利用https://azure.microsoft.com/en-us/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/教程中所做的客户端加密 应用程序工作,即,我可以成功地上传一个加密的blob到一个选定的存储帐户和容器。 但是,我对RSA密钥的安全性有
-
Using a delegation key The collaborator can now push to the repository using Docker Content Trust. Docker will automatically choose and pick the right key for the targets/release role. Edit the file o
-
我试图编译代码时遇到了这个异常。我已经安装了eclips工具包,我正在使用EclipseKepler 异常线程"main"java.lang.NoClassDefFoundError: org/apache/共用/日志/LogFactory在com.amazonaws.Amazon WebServiceClient.(Amazon WebServiceClient.java:56)在test_to
-
有没有办法在Firebase控制台中重新生成FCM(云消息部分)的API Key?该密钥不可编辑,与Google API控制台中自动生成的密钥不同。由于这个错误的配置,我总是从FCM得到未经授权的401...