Posted: 15-Jan-2017 | Category: Technology | Uploaded by: amazon-web-services
Workshop: Designing and Managing Scalable APIs
AWS London Loft
25th April 2016
Agenda
• API Design Best Practices – Nicolas Grenié & Manfred Bortenschlager, 3Scale
• Intro to Amazon API Gateway and AWS Lambda – Matt McClean, AWS
• 3scale API Management – Nicolas Grenié & Manfred Bortenschlager, 3Scale
• API Gateway and AWS Lambda Exercise
• 3Scale Exercise
Building Secure Serverless Microservices with Amazon API Gateway and AWS Lambda
Matt McClean, AWS Solutions Architect
April 2016
What to Expect from the Session
1. A new, fully-managed development model
2. Declare an API with Amazon API Gateway
3. Application logic in AWS Lambda
4. Register and login API with Amazon Cognito
5. Authorization with AWS IAM
6. Generate and connect the Client SDK
A new, fully managed model
[Architecture diagram: Web Client, Internet, Amazon CloudFront, Amazon API Gateway with API Gateway cache and Amazon CloudWatch; backends: AWS Lambda functions, endpoints on Amazon EC2, any other publicly accessible endpoint, other AWS services]
Key takeaways
AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you
Security is important, and complex – make the most of AWS Identity and Access Management
Swagger import and client SDK – we can automate most workflows
The services we are going to use
• Amazon API Gateway – Host the API and route API calls
• AWS Lambda – Execute our app’s business logic
• Amazon Cognito – Generate temporary AWS credentials
• Amazon DynamoDB – Data store
The pet store architecture
[Diagram of the API call flows. Unauthenticated: Web Client → API Gateway → AWS Lambda lambdaHandler (Register, Login). Authenticated: Web Client → API Gateway, Sigv4 invoke with caller credentials, authorized by IAM (Assume Role) → AWS Lambda lambdaHandler (ListPets, GetPet, CreatePet).]
What’s new?
The application can use lots of servers, and I don’t need to manage a single one.
Authorization of API calls is delegated to AWS. We just need to focus on our IAM roles.
Deployment of the API is automated using Swagger.
API definition and Swagger
Amazon API Gateway overview
• Define and host APIs – Manage deployments to multiple versions and environments
• Leverage AWS Auth – Leverage Identity and Access Management to authorize access to your cloud resources
• Manage network traffic – DDoS protection and request throttling to safeguard your back end
Method and integration
Resources and methods
Unauthenticated:
• POST /users – Registers a new user in our DynamoDB table
• POST /login – Receives a user name and password and authenticates a user
Authenticated:
• POST /pets – Creates a new pet in the database
• GET /pets – Retrieves a list of pets from the database
• GET /pets/{petId} – Retrieves a pet by its ID
[Diagram of a method: Method Request → Integration Request → Method Response]
Automating the workflow with Swagger
/users:
  post:
    summary: Registers a new user
    consumes:
      - application/json
    produces:
      - application/json
    parameters:
      - name: NewUser
        in: body
        schema:
          $ref: '#/definitions/User'
    x-amazon-apigateway-integration:
      type: aws
      uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31...
      credentials: arn:aws:iam::964405213927:role/pet_store_lambda_invoke
      ...
    responses:
      200:
        schema:
          $ref: '#/definitions/RegisterUserResponse'
Benefits of using Swagger
• API definitions live in our source repository with the rest of the app.
• They can be used with other utilities in the Swagger toolset (for example, documentation generation).
• API can be imported and deployed in our build script via AWS CLI.
Request routing and exceptions
AWS Lambda Overview
• No infrastructure to manage – High performance at any scale; cost-effective and efficient. Pay only for what you use: Lambda automatically matches capacity to your request rate. Purchase compute in 100ms increments.
• Bring your own code – Lambda functions are stateless, trigger-based code execution. Run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally. Focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else.
The Lambda handler
[Diagram: an Amazon API Gateway integration request invokes lambdaHandler in our Java source, which dispatches to the Register, Login, Create Pet and Get Pet actions; the actions use credentials generation and the pet store database]
Exception to HTTP status
[Diagram: the Register, Login, Create Pet and Get Pet actions in lambdaHandler (our Java source) raise BadRequestException (BAD_REQUEST + stack trace) or InternalErrorException (INTERNAL_ERROR + stack trace); Amazon API Gateway maps them to HTTP status codes in the integration response:]
responses:
  "default":
    statusCode: "200"
  "BAD.*":
    statusCode: "400"
  "INT.*":
    statusCode: "500"
Mapping templates are a powerful tool
Learn more about mapping templates in our docs: http://amzn.to/1L1hSF5
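To make the regex-to-status mapping above concrete, here is an added Python simulation (not code from the workshop) of how those selection patterns pick a status code, and of a response body that drops the stack trace the Java runtime attaches; the Lambda error payloads are constructed samples.

```python
import re

# The integration response selection patterns from the slide's Swagger
# fragment: each key is a regex that API Gateway tests against the Lambda
# errorMessage, with "default" used when nothing matches (constructed copy).
RESPONSE_SELECTION = {"default": 200, "BAD.*": 400, "INT.*": 500}


def select_status(lambda_result: dict) -> int:
    """Simulates the selection: a clean result takes the default; an error
    message is matched in full against each pattern (the slide's patterns end
    in .* so anything starting with BAD or INT qualifies, even with newlines)."""
    message = lambda_result.get("errorMessage")
    if message is None:
        return RESPONSE_SELECTION["default"]
    for pattern, status in RESPONSE_SELECTION.items():
        if pattern != "default" and re.fullmatch(pattern, message, re.DOTALL):
            return status
    return RESPONSE_SELECTION["default"]


def client_body(lambda_result: dict) -> dict:
    """Body handed to the caller: only the error code before the first ':' is
    forwarded, so the exception class and stackTrace that the Java runtime
    attaches to the error stay out of the HTTP response."""
    message = lambda_result.get("errorMessage")
    if message is None:
        return lambda_result
    return {"error": message.split(":", 1)[0].strip()}


# Constructed examples of what the Lambda Java runtime returns for the deck's
# two exception types and for a successful CreatePet call.
SUCCESS = {"petId": "pet-123"}
BAD_REQUEST = {
    "errorMessage": "BAD_REQUEST: pet name is required",
    "errorType": "BadRequestException",
    "stackTrace": ["CreatePet.run(CreatePet.java:42)"],
}
INTERNAL = {
    "errorMessage": "INTERNAL_ERROR: DynamoDB write failed",
    "errorType": "InternalErrorException",
    "stackTrace": ["CreatePet.run(CreatePet.java:57)"],
}
```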
Retrieving AWS credentials
Amazon Cognito overview
• Identity management – Manage authenticated and guest users across identity providers
• Data synchronization – Synchronize users’ data across devices and platforms via the cloud
• Secure AWS access – Securely access AWS services from mobile devices and platforms
The API definition
/users
• POST
• Receives a user name and password
• Encrypts the password and creates the user account in DynamoDB
• Calls Amazon Cognito to generate credentials
• Returns the user + its credentials
/login
• POST
• Receives a user name and password
• Authenticates the user against the DynamoDB database
• Calls Amazon Cognito to generate credentials
• Returns a set of temporary credentials
Retrieving temporary AWS credentials
[Sequence diagram between Client, API Gateway and Backend]
1. The client calls the Login API (/login); no auth is required. The Login action verifies the credentials against the user accounts database.
2. The backend calls Get OpenID token for developer identity and receives an Identity ID + token.
3. The backend calls Get credentials for identity and receives an access key + secret key + session token.
The client receives the credentials to sign API calls.
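The three steps above as an added Python example (not the workshop's backend): step 1 checks the stored password, steps 2 and 3 call the two Cognito operations through an injected client. Assumptions: the client exposes boto3's cognito-identity method names (a constructed stand-in is included so it runs offline), the pool id and developer provider name are placeholders, and the password is stored as a salted PBKDF2 hash rather than the "encrypted" form the slide mentions.

```python
import hashlib
import hmac

IDENTITY_POOL_ID = "eu-west-1:00000000-0000-0000-0000-000000000000"  # placeholder
DEVELOPER_PROVIDER = "login.petstore.example"  # placeholder developer provider name


class FakeCognito:
    """Constructed stand-in for boto3's cognito-identity client: same method
    names and response shapes, so boto3.client("cognito-identity") drops in."""

    def get_open_id_token_for_developer_identity(self, IdentityPoolId, Logins):
        user_id = Logins[DEVELOPER_PROVIDER]
        return {"IdentityId": f"eu-west-1:id-for-{user_id}", "Token": f"oidc-{user_id}"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        assert Logins["cognito-identity.amazonaws.com"].startswith("oidc-")
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretKey": "secret", "SessionToken": "tok"}}


def verify_password(salt: bytes, stored_hash: bytes, password: str) -> bool:
    # Step 1: check the stored salted PBKDF2 hash in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)


def login(cognito, users: dict, username: str, password: str) -> dict:
    user = users.get(username)
    if user is None or not verify_password(user["salt"], user["hash"], password):
        raise PermissionError("BAD_REQUEST: invalid user name or password")
    # Step 2: Cognito mints an OpenID token for this developer-authenticated identity.
    token = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID, Logins={DEVELOPER_PROVIDER: username})
    # Step 3: the token is exchanged for a short-lived access key, secret key and session token.
    creds = cognito.get_credentials_for_identity(
        IdentityId=token["IdentityId"],
        Logins={"cognito-identity.amazonaws.com": token["Token"]})["Credentials"]
    return {"identityId": token["IdentityId"], "accessKeyId": creds["AccessKeyId"],
            "secretKey": creds["SecretKey"], "sessionToken": creds["SessionToken"]}


# Constructed user record, as the Register action would have stored it.
SALT = b"constructed-salt"
USERS = {"alice": {"salt": SALT,
                   "hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}}
```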
Authorizing API calls
The Pets resources require authorization
/pets
• POST
• Receives a Pet model
• Saves it in DynamoDB
• Returns the new Pet ID
• GET
• Returns the list of Pets stored in DynamoDB
/pets/{petId}
• GET
• Receives a Pet ID from the path
• Uses mapping templates to pass the path parameter to the Lambda function
• Loads the Pet from DynamoDB
• Returns a Pet model
Using the caller credentials
Using the console, or in Swagger with:
credentials: arn:aws:iam::*:user/*
The IAM role defines access permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "lambda:InvokeFunction",
        "execute-api:invoke"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:xxxxxx:table/test_pets",
        "arn:aws:lambda:us-east-1:xxxxx:function:PetStore",
        "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/pets"
      ]
    }
  ]
}
The role allows calls to:
• DynamoDB
• API Gateway
• Lambda
The role can access specific resources in these services
One step further: Fine-grained access permissions
[Diagram: Client → Internet → Amazon CloudFront → API Gateway → AWS Lambda functions → DynamoDB. The Lambda function executes with this role; the caller's credentials and context (Cognito ID, here CognitoId2) are passed along.]
...
"Condition": {
  "ForAllValues:StringEquals": {
    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
    "dynamodb:Attributes": [
      "UserId", "GameTitle", "Wins", "Losses",
      "TopScore", "TopScoreDateTime"
    ]
  },
  "StringEqualsIfExists": {
    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
  }
}
...
UserID     | Wins | Losses
cognitoId1 | 3    | 2
cognitoId2 | 5    | 8
cognitoId3 | 2    | 3
The credentials and context (Cognito ID) are passed along
Both AWS Lambda & DynamoDB will follow the access policy
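An added Python model (not the workshop's code, and not AWS's policy evaluator) of how this condition is decided once the Cognito identity is substituted into the policy variable; it covers only the two operators the slide uses, and the sample requests are constructed against the table above. It also shows the empty-set behaviour of ForAllValues, which is why a Scan is not restricted by dynamodb:LeadingKeys.

```python
# The condition block from the slide, as a Python structure (constructed copy).
CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
        "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses",
                                "TopScore", "TopScoreDateTime"],
    },
    "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
}
POLICY_VAR = "${cognito-identity.amazonaws.com:sub}"


def condition_allows(request: dict, cognito_sub: str) -> bool:
    """request holds the DynamoDB condition keys of one call (lists for
    multi-valued keys, a string for dynamodb:Select); cognito_sub is the
    identity the temporary credentials carry, substituted into the policy."""
    for key, allowed in CONDITION["ForAllValues:StringEquals"].items():
        allowed = [a.replace(POLICY_VAR, cognito_sub) for a in allowed]
        # ForAllValues: every value the request supplies must be in the set.
        # A key absent from the request is the empty set and passes vacuously.
        if any(v not in allowed for v in request.get(key, [])):
            return False
    for key, expected in CONDITION["StringEqualsIfExists"].items():
        # ...IfExists: only enforced when the request carries the key.
        if key in request and request[key] != expected:
            return False
    return True


# Constructed requests against the slide's table, made as cognitoId2.
QUERY_OWN_ROW = {"dynamodb:LeadingKeys": ["cognitoId2"],
                 "dynamodb:Attributes": ["Wins", "Losses"],
                 "dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
QUERY_OTHER_ROW = {"dynamodb:LeadingKeys": ["cognitoId1"],
                   "dynamodb:Attributes": ["Wins"],
                   "dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
QUERY_ALL_ATTRS = {"dynamodb:LeadingKeys": ["cognitoId2"],
                   "dynamodb:Select": "ALL_ATTRIBUTES"}
# A Scan sets no dynamodb:LeadingKeys, so the key condition cannot restrict it:
# the role must not grant dynamodb:Scan if rows are to stay per-user.
SCAN_NO_KEYS = {"dynamodb:Attributes": ["Wins"]}
```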
Authenticated flow in depth
[Diagram: Mobile apps → API Gateway → AWS Lambda lambdaHandler → DynamoDB. The client invokes the API with Sigv4 using the caller credentials; service calls are authorized using the IAM role.]
Learn more about fine-grained access permissions: http://amzn.to/1YkxcjR
Benefits of using AWS auth & IAM
• Separation of concerns – our authorization strategy is delegated to a dedicated service
• We have centralized access management to a single set of policies
• Roles and credentials can be disabled with a single API call
AWS credentials on the client
1-click SDK generation from the console
Questions?
Lab Exercise: Pet Shop
Follow steps outlined here: http://bit.ly/1VxeHJg