Workshop: Designing and Managing Scalable APIs – AWS London Loft, 25th April 2016
Transcript
Page 1: Workshop: We love APIs

Workshop: Designing and Managing Scalable APIs

AWS London Loft

25th April 2016

Page 2: Workshop: We love APIs

Agenda

• API Design Best Practices – Nicolas Grenié & Manfred Bortenschlager, 3Scale

• Intro to Amazon API Gateway and AWS Lambda – Matt McClean, AWS

• 3scale API Management – Nicolas Grenié & Manfred Bortenschlager, 3Scale

• API Gateway and AWS Lambda Exercise

• 3Scale Exercise

Page 3: Workshop: We love APIs

Building Secure Serverless Microservices with Amazon API Gateway and AWS Lambda

Matt McClean, AWS Solutions Architect

April 2016

Page 4: Workshop: We love APIs

What to Expect from the Session

1. A new, fully-managed development model
2. Declare an API with Amazon API Gateway
3. Application logic in AWS Lambda
4. Register and login API with Amazon Cognito
5. Authorization with AWS IAM
6. Generate and connect the Client SDK

Page 5: Workshop: We love APIs

A new, fully managed model

Architecture diagram: a web client on the Internet calls Amazon API Gateway (fronted by Amazon CloudFront, with an API Gateway cache and Amazon CloudWatch monitoring); API Gateway routes the calls to AWS Lambda functions, endpoints on Amazon EC2, other AWS services, or any other publicly accessible endpoint.

Page 6: Workshop: We love APIs

Key takeaways

AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you

Security is important, and complex – make the most of AWS Identity and Access Management

Swagger import and client SDK – we can automate most workflows

Page 7: Workshop: We love APIs

The services we are going to use

• Amazon API Gateway – Host the API and route API calls

• AWS Lambda – Execute our app’s business logic

• Amazon Cognito – Generate temporary AWS credentials

• Amazon DynamoDB – Data store

Page 8: Workshop: We love APIs

The pet store architecture

Page 9: Workshop: We love APIs

API call flows

Diagram, unauthenticated flow: Web Client → API Gateway (Register, Login) → AWS Lambda lambdaHandler.

Diagram, authenticated flow: Web Client → API Gateway (ListPets, GetPet, CreatePet) → AWS Lambda lambdaHandler. The call is authorized by IAM (Assume Role) and the Lambda function is invoked with a Sigv4 request signed with the caller credentials.

Page 10: Workshop: We love APIs

What’s new?

The application can use lots of servers, and I don’t need to manage a single one.

Authorization of API calls is delegated to AWS. We just need to focus on our IAM roles.

Deployment of the API is automated using Swagger.

Page 11: Workshop: We love APIs

API definition and Swagger

Page 12: Workshop: We love APIs

Amazon API Gateway overview

• Define and host APIs – Manage deployments to multiple versions and environments

• Leverage AWS Auth – Leverage Identity and Access Management to authorize access to your cloud resources

• Manage network traffic – DDoS protection and request throttling to safeguard your back end

Page 13: Workshop: We love APIs

Method and integration

Page 14: Workshop: We love APIs

Resources and methods

Unauthenticated:

• POST /users – Registers a new user in our DynamoDB table

• POST /login – Receives a user name and password and authenticates a user

Authenticated:

• POST /pets – Creates a new pet in the database

• GET /pets – Retrieves a list of pets from the database

• GET /pets/{petId} – Retrieves a pet by its ID

Page 15: Workshop: We love APIs

Diagram labels: Method, Method Request, Integration Request, Method Response.

Automating the workflow with Swagger

    /users:
      post:
        summary: Registers a new user
        consumes:
          - application/json
        produces:
          - application/json
        parameters:
          - name: NewUser
            in: body
            schema:
              $ref: '#/definitions/User'
        x-amazon-apigateway-integration:
          type: aws
          uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31...
          credentials: arn:aws:iam::964405213927:role/pet_store_lambda_invoke
          ...
        responses:
          200:
            schema:
              $ref: '#/definitions/RegisterUserResponse'

Page 16: Workshop: We love APIs

Benefits of using Swagger

• API definitions live in our source repository with the rest of the app.

• They can be used with other utilities in the Swagger toolset (for example, documentation generation).

• API can be imported and deployed in our build script via AWS CLI.

Page 17: Workshop: We love APIs

Request routing and exceptions

Page 18: Workshop: We love APIs

AWS Lambda Overview

• High performance at any scale; cost-effective and efficient – No infrastructure to manage. Pay only for what you use: Lambda automatically matches capacity to your request rate. Purchase compute in 100ms increments.

• Bring your own code – Lambda functions: stateless, trigger-based code execution. Run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally. Focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else.

Page 19: Workshop: We love APIs

The Lambda handler

Diagram: the Amazon API Gateway integration request invokes lambdaHandler in our Java source, which dispatches to the Register, Login, Create Pet and Get Pet actions; the actions use credentials generation and the pet store database.

Page 20: Workshop: We love APIs

Exception to HTTP status

Diagram: lambdaHandler in our Java source dispatches to the Register, Login, Create Pet and Get Pet actions. A BadRequestException comes back as BAD_REQUEST + stack trace and an InternalErrorException as INTERNAL_ERROR + stack trace; Amazon API Gateway maps the error message to an HTTP status with the responses block of the integration:

    responses:
      "default":
        statusCode: "200"
      "BAD.*":
        statusCode: "400"
      "INT.*":
        statusCode: "500"
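An added Python model of that mapping (not code from the workshop or from API Gateway): a stand-in handler raises exceptions whose message starts with the status keyword, and a resolver applies the responses table the way the integration matches a Lambda errorMessage against each selection pattern. The exception classes, the action names and the full-match-with-DOTALL matching rule are assumptions made for the illustration.

```python
import re
import traceback

# Selection patterns from the Swagger "responses" block above. An error message
# that matches no pattern falls through to "default", which is also the status
# of a successful invocation.
RESPONSES = [("BAD.*", 400), ("INT.*", 500)]
DEFAULT_STATUS = 200


class BadRequestException(Exception):
    """Constructed stand-in for the Java handler's bad-request error."""


class InternalErrorException(Exception):
    """Constructed stand-in for the Java handler's internal error."""


def lambda_handler(event):
    """Stand-in for lambdaHandler; one action suffices to show the mapping."""
    if event.get("action") != "GetPet":
        raise InternalErrorException("no such action: %r" % event.get("action"))
    if not event.get("petId"):
        raise BadRequestException("petId is required")
    return {"id": event["petId"], "name": "Rex"}


def invoke(event):
    """Return what Lambda hands back: a result, or an errorMessage that starts
    with the status keyword and carries the stack trace, as on the slide."""
    try:
        return {"body": lambda_handler(event), "errorMessage": None}
    except BadRequestException as exc:
        return {"body": None, "errorMessage": "BAD_REQUEST: %s\n%s" % (exc, traceback.format_exc())}
    except InternalErrorException as exc:
        return {"body": None, "errorMessage": "INTERNAL_ERROR: %s\n%s" % (exc, traceback.format_exc())}


def resolve_status(error_message):
    """Pick the HTTP status the way the integration responses table does."""
    if error_message is None:
        return DEFAULT_STATUS
    for pattern, status in RESPONSES:
        # Assumed: the pattern must cover the whole message and "." must span
        # the newlines of the stack trace, hence fullmatch with DOTALL.
        if re.fullmatch(pattern, error_message, re.DOTALL):
            return status
    return DEFAULT_STATUS


def client_response(event):
    """Status and body for the caller; only the keyword line of an error is
    returned, so the stack trace stays server-side instead of reaching clients."""
    result = invoke(event)
    status = resolve_status(result["errorMessage"])
    if result["errorMessage"] is None:
        return status, result["body"]
    return status, {"error": result["errorMessage"].splitlines()[0]}
```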

Page 21: Workshop: We love APIs

Mapping templates are a powerful tool

Learn more about mapping templates in our docs

http://amzn.to/1L1hSF5

Page 22: Workshop: We love APIs

Retrieving AWS credentials

Page 23: Workshop: We love APIs

Amazon Cognito overview

• Identity management – Manage authenticated and guest users across identity providers

• Data synchronization – Synchronize users’ data across devices and platforms via the cloud

• Secure AWS access – Securely access AWS services from mobile devices and platforms

Page 24: Workshop: We love APIs

The API definition

POST /users

• Receives a user name and password
• Encrypts the password and creates the user account in DynamoDB
• Calls Amazon Cognito to generate credentials
• Returns the user + its credentials

POST /login

• Receives a user name and password
• Authenticates the user against the DynamoDB database
• Calls Amazon Cognito to generate credentials
• Returns a set of temporary credentials

Page 25: Workshop: We love APIs

Retrieving temporary AWS credentials

Sequence diagram (Client, API Gateway, Backend):

1. The client calls the Login API (/login), no auth required; API Gateway forwards the call to the Login action, which checks the credentials against the user accounts database (credentials verified).
2. The backend gets an OpenID token for the developer identity (Identity ID + token).
3. Credentials are obtained for that identity (access key + secret key + session token), and the client receives credentials to sign API calls.

Page 26: Workshop: We love APIs

Authorizing API calls

Page 27: Workshop: We love APIs

The Pets resources require authorization

POST /pets

• Receives a Pet model
• Saves it in DynamoDB
• Returns the new Pet ID

GET /pets

• Returns the list of Pets stored in DynamoDB

GET /pets/{petId}

• Receives a Pet ID from the path
• Uses mapping templates to pass the path parameter to the Lambda function
• Loads the Pet from DynamoDB
• Returns a Pet model

Page 28: Workshop: We love APIs

Using the caller credentials

Whether configured in the console or in Swagger, the integration credentials are set to the caller’s own identity:

    credentials: arn:aws:iam::*:user/*

Page 29: Workshop: We love APIs

The IAM role defines access permissions

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:Scan",
            "lambda:InvokeFunction",
            "execute-api:invoke"
          ],
          "Resource": [
            "arn:aws:dynamodb:us-east-1:xxxxxx:table/test_pets",
            "arn:aws:lambda:us-east-1:xxxxx:function:PetStore",
            "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/pets"
          ]
        }
      ]
    }

The role allows calls to:

• DynamoDB
• API Gateway
• Lambda

The role can access specific resources in these services

Page 30: Workshop: We love APIs

One step further: Fine-grained access permissions

Diagram: a client on the Internet calls API Gateway (via Amazon CloudFront); the AWS Lambda function executes with the caller’s role (CognitoId2) and reads DynamoDB. The credentials and context (Cognito ID) are passed along, and both AWS Lambda & DynamoDB will follow the access policy:

    …
    "Condition": {
      "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
        "dynamodb:Attributes": [
          "UserId", "GameTitle", "Wins", "Losses",
          "TopScore", "TopScoreDateTime"
        ]
      },
      "StringEqualsIfExists": {
        "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
      }
    }
    …

Sample table:

    UserID       Wins   Losses
    cognitoId1   3      2
    cognitoId2   5      8
    cognitoId3   2      3
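To make the condition block concrete, an added Python model (not from the workshop or from AWS) of how the ForAllValues:StringEquals and StringEqualsIfExists operators decide a DynamoDB request: the request context carries the caller’s Cognito identity ID plus the keys and attributes the operation touches, and the policy variable is resolved from it. The context key name, the request dictionary shape and the identity IDs are constructed for the illustration.

```python
# Constructed model of the Condition block on the slide. The policy variable is
# kept as written and substituted per request from the caller's context.
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"
CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": [COGNITO_SUB],
        "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses",
                                "TopScore", "TopScoreDateTime"],
    },
    "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
}


def resolve(values, ctx):
    """Substitute the Cognito identity ID carried by the caller's credentials."""
    sub = ctx["cognito-identity.amazonaws.com:sub"]
    return [v.replace(COGNITO_SUB, sub) for v in values]


def for_all_values_string_equals(allowed, requested):
    """Set operator: every requested value must appear in the policy list.
    An absent or empty request key has no value to reject, so it matches; a
    request that sends no LeadingKeys (as a whole-table Scan does) therefore
    passes this operator and has to be constrained by other means."""
    return all(v in allowed for v in (requested or []))


def string_equals_if_exists(expected, actual):
    """Matches when the key is absent from the request, otherwise exact equality."""
    return actual is None or actual == expected


def condition_allows(ctx, request):
    """Evaluate the whole Condition block; every operator must hold."""
    for key, allowed in CONDITION["ForAllValues:StringEquals"].items():
        if not for_all_values_string_equals(resolve(allowed, ctx), request.get(key)):
            return False
    expected = CONDITION["StringEqualsIfExists"]["dynamodb:Select"]
    return string_equals_if_exists(expected, request.get("dynamodb:Select"))
```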

Page 31: Workshop: We love APIs

Authenticated flow in depth

Diagram: Mobile apps → API Gateway → AWS Lambda lambdaHandler → DynamoDB. The Lambda function is invoked with a Sigv4 request signed with the caller credentials, and its service calls are authorized using the IAM role.

Learn more about fine-grained access permissions

http://amzn.to/1YkxcjR

Page 32: Workshop: We love APIs

Benefits of using AWS auth & IAM

• Separation of concerns – our authorization strategy is delegated to a dedicated service

• We have centralized access management to a single set of policies

• Roles and credentials can be disabled with a single API call

Page 33: Workshop: We love APIs

AWS credentials on the client

Page 34: Workshop: We love APIs

1-click SDK generation from the console

Page 35: Workshop: We love APIs

Questions?

Page 36: Workshop: We love APIs

Lab Exercise: Pet Shop

Follow steps outlined here: http://bit.ly/1VxeHJg

