Lamdba micro service using Amazon Api Gateway

Lamba Micro ServiceusingAmazon Api GatewayFor Web Applications

About Us

Mike BeckerFounder /CTO - Wise AgentUniversity of Technology - 2000Multi Instrumentalist - Guitars, Sax, Piano, Drums, VocalsInternet Credentialed Reverend - 11 weddings officiatedEleni SommerschieldCOO - Wise AgentDePaul University - 2000Fluent in GreekEnjoys spending time with family and friends

Lambda Micro Service

1. Application Delivery2. Application Requirements3. AWS Assets4. Web Assets5. Process6. Findings7. Questions


Application Delivery● Native

○ iOS○ Android○ Xamarin

● Web○ Web Application Scaffolding○ Html, Css, Javascript○ Delivered from CloudFront / S3 Bucket


Application Requirements● Deliver Unauthenticated Content● Provide Authentication

○ Amazon, Facebook, Google, Twitter○ Developer Credentials

■ Login Account Creation■ Reset Password

● Handle Session Management● Deliver Authenticated Content● Provide Help - Contact Us


AWS Assets

Lambda is a service that will allow you to run little self contained snippets of JS, Java or Python to do discrete tasks.

API GatewayProxy your apps API through this so you can throttle bad client traffic, test new versions, and present methods more cleanly.

CognitoOAuth as a service, give end users - (non AWS) - the ability to log in with Google, Facebook, etc.

Amazon CloudfrontMake your websites load faster by spreading out static file delivery to be closer to where your users are.

Route 53Manage DNS records and purchase domains.


Web Assets● Html, Css, Javascript● Hosted on S3● Sync files to S3 via AWS-CLI.● Use Angular Scaffolding like Yeoman/Bower/Grunt.● Add AWS SDK to Bower.

○ bower install aws-sdk-js --save


Process - Website Setup● Create a web template using yeoman.

○ Add the views listed in the requirements.● Set up your S3 Bucket.

○ bucket must be named “subdomain.domain.tld”● Set up a SSL certificate in the AWS Certificate Manager (ACM).● Set up Amazon CloudFront.

○ Point to your bucket and subdomain.○ Use the custom certificate option and select your certificate.

● Create a CNAME entry for your subdomain on Route 53 and enter your CloudFront domain name for its value.

● Build your project and sync to your S3 bucket.○ aws s3 sync dist s3://yourbucket


Process - Social Integrations● Set up your application on Amazon Login, Facebook, etc.

○ Add your authorized site or javascript origins.○ Add your Valid OAuth return URLs.○ Some will even accept your localhost for testing.

● Download sample OAuth scripts from the providers.○ Instructions for setting up the scripts can be found online.○ Place the download scripts in your index.html and the

returnToken scripts in your scripts.js file.○ Test your authorizations, you should be able to return token

and fetch user info.


Process - Social Integrations● Create a new Cognito Identity Pool.

○ Create unauthenticated and authenticated IAM roles.○ Add your providers’ app ids to the Authentication Providers

section. ○ Create a custom provider for your developer authentication.

● Edit the authorized role in IAM by adding lambda and execute-api invoking rights.


Process - Social Integrations● Cognito Credentials in

Javascript○ Credential the

unauthenticated user with Cognito on document ready.

○ When the token returns from provider, obtain credentials using the token.


Process - Lambda Function● Create login Lambda function

○ Click “Create a Lambda function”.○ Select simple-mobile-backend.○ Name the function “DeveloperLogin”.○ Under Role, select the suggested “Basic with DynamoDB”.○ A new IAM Role will be created, click allow.○ Leave the memory and timeout settings alone for now.○ Then you will see….

A new section to configure Lambda to access resources,

such as EC2 databases, within your VPC!


Process - Lambda Functions○ Select “no vpc”.○ Click next and create function.

● Open the new Lambda_Dynamo role in IAM and attach the policy named “AmazonCognitoDeveloperAuthenticatedIdentities”.

● Create a table for logins in DynamoDB to store your email and hashed password, use email as the key.

● Create another table to store keys to retrieve lost passwords.● Return to the Lambda function and create a test event.


Process - Lambda Functions

Test Event Parameters{ "email": "[email protected]", "password": "anythingbutpassword", "operation": "login"}


Process - Lambda Functions● You will need these includes and account credentials in the code.

○ var doc = require('dynamodb-doc');○ var dynamodb = new doc.DynamoDB();○ var crypto = require('crypto');○ var AWS = require('aws-sdk');○ var AWS_ACCOUNT_ID = ‘XXXXXXX’;○ var AWS_Region = 'us-east-1';○ var COGNITO_IDENTITY_POOL_ID = 'us-east-1:XXXXXXXXXX';

● Now add cases for login, reset password, etc. to the code.


Process - Lambda Functions● After a successful login request, call

getOpenIdTokenForDeveloperIdentity.var params = { IdentityPoolId: 'us-east-1:XXXXXXXXXXXXX', Logins: { 'login.testapp.com': event.email }, TokenDuration: 3600};var cognitoidentity = new AWS.CognitoIdentity();cognitoidentity.getOpenIdTokenForDeveloperIdentity(params, function(err, data) { if (err){ // an error occurred token = "0"; context.fail("no token"); } else { // successful response token = { 'id' : data.IdentityId, "token": data.Token } ; context.succeed(token); } });


Process - Lambda Functions● Create another Lambda function with “Basic with DynamoDB” as

a template and attach SES sending privileges to your role.● Create functions in your code for sending password resets and

emails to your customer service ticket system.

● Create another Lambda function to be return your “Authorized Content”.○ Use the lambda-micro-service template.○ Set up test event parameters.


Process - API Gateway Creation● Create new API.● Create resources Login, Contact, Reset, Session.● Add POST Method to login.

○ Select Lambda function and region.○ Enter DeveloperLogin for the function and save.○ Leave the Message Request settings as default.

● Select the Login resource and click “Enable Cors”.○ Leave the settings as ‘*’ if you want to access via

native/localhost.○ Or, enter ‘*.yourdomain.tld’.

● Click “Deploy API” and create a new stage.


Process - API Gateway Creation● On the stage view, generate a javascript sdk that will sign

requests.● Download, add to your project, and include the reference in

index.html.● Add the appropriate calls to your project, scripts.js file.● Your login function should return with and id and token.● Add an AWS.STS object and call assumeRoleWithWebIdentity to

retrieve your Cognito credentials.

After any changes to the API Gateway, you must re-deploy to see the update.


Process - API Gateway Creation● Open Resources and select the session resource.

○ Add a POST method and point it to your lambda function that returns your sample “Authenticated Content”.

○ Select “AWS_IAM” for the Authentication method on the Method Request.

○ Deploy the API.


Process - Finish● Add a view to your application

and a function to call when the view loads.

● save the Cognito id and the credentials object in a global variables.

● The unauthenticated role should through a 403 error and load the login view.

● The authenticated should return your lambda output.


Findings1. I don’t recommend attaching an API Gateway via the Lambda

interface. Use the Api Gateway.

2. Api Gateway Resources a. It would be useful view/edit existing CORS settings.b. Deploy after each change, or you won’t see it on your

endpoint.

3. I was able to use the same microservice with my native application, as well as this web application.

4. With VPC, The possibilities with Lambda integration are endless.


Links● https://github.com/aws/aws-sdk-js● http://yeoman.io/● https://blogs.aws.amazon.com/javascript/post/Tx1F7FO6GDAIXD3/Authenti

cation-with-Amazon-Cognito-in-the-Browser● http://docs.aws.amazon.com/cognito/devguide/identity/developer-authenti

cated-identities/● http://backspace.technology/learn-aws-cognito-id.html● http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custo

m-authorizer.html● http://www.slideshare.net/AmazonWebServices/dev203-amazon-api-gatew

ay-aws-lambda-to-build-secure-apis● https://auth0.com/docs/integrations/aws-api-gateway/part-1● http://cloudacademy.com/blog/amazon-cognito-manage-mobile-data/

https://github.com/aws/aws-sdk-js

http://yeoman.io/

https://blogs.aws.amazon.com/javascript/post/Tx1F7FO6GDAIXD3/Authentication-with-Amazon-Cognito-in-the-Browser

https://blogs.aws.amazon.com/javascript/post/Tx1F7FO6GDAIXD3/Authentication-with-Amazon-Cognito-in-the-Browser

http://docs.aws.amazon.com/cognito/devguide/identity/developer-authenticated-identities/

http://docs.aws.amazon.com/cognito/devguide/identity/developer-authenticated-identities/

http://backspace.technology/learn-aws-cognito-id.html

http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html

http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html

http://www.slideshare.net/AmazonWebServices/dev203-amazon-api-gateway-aws-lambda-to-build-secure-apis

http://www.slideshare.net/AmazonWebServices/dev203-amazon-api-gateway-aws-lambda-to-build-secure-apis

https://auth0.com/docs/integrations/aws-api-gateway/part-1

http://cloudacademy.com/blog/amazon-cognito-manage-mobile-data/

Questions

???

Thank You