How do I call an AWS_IAM authorized API Gateway endpoint from AWS Lambda who's execution role has permission to do so?

11
votes

I'm wanting to call an AWS API Gateway endpoint which has Authorization set to AWS_IAM from an executing AWS Lambda who's execution role has permission to execute that API Gateway.

enter image description here

Is there anyway for me to sign the HTTPS request to API Gateway using the current execution role of my Lambda?

Edit:

Looking at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html, I may be able to call AssumeRole using the SDK to assume the role which has permissions to execute Api Gateway, and then extract the secret key which can be used to sign the requests.

2
amazon-web-servicesaws-lambdaaws-api-gatewaysigning

2 Answers

10
votes

The credentials for lambda's execution role can be retrieved from environment variables - AWS_SESSION_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY.

You can use the above credentials to sign the requests. The docs for signing are here http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html. You can also look at third party libraries that do this.

Note that since you have session token you'll need to handle it as described here http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#RequestWithSTS

3
votes

As @Abhigna Nagaraja pointed out, you can retrieve the credentials for lambda's execution with the environment variables.

If you are using Python, you can use the aws_requests_auth library to sign the request. You can also check the documentation for a complete example on how to sign the request.

Here's a snippet on how to sign a request from a lambda:

import json
import requests
import os
from aws_requests_auth.aws_auth import AWSRequestsAuth


def lambda_handler(event, context):
    api_id = 'XXXXXXXXX'  # Replace with your API Gateway Id
    api_url = 'https://{}.execute-api.eu-west-1.amazonaws.com/dev/hello'.format(api_id)

    aws_access_key_id = os.environ['AWS_ACCESS_KEY_ID']
    aws_secret_access_key = os.environ['AWS_SECRET_ACCESS_KEY']
    aws_session_token = os.environ['AWS_SESSION_TOKEN']

    auth = AWSRequestsAuth(aws_access_key=aws_access_key_id,
                           aws_secret_access_key=aws_secret_access_key,
                           aws_token=aws_session_token,
                           aws_host='{}.execute-api.eu-west-1.amazonaws.com'.format(api_id),
                           aws_region='eu-west-1',
                           aws_service='execute-api')

    response = requests.get(api_url, auth=auth)
    return {
        'statusCode': response.status_code,
        'body': json.dumps(response.json())
    }

Hope it helps.