Jez Nicholson (14)
#1
You might have mentioned it in the video but I haven't noticed it...

I see that in the web page function you've got a local version of aws4 which pulls in 'awscred'

Is awscred your construction?

If I want to call my own API endpoints from within a function, is this the way to go? It seems like a bad idea to drift away from the npm aws4?
Yan Cui (65)
#2
Hi Jez,

I mentioned in the video that the reason for drifting away from the public NPM versions of aws4 and awscred is that they don't support ECS's authentication model. I have an open PR to awscred to add support for it and tried to get in touch with the author via Twitter and GitHub, but so far no response... which is why I had to resort to this approach. For aws4, I also made a change to the NPM version so that it uses awscred to resolve the credentials automatically, something the author disagrees with, judging by the response to a GitHub feature request for exactly that.

I also mentioned that you'd want to publish these 2 as private NPM packages in your own NPM account rather than relying on a module in the repo.

Also, since the awscred change is only for ECS, which is only relevant for us when running tests in CodeBuild, if you're not doing that then you won't actually need it and can continue to use the NPM versions of the two.
Jez Nicholson (14)
#3
Thanks Yan, makes sense. Ah, the joy of open source when someone won't accept pull requests!

I'm bumbling around with the security section as the front-end Unity devs are having grief using Cognito. The libs for Unity appear to be a bit out-of-date and don't even include API Gateway. Might have to end up sending direct from Unity to Lambda or SNS.
Yan Cui (65)
#4
Mm... just checked with my Unity developers and they're using the official library as well. We're using Cognito Federated Identities to get back an IAM credential instead, which we then use with Kinesis.

You can do the same with API Gateway: choose IAM auth for your endpoints, configure the role you should give the client to access that API, and then you can sign the HTTP requests like we discussed in the course (setting those 3 HTTP headers).
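As an added example (not code from the course, the thread, or the aws4/awscred libraries), here is the SigV4 signing step described above in Python: it builds the canonical request, derives the signing key from the secret key, and returns the X-Amz-Date, X-Amz-Security-Token and Authorization headers that an IAM-authenticated API Gateway request needs when the caller holds temporary credentials such as those from Cognito Federated Identities. The host, stage path, keys and session token are constructed placeholders.

```python
"""Minimal SigV4 signer for an API Gateway call; host, path, keys and token used
below are constructed placeholders, not values from the thread."""
import datetime
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "execute-api"  # API Gateway's service name in the credential scope

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(method, path, query, headers, body):
    """Return (canonical request, SignedHeaders); header names must be lowercase."""
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    names = sorted(headers)
    canon_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed = ";".join(names)
    lines = [method, quote(path, safe="/-_.~"), cq, canon_headers, signed, _sha256_hex(body)]
    return "\n".join(lines), signed

def sign(method, host, path, query, body, access_key, secret_key, region,
         amz_date, session_token=None):
    """Return the headers to add to the request; amz_date looks like 20150830T123600Z."""
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (e.g. Cognito Federated Identities) need this
        headers["x-amz-security-token"] = session_token
    creq, signed = canonical_request(method, path, query, headers, body)
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(creq.encode())])
    # Signing key: HMAC chain over date, region, service and "aws4_request"
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    print(sign("GET", "abc123.execute-api.eu-west-1.amazonaws.com", "/dev/hello", {}, b"",
               "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "eu-west-1", now))
```

A signature that comes out "weird" is almost always a canonical-request mismatch (header order, trailing newline, or an unhashed body), so comparing the intermediate canonical request against the one the server expects is the quickest way to debug it.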
Jez Nicholson (14)
#5
It appears that the Unity SDK (https://github.com/aws/aws-sdk-net/blob/master/Unity.README.md) only supports selected services: Cognito, DynamoDB, IAM, Kinesis, Lambda, Mobile Analytics, SES, SNS, SQS, S3... and if you are using Kinesis then it is there.

We have successfully called Lambda, but my dev is struggling to create the SigV4 signature required to call API Gateway via HTTP GET and POST.

He wants to call my Lambdas direct, but I am wary because the front-end will be coupled to the back-end. I think that it'll be trouble but can't say why yet. Could it be a stopgap solution? Or would putting SNS between the two be a better idea?
Yan Cui (65)
#6
Let's maybe step back a sec: what does this API do?

And what are you using for authentication? I assume you're using Cognito Federated Identities to exchange some JWT for IAM credentials already, which you then try to use to sign the API Gateway request with, but which authentication service are you using?

If you're using Cognito User Pools then you can consider using the Cognito custom authorizer with API Gateway instead. And if you're using another third-party auth service (such as Auth0) then you can also write a custom authorizer function (in Lambda) to implement authentication (happy to point you to more resources on how to do this, seeing as I skipped over it in the course).

As an aside, have your Unity developers had a look at the AWS4Signer class in the AWSSDK for .NET:
https://github.com/aws/aws-sdk-net/blob/6c3be79bdafd5bfff1ab0bf5fec17abc66c7b516/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4Signer.cs

It's not the easiest code to follow, but they might be able to adapt it for their use.
Jez Nicholson (14)
#7
The API is access to data storage for a mobile game. It replaces a direct-to-Firebase MVP. Currently calls are made at the beginning and end of a long session (up to 1 hour) to save and retrieve state. The app does all the calculations and the backend stores the information. As time goes on, processes will migrate to the back end, plus new processes will be added. The plan is to use API Gateway to Lambda and DynamoDB, and when non-main-gameloop tasks are wanted we will add an SNS layer. Therefore the API Gateway is really there to hide the game server implementation from the app, allowing the backend to grow.

On first play, the player is given a generated GUID which is saved locally. They can then save and retrieve their information in later sessions from the same device. They will then want a login so that they can connect using a new device. So, the next step is to enable username/password via a Cognito User Pool, and later enable Facebook/Google/Twitter logins.

To isolate the test, I have created a new hello-world API and IAM permissions to read it. We have successfully used Postman with AWS Authorisation to connect to it.

Dev has tried AWS4Signer and says that the signature is coming out 'weird'. I'm inclined to get them to continue to try, as aws4-signing an HTTP call doesn't seem an unusual thing to do.
Yan Cui (65)
#8
I see, thanks for that explanation, best of luck! Let me know if there's anything else I might be able to help you with.