API Gateway Websocket sigv4 authentication

0

Hi

I'm currently getting my head around the new Websocket feature of API Gateway and went through the following blog post to get started: https://aws.amazon.com/blogs/compute/announcing-websocket-apis-in-amazon-api-gateway/

However, authentication is not used in this example and I need to see how that would work. In the post wscat is used as the websocket client and I don't believe there is a way to use that to call sigv4 APIs (unless I'm wrong?)

Does anyone have working code (any language would do: Python, Java, NodeJS etc.) that would connect to a Websocket that needs sigv4 auth?

1 answer
1
Accepted answer

It is possible, I connected to WSS endpoints using Sigv4 in two distinct ways: using headers and querystring.

Example of wscat command using headers:

wscat -H "Sec-WebSocket-Version:13" \
-H "Sec-WebSocket-Key:d6Bb3S0ZIibBDRfF460/Hw==" \
-H "Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits" \
-H "Date:20211011T205720Z" \
-H "Authorization:AWS4-HMAC-SHA256 Credential=AKIAS123456789012345/20211011/us-east-1/managedblockchain/aws4_request, SignedHeaders=date;host, Signature=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
-c wss://nd-aaaaaaaaaaaaaaaaaaaaaaaaaa.wss.ethereum.managedblockchain.us-east-1.amazonaws.com

Example of wscat command using querystring:

wscat --connect "wss://nd-aaaaaaaaaaaaaaaaaaaaaaaaaa.wss.ethereum.managedblockchain.us-east-1.amazonaws.com/?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAS123456789012345%2F20211018%2Fus-east-1%2Fmanagedblockchain%2Faws4_request&X-Amz-Date=20211018T151804Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&X-Amz-Signature=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

Important: the implementation of WebSocket for web browsers does not accept headers, so you must go with the query string version.

Code used to output a wscat command with Header auth:

Refer to these very useful examples here: https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html

AWS EXPERT, answered 2 years ago
EXPERT, reviewed 3 months ago
