Questions tagged with Amazon API Gateway

How to know if my Lambda Authorizer for API Gateway is caching results?

I have a Lambda Authorizer for an API Gateway API with one resource and three methods - PUT / GET / DELETE. Each method uses the same Lambda Authorizer, the TOKEN kind, to verify a JWT from Cognito. An IAM policy is returned by the Lambda which allows PUT / GET / DELETE actions on the resource. The authorization and policy work fine -- I just don't know if the result is being cached by API Gateway.

When I look at the API Gateway execution logs, every request seems to be calling the Lambda Authorizer. Every API Gateway execution log has a line like this:

```
Sending request to https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:MY_LAMBDA_FUNCTION:prod/invocations
```

**Does this invocation of the Lambda function mean that the Lambda Authorizer is not caching properly?**

After the "Sending request" log line, there's a line like "Authorizer result body before parsing" and then this line:

```
Using valid authorizer policy for principal: *****user
```

**Does this statement indicate that the Lambda Authorizer is using a cached policy?**

The strange thing is... when I check the Lambda logs, the execution times vary wildly, almost as if the Lambda itself is caching the result... but I think the caching happens on the API Gateway side? What's going on here?

Sample of Lambda duration times: 529ms, 10ms, 217ms, 213ms, 8ms, 2ms
0 answers, 0 votes, 19 views
asked a day ago

mutual TLS authentication for Amazon API Gateway - With my existing public key infrastructure (PKI) standard.

Hello Team,

I am trying to enable mTLS for Amazon API Gateway for my endpoint, and I have my existing public key infrastructure (PKI) for my domain (.crt & .key). While trying to upload my existing root CA public key to an S3 bucket, I am getting an error like "API Gateway couldn’t build a unique path from the given certificate to a root certificate".

I am following the setup using this link, Ref: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

Note: I am not using openssl to generate the RootCA.pem & RootCA.key.

Step 1 (SKIP): Create the private certificate authority (CA) private and public keys:

```
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem
```

Step 2: Create the client certificate private key and certificate signing request (CSR):

```
openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr
```

Step 3: Sign the newly created client cert by using the certificate authority you previously created:

```
openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out my_client.pem -days 3650 -sha256
```

Step 4: I have a minimum of five files in my directory:

- RootCA.key (root CA private key)
- RootCA.pem (root CA public key)
- my_client.csr (client certificate signing request)
- my_client.key (client certificate private key)
- my_client.pem (client certificate public key)

Step 5: Prepare a PEM-encoded trust store file for all certificate authority public keys you want to use with mutual TLS:

```
cp RootCA.pem truststore.pem
```

Step 6: Upload the trust store file to an Amazon S3 bucket in the same AWS account as our API Gateway API:

```
aws s3 mb s3://your-name-ca-truststore --region us-east-1 # creates a new S3 bucket – skip if using existing bucket
aws s3api put-bucket-versioning --bucket your-name-ca-truststore --versioning-configuration Status=Enabled # enables versioning on S3 bucket
aws s3 cp truststore.pem s3://your-name-ca-truststore/truststore.pem # uploads object to S3 bucket
```

Step 7: Enable mutual TLS on the custom domain name I have in the AWS API Gateway console. While I upload my existing root CA public key to the S3 bucket, I am getting errors like:

Error: "API Gateway couldn’t build a unique path from the given certificate to a root certificate".

Error: "There is an invalid certificate in your truststore bundle. Mutual TLS is still enabled, but some clients might not be able to access your API. Upload a new truststore bundle version to S3, and then update your domain name to use the new version."
1 answer, 0 votes, 11 views
asked 2 days ago

WebsocketApi Lambda and connect ECONNREFUSED

Hello, I've been setting up a Websocket API with Lambda and I received the following error:

```
<message-id> INFO Error: connect ECONNREFUSED <ip>
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1300:16) {
  errno: -111,
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: <ip>,
  port: 80,
  '$metadata': { attempts: 1, totalRetryDelay: 0 }
```

Env is Node18 and Postman (ws) as a client.

Lambda's code:

```
import { ApiGatewayManagementApiClient, DeleteConnectionCommand, PostToConnectionCommand } from "@aws-sdk/client-apigatewaymanagementapi";

const api = new ApiGatewayManagementApiClient({
  endpoint: 'wss://<id>.execute-api.<region>.amazonaws.com/production',
  region: 'eu-central-1'
});

export const handler = async (event) => {
  console.log(event);
  const { routeKey, connectionId } = event?.requestContext;
  let msg;
  console.log(`Request key is ${routeKey} and connectionID is ${connectionId}`);
  switch (routeKey) {
    case '$connect':
      msg = 'connected My friend';
      break;
    case '$disconnect':
      msg = 'disconnected my friend';
      break;
    case 'message':
      try {
        await replyToMessage(connectionId, 'RAMP PAM PAM');
      } catch (e) {
        console.log('EXEPTION ALARM');
        console.log(e);
      }
      break;
    default:
      console.log('something bad happened', routeKey);
      break;
  }
  // TODO implement
  const response = { statusCode: 200 };
  return response;
};

const replyToMessage = async (ConnectionId, message) => {
  const data = { message };
  const cmd = new PostToConnectionCommand({
    ConnectionId,
    Data: Buffer.from(JSON.stringify(data))
  });
  // await the send so the caller's try/catch sees a failed request and
  // the log shows the response rather than a pending Promise
  const result = await api.send(cmd);
  console.log(result);
  return result;
};
```

Lambda's policy:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "execute-api:*",
      "Resource": "arn:aws:execute-api:<region><id>:<api-id>/production/*"
    }
  ]
}
```

Thank you in advance, Arczik!
1 answer, 0 votes, 22 views
Arczik asked 6 days ago
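The ApiGatewayManagementApi callback endpoint is an `https://` URL made of the API's domain and stage, both of which arrive in `event.requestContext`; it is not the `wss://` URL that clients connect to. The following added example (not the poster's code) derives the endpoint from the event and keeps the route handling separate from the SDK client so it can be exercised without AWS access; the SDK wiring at the end assumes the same `@aws-sdk/client-apigatewaymanagementapi` import as in the post.

```javascript
// Added example, not the poster's code. The management endpoint is
// https://<domain>/<stage>; event.requestContext carries both parts.
function callbackEndpoint(requestContext) {
  const { domainName, stage } = requestContext || {};
  if (!domainName || !stage) {
    throw new Error("requestContext.domainName and requestContext.stage are required");
  }
  return `https://${domainName}/${stage}`;
}

// Route one WebSocket event. postToConnection(connectionId, bytes) is injected so
// the logic runs without the SDK; in Lambda it wraps PostToConnectionCommand.
async function routeEvent(event, postToConnection) {
  const { routeKey, connectionId } = event.requestContext;
  switch (routeKey) {
    case "$connect":
    case "$disconnect":
      // Nothing can be posted to a connection while $connect is still running;
      // returning 200 accepts it.
      return { statusCode: 200 };
    case "message": {
      const reply = Buffer.from(JSON.stringify({ message: "RAMP PAM PAM" }));
      try {
        await postToConnection(connectionId, reply);
        return { statusCode: 200 };
      } catch (err) {
        // GoneException (410): the client already disconnected; not a server fault.
        if (err && err.name === "GoneException") return { statusCode: 410 };
        throw err; // anything else (e.g. ECONNREFUSED from a bad endpoint) surfaces
      }
    }
    default:
      return { statusCode: 400, body: `unknown route ${routeKey}` };
  }
}

// Lambda wiring, as a comment so the file above runs without the SDK installed:
// import { ApiGatewayManagementApiClient, PostToConnectionCommand }
//   from "@aws-sdk/client-apigatewaymanagementapi";
// export const handler = (event) => {
//   const api = new ApiGatewayManagementApiClient({ endpoint: callbackEndpoint(event.requestContext) });
//   return routeEvent(event, (ConnectionId, Data) =>
//     api.send(new PostToConnectionCommand({ ConnectionId, Data })));
// };
```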