Reverse Proxy Elastic Search with AWS Credentials


I am new to Apigee, and trying to uncover which aspects of our stack we can replace.

Currently we run an NGINX reverse proxy in front of an AWS Managed Elastic Search service.

NGINX adds AWS Credentials to requests for the Elastic Search service with a region, accesskey and secretkey which AWS can use to verify that requests are allowed.

As I understand it, the credentials are standard for most of Amazon's managed services (http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Credentials.html).

I would like to replace our NGINX with Apigee, but what options do I have to use AWS credentials? Am I forced to create a NodeJS proxy, or does the ReverseProxy support this out of the box?


Hello @dkminith!

There are a couple of ways to implement this. I implemented HMAC256, which was based on Amazon's implementation, through Apigee for another client. We issued access tokens from an OAuth proxy, so that protected the API from unauthorized use. Once the proxy validated the access token, then it generated an HMAC signature based on specific headers and the payload and it added the Authorization header with the signature to the final request to the target service. It also removed the access token from the final request, since the target service did not require it. In this implementation we basically swapped the access token for an HMAC signature.

If you don't plan to implement it as I outlined above, then you would have to pass the AWS signature via an Authorization header on the request to Apigee Edge and it passes headers through to the target service. In this instance, the Apigee proxy is not protected from unauthorized use, but the Elastic Search Service is protected. You could implement it this way as POC, but I would recommend protecting the API with OAuth. The AWS Authorization header looks something like this (pulled from the Amazon docs).

Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7

I think the hardest part will be generating the AWS signature.

Are you trying to swap the AWS signature with a client ID and secret from Apigee?

Are you planning to use the Amazon SDKs or are you going to use the AWS Elastic Search API directly? The AWS SDKs will generate the signature for you.

Hello swilliams,

I am trying the Python implementation mentioned in the Amazon link below, using a Python policy in my Apigee API, but I keep getting the error below. Please share the implementation you used to generate the signature and the AWS4-HMAC-SHA256 Authorization header. Please advise whether a Python, Node.js or Java callout was used to generate the signature and the AWS4-HMAC-SHA256 Authorization header.

Amazon URL : https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html

Error :

"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details

Hi @P shah Please post this as a new question. Thanks.



@dkminith There are multiple ways to do it, depending on how you want to implement this. For example, if you are connecting to AWS using APIs, you could simply create a proxy that injects the credentials for the AWS access key and secret. This can be done in a simple pass-through proxy with a KeyValueMap policy (to retrieve the credentials) and an AssignMessage or JavaScript policy that injects the credentials into the outgoing request.

If you are worried about storing the aws credentials securely, you can use "vault". In that case you have to use node.js since vault is not accessible as a policy unlike keyvaluemaps. Here's an example

The other option is to have your own Node.js script that interacts with the AWS endpoints. You can take a look at the Apigee Volos connector project for some inspiration. Please refer to the volos connectors project on GitHub.

There are examples showing how the Volos connector lets you connect to AWS S3, AWS SNS and other services using Node.js and Apigee Edge.