Intro
One of the authorization methods that AWS supports for the API Gateway endpoints is
IAM authorization.
Two things are required to use IAM auth:
- a request signed using Signature Version 4
- the `execute-api` permission set up for the client for the invoked endpoint
There are other authorization methods available, such as Lambda authorizers or JWT authorizers; you can read more about them here.
In today's blog post, I will show you how to send a request to a microservice that is protected by IAM auth.
The problem
For the purpose of this blog post, let's imagine we have two microservices: Microservice A and Microservice B.
Both of them were built using AWS Lambda and API Gateway.
We own Microservice A, and some other team owns Microservice B.
We want to call Microservice B to get the response. It exposes the endpoint `GET /items`, and this endpoint is protected by IAM auth.
Solution
```python
import os
from logging import Logger
from urllib.parse import urlparse

import requests
from aws_requests_auth.boto_utils import BotoAWSRequestsAuth
from requests.exceptions import RequestException


class MicroserviceBClientClientError(Exception):
    pass


class MicroserviceBClient:
    def __init__(self, base_url: str, logger: Logger) -> None:
        self._base_url = base_url
        self._logger = logger

    @property
    def auth(self) -> BotoAWSRequestsAuth:
        # Credentials are resolved by botocore (environment variables, config
        # files or the IAM role), so no keys are hard-coded here.
        return BotoAWSRequestsAuth(
            aws_host=urlparse(self._base_url).hostname,
            aws_region=os.environ["AWS_REGION"],
            aws_service="execute-api",
        )

    def get_items(self) -> None:
        try:
            self._logger.info("Getting items from MicroserviceB!")
            # The endpoint is GET /items; the HTTP method is part of the
            # signed request, so it has to match the method being invoked.
            response = requests.get(
                f"{self._base_url}/items",
                auth=self.auth,
                timeout=10,  # do not block forever on a stalled connection
            )
            response.raise_for_status()
            self._logger.info(f"Successful request! Response = {response.json()}")
        except RequestException as error:
            self._logger.error(
                f"An error occurred during request to `MicroserviceB` service! Error = {error}"
            )
            raise MicroserviceBClientClientError from error
```
The `aws-requests-auth` library does most of the work for us.
We need to provide the hostname of the service we want to call, the AWS region, and the service, which in our case is `execute-api`, as we are working in a serverless Lambda environment.
`BotoAWSRequestsAuth` generates the appropriate headers and adds them to the `requests` object.
All we need to do is pass it as the `auth` param to the `requests` method.
Summary
It is as simple as that 😉 I hope you enjoyed it.
There are other methods that you can use to make such a request.
The one I showed you is simple and easy.
I have tested it on production, it is working 😉.