# Securing AWS API Gateways with AWS SigV4

## Install Dependencies

In [9]:
! pip install --quiet --upgrade pip
! pip install --quiet boto3 'boto3-stubs[cloudformation,apigateway]' httpx PyYAML==6.0.2 rich

## Constants

In [3]:
AWS_PROFILE = "sean-mlops-club"
AWS_REGION = "us-west-2"

import os

os.environ["AWS_PROFILE"] = AWS_PROFILE
os.environ["AWS_REGION"] = AWS_REGION

In [4]:
import httpx
from rich import print
from utils import print_http_request, print_http_response

## Setup: Create an API Gateway with various authentication methods

Use a tool called CloudFormation to create an API Gateway like the following:

<img src="./auth-api.png" width="600">

| Route                          | API Key Required | Authorizer  | Hard-coded response |
|--------------------------------|------------------|-------------|---------------------|
| `/auth/api-key`                | Yes              | `NONE`        | `{"message": "success"}` |
| `/auth/iam-sigv4`              | No               | `AWS_IAM`     | `{"message": "success"}` |
| `/auth/iam-sigv4-and-api-key`  | Yes              | `AWS_IAM`     | `{"message": "success"}` |
  

In [5]:
# utils.py is a sibling file to this one
from utils import create_cloudformation_stack

stack_outputs: dict[str, str] = create_cloudformation_stack(
    stack_name="AuthAPIStack",
    template_fpath="/home/sean90/cloud-course-project-sean/cloudformation_template.yaml",
    aws_region=AWS_REGION,
)
print("Stack outputs:", stack_outputs)

View stack 'AuthAPIStack' in the CloudFormation console at 'https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/stackinfo?filteringText=&filteringStatus=active&viewNested=true&hideStacks=false&stackId=AuthAPIStack'.
Stack AuthAPIStack does not exist, no need to delete.
Creating stack AuthAPIStack.


## Get important values from the created API Gateway

In [6]:
from utils import lookup_api_key_value

STAGE_URL: str = stack_outputs["ApiGatewayUrl"]
API_KEY_ID: str = stack_outputs["ApiKeyId"]
API_KEY: str = lookup_api_key_value(api_key_id=API_KEY_ID, aws_region=AWS_REGION)

print(
    f"""\
STAGE_URL:\t{STAGE_URL}
API_KEY_ID:\t{API_KEY_ID}
API_KEY:\t{API_KEY}"""
)

## Request with API Key: `/auth/api-key`

We only need to provide the `x-api-key` header.

In [8]:
import httpx

request = httpx.Request(
    method="GET",
    url=f"{STAGE_URL}/auth/api-key",
    headers={"x-api-key": API_KEY},
)

print_http_request(request)
response = httpx.Client().send(request)
print_http_response(response)

## Request with SigV4 Auth: `/auth/iam-sigv4`

This auth approach is much more complicated than just setting an `x-api-key` header.

Instead of taking an `x-api-key` header, the `/auth/iam-sigv4` route is configured to use an `AWS_IAM` authorizer.

The `AWS_IAM` authorizer requires us to compute a special hash value and set it as the `Authorization:` HTTP header.

The inputs of the hash value are this:

<img src="./sigv4.png" width="700">

📌 Here is an [online SigV4 signature calculator](https://datafetcher.com/aws-signature-version-4-calculator)
you can plug values into to calculate signature. **Do not use your real AWS credentials**.

<img src="./online-sigv4-calculator.png" width="600">

### Long-term credentials

The AWS key pair needs to be associated with a role or a user who has this policy in order
to be authorized to invoke our API endpoints.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:<region>:<account-id>:<api-id>/prod/GET/auth/iam-sigv4",
                "arn:aws:execute-api:<region>:<account-id>:<api-id>/prod/GET/auth/iam-sigv4-and-api-key"
                // this line has no effect since the API Gateway does not 
                // have an AWS_IAM on this method anyway
                "arn:aws:execute-api:<region>:<account-id>:<api-id>/prod/GET/auth/api-key",
            ]
        }
    ]
}

```

### Inputs that cannot be derived from the request

A lot of these inputs, e.g. HTTP method, path, params, today's date, can be calculated by the client.

But there are some inputs that have to be provided by configuration or environment variables.

Here is a screenshot from Postman shows which static inputs cannot be derived.

⚠️ If you delete an AWS IAM access key pair, or change the region your API Gateway is deployed in,
you will **break existing clients**.

<img src="./postman-auth-selection-w-sigv4.png" width="300">

<img src="./sigv4-postman.png" width="700">

### Calculating the signature

Here is a function that takes an `httpx.Request` object and uses the AWS credentials from the
currently active `AWS_PROFILE` to compute the hash value.

The hashing algorithm uses the `HMAC-SHA256` algorithm several times. Here is a high-level
view from the AWS docs on what that calculation looks like:

<img src="./sigv4-calculation.png" width="500">

It is really easy to get the SigV4 signature calculation wrong so we will cheat and use `boto3` to do it for us 😅.

It makes sense that the AWS SDK would have facilities for calculating these signatures given that
this is the auth method the AWS SDK uses to make authenticated calls to all AWS services.

As you can see, it does not take much code to calculate these using `boto3`. And there are more abstracted, unofficial 3rd-party
libraries like `requests-auth-aws-sigv4` which basically contain this function:

In [10]:
import httpx
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
from botocore.credentials import ReadOnlyCredentials
from botocore.session import get_session
from utils import print_request_details


def sign_httpx_request(request: httpx.Request, aws_region: str, service_name: str = "execute-api", print=False):
    aws_request = AWSRequest(
        method=request.method, url=str(request.url), data=request.content, headers=dict(request.headers)
    )

    # get the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the currently active AWS profile
    session = get_session()
    credentials: ReadOnlyCredentials = session.get_credentials().get_frozen_credentials()

    # use those credentials to calculate the SigV4 hash aka "signature"
    SigV4Auth(credentials, service_name, aws_region).add_auth(aws_request)

    # mutate the httpx.Request object: add the Authorization, X-Amz-Date, and X-Amz-Security-Token headers
    for key, value in aws_request.headers.items():
        request.headers[key] = value

    # Pretty print the inputs and final signed request using Rich
    if print:
        print_request_details(request, aws_request, aws_region, service_name, credentials)

### Request: `GET /auth/iam-sigv4` (unsigned)

First, let's see what happens when we try to make a request to the `/auth/iam-sigv4` route without
signing it. Spoiler: it will fail.

In [11]:
# Test /auth/iam-sigv4 (SigV4 required, no API Key)
request = httpx.Request("GET", f"{STAGE_URL}/auth/iam-sigv4")

print("Original Request")
print_http_request(request)
response = httpx.Client().send(request)
print_http_response(response)

### Request: `GET /auth/iam-sigv4` (signed)

Now, we will use the `sign_httpx_request` function to calculate the `Authorization` header and
then make the request to our API Gateway.

Note, that it adds an `X-Amz-Date` and `X-Amz-Security-Token` headers to the request as well.

`X-Amz-Date` is the datetime that the signature was calculated. AWS can use this to check if the request is "expired".

Signatures expire 15 minutes after they are created (with the exception of using them for AWS S3--oddly).

In [12]:
print("Signed Request")
# mutate the request: hash the request with the SigV4 algorithm and add the resulting headers to the request
sign_httpx_request(request=request, aws_region=AWS_REGION, service_name="execute-api", print=True)
print_http_request(request)
response = httpx.Client().send(request)
print_http_response(response)

### Request: `GET /auth/iam-sigv4-and-api-key`

This route requires both an API key and a signed request.

AWS warns against using API keys to secure your API (because they don't support authorization or authentication, and they don't expire).

BUT API Keys are excellent for metering the number of requests made to your API, for example to enforce rate limits and quotas, and to calculate usage-based billing.

So AWS recommends using AWS API Keys *as a supplement to* methods for authentication and authorization, such as AWS SigV4 or other alternatives like OAuth 2.0 with JSON Web Tokens (JWTs).

This example shows how they might both be used together.

**Notice** that the `x-api-key` header us included in the `SignedHeaders` portion of the AWS SigV4 signature.

In [13]:
# Test /auth/iam-sigv4-and-api-key (SigV4 + API Key required)
request = httpx.Request("GET", f"{STAGE_URL}/auth/iam-sigv4-and-api-key", headers={"x-api-key": API_KEY})

print_http_request(request)
sign_httpx_request(request, aws_region=AWS_REGION)
print_http_request(request)
response = httpx.Client().send(request)
print_http_response(response)