Using AWS Lambda to Sign Requests
Parker Erway edited this page Mar 24, 2017 · 2 revisions
As of v2.0.0, direct support for AWS Lambda has been removed because `customAuthMethod` can be used to implement it directly.
- Include the AWS SDK for JavaScript, either directly or through bower or browserify:

```html
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.2.43.min.js"></script>
```

- Create a `customAuthMethod` (see: signing_example_lambda.js).

  The custom authorization method should use AWS Lambda to calculate the signature. The function will receive the signHeaders, signParams, string to sign and datetime used to calculate the string to sign.
- Set up an IAM user with permissions to call your Lambda function. This user should be separate from the one that can upload to S3. Here is a sample policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1431709794000",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:...:function:cw-signer"
      ]
    }
  ]
}
```
- Pass the custom auth method to Evaporate and do not specify `signerUrl`:

```js
function authByAwsLambda (signParams, signHeaders, stringToSign, dateString) {
  return new Promise(function (resolve, reject) {
    // Credentials of the IAM user that is only allowed to invoke the signer function
    var awsLambda = new AWS.Lambda({
      region: 'lambda region',
      accessKeyId: 'a key that can invoke the lambda function',
      secretAccessKey: 'the secret'
    });
    awsLambda.invoke({
      FunctionName: 'arn:aws:lambda:...:function:cw-signer', // arn of your lambda function
      InvocationType: 'RequestResponse',
      Payload: JSON.stringify({
        to_sign: stringToSign,
        sign_params: signParams,
        sign_headers: signHeaders
      })
    }, function (err, data) {
      if (err) {
        return reject(err);
      }
      if (data.FunctionError) {
        // The function itself failed: the payload describes the error, not a signature
        return reject(new Error(data.Payload));
      }
      // The response payload is JSON; the parsed value is the signature
      resolve(JSON.parse(data.Payload));
    });
  });
}

Evaporate.create({
  aws_key: 'your aws_key here',
  bucket: 'your s3 bucket name here',
  customAuthMethod: authByAwsLambda
})
  .then(function (evaporate) {
    evaporate.add(...);
  });
```