Plugin to configure a single AWS CLI operation to invoke an API Gateway / Lambda method
```
$ pip install awscli-plugin-execute-api
```

If you installed awscli with Homebrew, use its bundled Python:

```
$ /usr/local/opt/awscli/libexec/bin/pip install awscli-plugin-execute-api
```

Then register the plugin with the CLI:

```
$ aws configure set plugins.execute-api awscli_plugin_execute_api
```
First configure a profile for the IAM user that has `execute-api:Invoke` permission:

```
$ export AWS_PROFILE=myprofile
$ aws configure
AWS Access Key ID [None]: AKIA...
AWS Secret Access Key [None]: pWim...
Default region name [None]: us-east-1
Default output format [None]: json
```
Next configure the plugin for an operation and its API Gateway invocation URL:
```
$ aws configure set dynamodb.update-table https://m303r7o808.execute-api.us-east-1.amazonaws.com/Prod/update-table
```
You can review or manually configure `$HOME/.aws/config`...
```ini
[plugins]
execute-api = awscli_plugin_execute_api

[profile myprofile]
region = us-east-1
output = json
dynamodb =
    update-table = https://m303r7o808.execute-api.us-east-1.amazonaws.com/Prod/update-table
```
Now run a command:
```
$ aws dynamodb update-table --table-name $TABLE_NAME --sse-specification Enabled=false

An error occurred (ValidationException) when calling the UpdateTable operation: Custom error from Lambda handler
```
You can use the `--debug` flag to verify the endpoint...
```
$ aws dynamodb update-table --debug --table-name $TABLE_NAME
Plugin awscli_plugin_execute_api: Config [myprofile] dynamodb.update-table => URL https://m303r7o808.execute-api.us-east-1.amazonaws.com/Prod/update-table
Plugin awscli_plugin_execute_api: renamed X-Amz-Target DynamoDB_20120810.UpdateTable

$ aws dynamodb describe-table --debug --table-name $TABLE_NAME
Plugin awscli_plugin_execute_api: Config [myprofile] dynamodb.describe-table not found
```
For security reasons we'd like to give an IAM user access to a limited subset of an AWS API call's functionality. For example, on the `dynamodb update-table` operation we'd like to allow a user to modify:

- Global indexes

But disallow them from modifying:

- Provisioned throughput
- Streams
- Server side encryption
A "serverless" solution includes:

- IAM User
  - Policy that disallows `dynamodb:UpdateTable`
  - Policy that allows `execute-api:Invoke` on an API Gateway resource
  - Access keys
- API Gateway Method
  - URL to POST an `update-table` request
  - AWS_IAM authorization
- Lambda Function
  - Policy that allows `dynamodb:UpdateTable`
  - Code that validates and performs the `update-table` request
- AWS CLI
  - Custom endpoint URL for the `dynamodb update-table` command
  - Request signature for API Gateway
This plugin registers a URL for a single CLI operation and automatically uses it.
```
$ aws configure set dynamodb.update-table https://m303r7o808.execute-api.us-east-1.amazonaws.com/Prod/update-table
$ aws dynamodb update-table --table-name $TABLE_NAME --sse-specification Enabled=false

An error occurred (ValidationException) when calling the UpdateTable operation: Modifying SSESpecification is not allowed
```
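The Lambda "code that validates and performs the `update-table` request" listed in the solution above is the piece that enforces the allow/deny split, and it is what produces the "Modifying SSESpecification is not allowed" error shown in the last command. The handler below is an added example for this README, not the project's own code. It assumes the API Gateway method is a Lambda proxy integration with AWS_IAM authorization, that the CLI's JSON request body arrives unchanged in `event["body"]`, and that the operation name arrives in the `X-Target` header (the renamed `X-Amz-Target` seen in the `--debug` output). The allow-list, the error messages, `FakeDynamoDB` and `make_event` are my own constructions; the error body shape is the DynamoDB JSON-protocol error format that botocore turns into the `An error occurred (ValidationException) ...` message.

```python
import json

# Operation name the plugin forwards in the X-Target header (the value shown
# as the renamed X-Amz-Target in the README's --debug output).
EXPECTED_TARGET = "DynamoDB_20120810.UpdateTable"

# Allow-list of top-level UpdateTable fields the CLI user may send. Global
# indexes are the permitted change; AttributeDefinitions is included because
# creating a GSI requires declaring its key attributes. (Assumed policy.)
ALLOWED_FIELDS = {"TableName", "AttributeDefinitions", "GlobalSecondaryIndexUpdates"}

# Fields that must never reach DynamoDB through this path, with the message
# the CLI user will see. (Assumed messages; the README shows the SSE one.)
DENIED_FIELDS = {
    "ProvisionedThroughput": "Modifying ProvisionedThroughput is not allowed",
    "StreamSpecification": "Modifying StreamSpecification is not allowed",
    "SSESpecification": "Modifying SSESpecification is not allowed",
}

JSON_HEADERS = {"Content-Type": "application/x-amz-json-1.0"}


class ValidationException(Exception):
    """The request touches something outside the permitted subset."""


def validate_update_table(request):
    """Return `request` unchanged if it only uses permitted fields; raise otherwise."""
    if not isinstance(request, dict):
        raise ValidationException("Request body must be a JSON object")
    for field, message in DENIED_FIELDS.items():
        if field in request:
            raise ValidationException(message)
    unknown = sorted(set(request) - ALLOWED_FIELDS)
    if unknown:
        # Deny by default: UpdateTable parameters AWS adds later must not slip through.
        raise ValidationException("Unsupported field(s): " + ", ".join(unknown))
    if not request.get("TableName"):
        raise ValidationException("TableName is required")
    return request


def error_response(message, status=400):
    """Error in the DynamoDB JSON-protocol shape (__type + message), which botocore
    reports as 'An error occurred (ValidationException) when calling the UpdateTable operation: ...'."""
    body = {"__type": "com.amazonaws.dynamodb.v20120810#ValidationException",
            "message": message}
    return {"statusCode": status, "headers": JSON_HEADERS, "body": json.dumps(body)}


def lambda_handler(event, context, dynamodb=None):
    """API Gateway (Lambda proxy) entry point. `dynamodb` is injectable for offline
    tests; in Lambda it defaults to a boto3 client under the function role that
    holds dynamodb:UpdateTable."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    target = headers.get("x-target", "")
    if target != EXPECTED_TARGET:
        return error_response("Unsupported target: %r" % target)
    try:
        request = validate_update_table(json.loads(event.get("body") or "{}"))
    except json.JSONDecodeError:
        return error_response("Request body is not valid JSON")
    except ValidationException as exc:
        return error_response(str(exc))
    if dynamodb is None:
        import boto3  # imported lazily so validation can be exercised without boto3 installed
        dynamodb = boto3.client("dynamodb")
    result = dynamodb.update_table(**request)
    body = {"TableDescription": result.get("TableDescription", {})}
    return {"statusCode": 200, "headers": JSON_HEADERS, "body": json.dumps(body, default=str)}


class FakeDynamoDB:
    """Stand-in for the boto3 client so the handler runs offline (constructed for this example)."""

    def __init__(self):
        self.calls = []

    def update_table(self, **request):
        self.calls.append(request)
        return {"TableDescription": {"TableName": request["TableName"], "TableStatus": "UPDATING"}}


def make_event(request):
    """Construct a minimal proxy event in the shape the plugin's POST would produce (constructed sample)."""
    return {
        "httpMethod": "POST",
        "path": "/update-table",
        "headers": {"X-Target": EXPECTED_TARGET, "Content-Type": "application/x-amz-json-1.0"},
        "body": json.dumps(request),
    }


if __name__ == "__main__":
    client = FakeDynamoDB()
    denied = lambda_handler(make_event({"TableName": "Orders", "SSESpecification": {"Enabled": False}}), None, client)
    print(denied["statusCode"], denied["body"])
    gsi = {"TableName": "Orders",
           "AttributeDefinitions": [{"AttributeName": "CustomerId", "AttributeType": "S"}],
           "GlobalSecondaryIndexUpdates": [{"Create": {"IndexName": "ByCustomer",
                                                       "KeySchema": [{"AttributeName": "CustomerId", "KeyType": "HASH"}],
                                                       "Projection": {"ProjectionType": "ALL"}}}]}
    allowed = lambda_handler(make_event(gsi), None, client)
    print(allowed["statusCode"], allowed["body"])
```

The allow-list rather than a deny-list is the important design choice: a request that carries any field outside the three permitted ones is rejected, so a parameter added to `UpdateTable` in a future API version cannot bypass the restriction by being unknown to the handler. The `X-Target` check keeps a caller from reusing the same gateway URL for a different DynamoDB operation, and the 400 response mirrors the service's own error format so the CLI prints it exactly as the README shows.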
The CLI user needs API execution permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:303718836660:m303r7o808/*/POST/update-table"
      ]
    }
  ]
}
```
The CLI operation is in the `X-Target` header, since `X-Amz-Target`