Layer7 API Management

Expand all | Collapse all

Lookup in dynamodb from apigw

Jump to Best Answer
  • 1.  Lookup in dynamodb from apigw

    Posted 07-09-2018 04:23 AM

    Hi Guys,

    Has any one configured lookup / query / GetItem in dynamodb from apigw? I'm struggling to get it work, so far I have configured these in my policy

     

    1. Set Context variable - JSON Payload

    {
       Key: {
        'ID' : {S: 'token'},
        'Status' :  {N: '1'}
       },
       TableName: 'token-table'
      }

     

    2. AWS 4 Signer - configured resource, aws access_id and key

     

    3. Route via Http - http://dynamodb.ap-southeast-2.amazonaws.com/${aws4auth.resource}

    with POST and RequestSource = context var from step 1

     

    Headers set as below:

    Authorization: ${aws4Auth.http.Authorization}

    X-Amz-Date: ${aws4Auth.http.X-Amz-Date}

    x-amz-content-sha256: ${aws4Auth.http.x-amz-content-sha256}

    X-Amz-Target: DynamoDB_20120810.GetItem

     

     

    I get ---> {"__type":"com.amazon.coral.service#SerializationException"}

     

    Would appreciate any help with this.

     

    Thanks,

    Kunal



  • 2.  Re: Lookup in dynamodb from apigw

    Posted 07-09-2018 07:28 PM

    Dear Kunal,

    It seems you copied the sample from aws document,

    in X-Amz-Target: DynamoDB_20120810.GetItem

    DynamoDB_20120810 should be your real dynamodb name.

     

    I also doubt with the route via http url, as per example in DynamoDB Low-Level API - Amazon DynamoDB , you should not need ${aws4auth.resource} in the url

     

    from Examples of the Complete Version 4 Signing Process (Python) - Amazon Web Services , there is python example to access dynamodb, so to configure your AWS 4 Signer assertion, you should not need to set resource field,

    only following filed,

    You may set method, service, host, region, endpoint, etc. for AWS 4 Signer assertion as the example as below,

    # AWS Version 4 signing example 
    # DynamoDB API (CreateTable)
    # See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
    # This version makes a POST request and passes request parameters
    # in the body (payload) of the request. Auth information is passed in
    # an Authorization header. import sys, os, base64, datetime, hashlib, hmac import requests
    # pip install requests
    # ************* REQUEST VALUES *************
    method = 'POST'
    service = 'dynamodb'
    host = 'dynamodb.us-west-2.amazonaws.com'
    region = 'us-west-2'
    endpoint = 'https://dynamodb.us-west-2.amazonaws.com/'
    # POST requests use a content type header. For DynamoDB,
    # the content is JSON.

    content_type = 'application/x-amz-json-1.0'

    # DynamoDB requires an x-amz-target header that has this format:
    # DynamoDB_<API version>.<operationName>

    amz_target = 'DynamoDB_20120810.CreateTable'

     

    Regards,

    Mark



  • 3.  Re: Lookup in dynamodb from apigw

    Posted 07-09-2018 08:11 PM

    Maybe I have misunderstanding on X-Amz-Target, it should name of operation --

    DynamoDB_<API version>.<operationName>


  • 4.  Re: Lookup in dynamodb from apigw

    Posted 07-10-2018 01:06 AM

    Thanks Mark - for AWS 4 Signer assertion resource is a mandatory field.

    I removed ${aws4auth.resource} in the url from Route assertion, now I get following error

     

    {"__type":"com.amazon.coral.service#InvalidSignatureException","message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}



  • 5.  Re: Lookup in dynamodb from apigw

    Posted 07-10-2018 01:37 AM

    So, the AWS 4 Signer assertion didn't generate the correct signature.

    What did you put in the resource field? you may try slash(/) only



  • 6.  Re: Lookup in dynamodb from apigw
    Best Answer

    Posted 07-10-2018 11:06 PM

    Finally got this working with below configurations. Thanks for your assistance Mark!