Layer7 API Management

  • 1.  Lookup in dynamodb from apigw

    Posted Jul 09, 2018 04:23 AM

    Hi Guys,

    Has any one configured lookup / query / GetItem in dynamodb from apigw? I'm struggling to get it work, so far I have configured these in my policy


    1. Set Context variable - JSON Payload

       Key: {
        'ID' : {S: 'token'},
        'Status' :  {N: '1'}
       TableName: 'token-table'


    2. AWS 4 Signer - configured resource, aws access_id and key


    3. Route via Http -${aws4auth.resource}

    with POST and RequestSource = context var from step 1


    Headers set as below:

    Authorization: ${aws4Auth.http.Authorization}

    X-Amz-Date: ${aws4Auth.http.X-Amz-Date}

    x-amz-content-sha256: ${aws4Auth.http.x-amz-content-sha256}

    X-Amz-Target: DynamoDB_20120810.GetItem



    I get ---> {"__type":""}


    Would appreciate any help with this.




  • 2.  Re: Lookup in dynamodb from apigw

    Broadcom Employee
    Posted Jul 09, 2018 07:28 PM

    Dear Kunal,

    It seems you copied the sample from aws document,

    in X-Amz-Target: DynamoDB_20120810.GetItem

    DynamoDB_20120810 should be your real dynamodb name.


    I also doubt with the route via http url, as per example in DynamoDB Low-Level API - Amazon DynamoDB , you should not need ${aws4auth.resource} in the url


    from Examples of the Complete Version 4 Signing Process (Python) - Amazon Web Services , there is python example to access dynamodb, so to configure your AWS 4 Signer assertion, you should not need to set resource field,

    only following filed,

    You may set method, service, host, region, endpoint, etc. for AWS 4 Signer assertion as the example as below,

    # AWS Version 4 signing example 
    # DynamoDB API (CreateTable)
    # See:
    # This version makes a POST request and passes request parameters
    # in the body (payload) of the request. Auth information is passed in
    # an Authorization header. import sys, os, base64, datetime, hashlib, hmac import requests
    # pip install requests
    # ************* REQUEST VALUES *************
    method = 'POST'
    service = 'dynamodb'
    host = ''
    region = 'us-west-2'
    endpoint = ''
    # POST requests use a content type header. For DynamoDB,
    # the content is JSON.

    content_type = 'application/x-amz-json-1.0'

    # DynamoDB requires an x-amz-target header that has this format:
    # DynamoDB_<API version>.<operationName>

    amz_target = 'DynamoDB_20120810.CreateTable'




  • 3.  Re: Lookup in dynamodb from apigw

    Broadcom Employee
    Posted Jul 09, 2018 08:11 PM

    Maybe I have misunderstanding on X-Amz-Target, it should name of operation --

    DynamoDB_<API version>.<operationName>

  • 4.  Re: Lookup in dynamodb from apigw

    Posted Jul 10, 2018 01:06 AM

    Thanks Mark - for AWS 4 Signer assertion resource is a mandatory field.

    I removed ${aws4auth.resource} in the url from Route assertion, now I get following error


    {"__type":"","message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}

  • 5.  Re: Lookup in dynamodb from apigw

    Broadcom Employee
    Posted Jul 10, 2018 01:37 AM

    So, the AWS 4 Signer assertion didn't generate the correct signature.

    What did you put in the resource field? you may try slash(/) only

  • 6.  Re: Lookup in dynamodb from apigw
    Best Answer

    Posted Jul 10, 2018 11:06 PM

    Finally got this working with below configurations. Thanks for your assistance Mark!