IAM authorizer for the API endpoint #377
Comments
|
Previous discussion alternatives/points to research and implement:
|
|
They can't be stacked on the same route - so we need an alternative endpoint - either route based, or endpoint based. So assuming we leave the existing endpoints/gateway in place unchanged
What is preferrable to add in to support IAM. https://api-native.data.prod.umccr.org/lims/2866 or https://api.data.prod.umccr.org/**iam**/lims/2866 The first allows common swagger docs and shared code (i.e the API paths don't change) - the only thing different between scripts in IAM mode v JWT mode would be the specification of the base url. But it results in two entirely different API gateways (cost? possibility of config drift?) The second is a smaller change in that we just add the lambdas a second time on a new route - with people having to know the magic prefix in their routes for IAM usage.. |
|
The magic IAM path option seems like the most reasonable option (to me), but I totally defer to Victor's opinion on this. |
|
Is there no option to use Cognito? It should support SSO and the translation between IAM and tokens I thought? |
Ah well (sigh). Thanks for checking it out. They are still not supporting it... Happy to adopt either option, TBH. As long as it supports the use case (i.e. SageMaker & those analytics scenarios, etc...). I still wonder; will SageMaker be able to query endpoint with |
|
Yes @victorskl - Sagemaker code would need to be doing v4 signing on any api calls (we can provide an example Requests client for the sagemaker notebook that does that).. or people would need to use @reisingerf It's possible Cognito can play a role here - but I'm not sure how that matches up with the use case from Roman. IAM creds are the only thing that services within aws are going to have unless we can somehow do cognito login processes inside Sagemaker? Would that be preferrable - make no changes to the API endpoint but write some scripts for sagemaker that simulate cognito/oauth flows inside sagemaker? We'd still end up with a bearer token that needs to be passed in and refreshed - and that was what Roman was trying to avoid? |
|
Also, the concept of user identity available in the api lambdas will surely be different between a JWT authed request and an IAM authed request. Is there anything in particular to look out for re: caller identity I should look at. Are there internal API authorisations/roles etc? Or is the caller identity really just logged and ignored? |
|
Hm, I see. However, if automated services are the clients, then that's another story, yes. There I agree with an additional route/path. |
|
I was with you - I thought initially he meant to somehow hook into the SSO sign in/interactive of notebooks. But the comments at the start of this tickets made me think he meant the other - @brainstorm can you clarify? |
|
Actually, I was thinking of having both:
Makes sense? |
* This effectively support without needing setup PORTAL_TOKEN environment variable but using AWS CLI credential or IAM role. * Updated README and a couple of examples for possible backend and end user ad-hoc use case code snippet. * R example is still using Python for v4 signing facility and http `requests` package; through `reticulate` R library. This can be improved to pure R with `httr` and `cloudyr`. * Related to #415 #377
Currently the API is consumed via temporal API Tokens and this works great! .. For one off explorations.
When using notebooks and other internal systems on AWS (i.e Sagemaker), it'd be great if we could have IAM auth'd requests to the same endpoint. That would guarantee that analysis (and other data explorations within AWS) and also future microservices leverage AWS's IAM directly instead of extra logic around bearer tokens (management of auto renewal & co).
The text was updated successfully, but these errors were encountered: