Simple yet powerful API authorization scheme leveraging transport layer trust

X.509 certificates are at the core of Mutual TLS (MTLS) based authentication. Essentially, a certificate represents the identity of a client or partner and is used to authenticate that trusted party. This post describes an API authorization scheme that builds on this transport-layer trust to authorize a client or partner to call APIs deployed on Amazon API Gateway. Note that the scheme carries no user context: it authorizes the calling system identified by the certificate, not an end user. …

On-boarding trusted clients and partners on Amazon API Gateway gets more secure with Mutual TLS

Photo by Liane Metzler on Unsplash

Mutual TLS or MTLS is the de-facto transport layer security standard used in critical Business-to-Business (B2B) and Internet of Things (IoT) integrations. Essentially, Mutual TLS establishes two-way trust on a client-server communication channel. So it is not just the client that verifies the identity of the server (which is the case with standard HTTPS-based communication via a browser); the server also verifies the identity of the client. In short, MTLS is used to authenticate a trusted client/partner based on X.509 certificates. …

Photo by Freddie Collins on Unsplash

Simple yet elegant batch processing with S3, Lambda, DynamoDB and SNS

An interesting way to process a batch of records in the AWS serverless world is to combine the event-triggering capabilities of S3 with the power of Lambda, backed by a database service like DynamoDB, and finally SNS for notifications. For simple batch processing scenarios, this solution can be very effective. So, if you are looking for an easy, powerful and serverless way to process records in a batch, this post might be of interest.

We’ll quickly leaf through the preamble of what we intend to achieve and then talk about some of the ‘potholes’ along the way to watch out…

Photo by Silas Köhler on Unsplash

“The only secrets are the secrets that keep themselves”- George Bernard Shaw

Leveraging a service like AWS Secrets Manager to outsource secure storage and life-cycle management of secrets (passwords, API keys, tokens, encryption keys, etc.) is becoming quite commonplace. Essentially, this practice keeps the application code clean and devoid of any sensitive information that might otherwise get leaked. The idea is either to use the DevOps pipeline to fetch secrets and inject them at deployment time (primarily as environment variables), or to use the AWS SDK to retrieve secrets at application runtime. The second option avoids leaving secrets in plain text in the deployment configuration, at the cost of an API call that should be cached rather than repeated on every request.

Normally, creation and retrieval of…
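The runtime-retrieval option, as an added example (not code from the original post): a small cache around the Secrets Manager `GetSecretValue` call so a Lambda fetches the secret once per TTL rather than once per invocation, plus a redaction helper so the parsed secret never lands in a log line. The boto3 client is injected so the logic runs offline against a constructed stand-in; the secret name `prod/orders-db` and the JSON layout of the secret are assumptions.

```python
"""Runtime retrieval of a secret from AWS Secrets Manager with in-process caching.

Added example, not code from the original post. Assumes the secret's SecretString
holds a JSON object such as {"username": ..., "password": ...}; the secret name
"prod/orders-db" is hypothetical.
"""
import json
import time
from typing import Any, Dict, Tuple

# Keys whose values must never reach logs. Matching is by substring so
# "db_password" and "apiKey" are caught as well.
SENSITIVE_KEY_PARTS = ("password", "secret", "token", "key")


class SecretCache:
    """Fetch a secret once per TTL instead of once per request.

    The Secrets Manager client is injected so the logic can run without network
    access; inside Lambda pass boto3.client("secretsmanager"). Keeping the cache
    at module scope means warm invocations reuse it, which also keeps you under
    the GetSecretValue rate limit.
    """

    def __init__(self, client, ttl_seconds: int = 300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, Dict[str, Any]]] = {}

    def get(self, secret_id: str) -> Dict[str, Any]:
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        # GetSecretValue returns the AWSCURRENT version unless told otherwise,
        # so a rotation shows up here at the latest after one TTL.
        resp = self._client.get_secret_value(SecretId=secret_id)
        if "SecretString" not in resp:
            raise ValueError("SecretBinary secrets are not handled by this example")
        value = json.loads(resp["SecretString"])
        self._cache[secret_id] = (now + self._ttl, value)
        return value


def redact(secret: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy safe to log: sensitive fields are replaced by '***'."""
    return {
        k: "***" if any(part in k.lower() for part in SENSITIVE_KEY_PARTS) else v
        for k, v in secret.items()
    }


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client, used to run this offline."""

    def __init__(self, secrets: Dict[str, str]):
        self._secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        if SecretId not in self._secrets:
            # The real client raises ResourceNotFoundException here.
            raise KeyError(SecretId)
        return {"Name": SecretId, "SecretString": self._secrets[SecretId],
                "VersionStages": ["AWSCURRENT"]}


class FakeClock:
    """Controllable clock so TTL expiry can be exercised deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    fake = FakeSecretsManager({"prod/orders-db": '{"username": "app", "password": "hunter2"}'})
    cache = SecretCache(fake, ttl_seconds=300)
    creds = cache.get("prod/orders-db")
    print("loaded", redact(creds), "calls:", fake.calls)
```

The TTL is the trade-off to decide deliberately: a long TTL means fewer API calls but a rotated secret keeps being served until it expires, so pair it with a retry-on-auth-failure that invalidates the cache entry.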

Photo by freestocks on Unsplash

In this post, we will go through the steps to expose a SOAP service as a RESTful API using AWS API Gateway and Lambda. The primary driver for such a solution is usually an incompatibility between the systems involved in the integration. For example, the service client supports REST and JSON, whereas the service provider works solely with SOAP messages.

To keep things simple, we will refer to a publicly available SOAP-based web service accessible here. This calculator service provides simple arithmetic operations like Add, Subtract, Multiply and Divide. We will expose the ‘Add’ operation via a RESTful API. …
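The translation layer, as an added example rather than the post's own code: a Lambda proxy handler that takes a JSON body, builds the SOAP request for the Add operation, calls the service and returns the result as JSON. The calculator's endpoint URL is not reproduced here, so the outbound HTTP call is injected as a hypothetical `send` callable and a constructed `fake_send` stands in for the remote service; the service namespace `http://tempuri.org/` is an assumption. The part a practitioner should not skip is that the SOAP response is untrusted XML from another system, so the parser refuses any DTD before touching it.

```python
"""Lambda proxy integration that fronts a SOAP 'Add' operation with a JSON API.

Added example, not the post's own code. The calculator endpoint URL is not
reproduced here, so the outbound HTTP call is injected as a 'send' callable
(hypothetical); the service namespace http://tempuri.org/ is an assumption.
"""
import json
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://tempuri.org/"  # assumed target namespace of the calculator
ET.register_namespace("soap", SOAP_NS)


def build_add_envelope(a: int, b: int) -> str:
    """Build the SOAP 1.1 request with ElementTree so operand text is escaped
    and a caller cannot inject extra elements into the envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    add = ET.SubElement(body, f"{{{SVC_NS}}}Add")
    ET.SubElement(add, f"{{{SVC_NS}}}intA").text = str(int(a))
    ET.SubElement(add, f"{{{SVC_NS}}}intB").text = str(int(b))
    return ET.tostring(env, encoding="unicode")


def parse_add_response(xml_text: str) -> int:
    """Extract AddResult from the response, or raise ValueError on a Fault."""
    # A response from an external system is untrusted input: refuse any DTD
    # outright so entity-expansion tricks never reach the parser
    # (defusedxml is the more complete option in production).
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in SOAP response rejected")
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        raise ValueError("SOAP fault returned by service")
    node = root.find(f".//{{{SVC_NS}}}AddResult")
    if node is None or node.text is None:
        raise ValueError("AddResult missing from SOAP response")
    return int(node.text.strip())


def _response(status: int, payload: Dict) -> Dict:
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}


def lambda_handler(event: Dict, context=None,
                   send: Optional[Callable[[str], str]] = None) -> Dict:
    """API Gateway proxy handler: JSON {"a": .., "b": ..} in, JSON result out."""
    try:
        body = json.loads(event.get("body") or "{}")
        a, b = int(body["a"]), int(body["b"])
    except (KeyError, TypeError, ValueError):
        return _response(400, {"error": "expected JSON body with integer fields a and b"})
    if send is None:
        # Hypothetical wiring point: a urllib/requests POST with
        # Content-Type text/xml and the SOAPAction header goes here.
        raise RuntimeError("no SOAP transport configured")
    try:
        result = parse_add_response(send(build_add_envelope(a, b)))
    except ValueError as exc:
        # Do not echo the raw SOAP payload back to the REST caller.
        return _response(502, {"error": str(exc)})
    return _response(200, {"result": result})


# Constructed stand-in for the remote calculator: parses the request envelope
# and returns the sum in the SOAP shape the real service uses.
_RESPONSE_TEMPLATE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><AddResponse xmlns="http://tempuri.org/">'
    '<AddResult>{result}</AddResult></AddResponse></soap:Body></soap:Envelope>'
)


def fake_send(envelope: str) -> str:
    req = ET.fromstring(envelope)
    a = int(req.find(f".//{{{SVC_NS}}}intA").text)
    b = int(req.find(f".//{{{SVC_NS}}}intB").text)
    return _RESPONSE_TEMPLATE.format(result=a + b)


if __name__ == "__main__":
    print(lambda_handler({"body": '{"a": 3, "b": 4}'}, send=fake_send))
```

Two design choices worth keeping when you wire in the real endpoint: build the envelope with a tree API instead of string formatting (so user-supplied operands can never break out of their element), and map service-side failures to a generic 502 instead of forwarding the SOAP fault text, which often reveals stack traces or internal host names.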

Photo by CJ Dayrit on Unsplash

If you are a Kubernetes enthusiast but have not yet experimented with MicroK8s, then this post is for you.

MicroK8s is a CNCF-certified upstream Kubernetes distribution that can run on your laptop, workstation or on edge devices. It runs all the Kubernetes services natively and, unlike Minikube, doesn’t require a separate virtual machine on Linux, which makes it a far lighter alternative for offline development and/or prototyping.

Microk8s is available for Linux, Windows and MacOS. I will use Ubuntu 18.04 …

Photo by John Cameron on Unsplash


Use Lambda context to perform more than just authorization

Lambda authorizers are used to control access to APIs published in AWS API Gateway. They implement custom authorization schemes that either use bearer-token authentication strategies (such as OAuth 2.0/OIDC or SAML) or use one or more request parameters (headers, query strings, stage variables, or request context such as the client certificate) to establish the API caller’s identity.

There are essentially two types of Lambda authorizers:

  • Token authorizer: Here one declares a token source (such as the HTTP Authorization header) and API Gateway takes care of extracting the token from that source and passing it in the Lambda event. Within the Lambda function the token is available at event.authorizationToken, and the API Gateway method being invoked at event.methodArn
  • Request authorizer…
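Both authorizer flavours, as one added example (not code from this post or the mTLS post above), because they share the same policy-building logic: `token_handler` is a token authorizer that resolves `event.authorizationToken` against a partner registry, and `mtls_handler` is a request authorizer that implements the certificate-based scheme from the mTLS post, assuming that API Gateway exposes the validated client certificate at `requestContext.identity.clientCert` with `subjectDN`, `issuerDN` and `serialNumber` fields. Both return an IAM policy plus a `context` map, which is the "more than just authorization" part: the partner id, tier and certificate serial become available to the integration as `$context.authorizer.<key>`. The `PARTNERS` registry, its tokens and DNs, and the `Route` shape are constructed for the example.

```python
"""Lambda authorizers for API Gateway that return a policy plus caller context.

Added example, not code from the original posts. token_handler covers the
token-authorizer flow (event.authorizationToken); mtls_handler covers the
certificate-based scheme from the mTLS post, assuming the request-authorizer
event exposes the validated client certificate at
requestContext.identity.clientCert (subjectDN, issuerDN, serialNumber, ...).
PARTNERS is a hypothetical registry and the tokens/DNs in it are constructed.
"""
import hashlib
from typing import Any, Dict, List, Tuple

Route = Tuple[str, str]  # (HTTP method, resource path)


def _token_key(token: str) -> str:
    return "sha256:" + hashlib.sha256(token.encode("utf-8")).hexdigest()


# Hypothetical registry (in practice DynamoDB/SSM). Token entries are keyed by
# the SHA-256 of the bearer token so the registry never holds raw credentials;
# mTLS entries are keyed by the certificate subject DN.
PARTNERS: Dict[str, Dict[str, Any]] = {
    _token_key("partner-a-token"): {
        "id": "partner-a", "tier": "gold",
        "routes": [("GET", "/orders"), ("POST", "/orders")],
    },
    "CN=partner-b.example.com,O=Partner B,C=US": {
        "id": "partner-b", "tier": "silver",
        "routes": [("GET", "/orders")],
    },
}


def build_policy(principal_id: str, method_arn: str, routes: List[Route],
                 context: Dict[str, Any]) -> Dict[str, Any]:
    """Allow every route the partner may call (API Gateway caches the result
    per caller, so it must cover more than the current method) and deny the
    current method when nothing is allowed. Context values must be scalars;
    they surface to the integration as $context.authorizer.<key>."""
    # methodArn: arn:aws:execute-api:region:acct:apiId/stage/METHOD/path
    api_prefix, _, rest = method_arn.partition("/")
    stage = rest.split("/", 1)[0]
    allowed = [f"{api_prefix}/{stage}/{m}/{p.lstrip('/')}" for m, p in routes]
    statement = (
        {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}
        if allowed else
        {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": method_arn}
    )
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        "context": context,
    }


def _authorize(partner: Dict[str, Any], method_arn: str,
               extra: Dict[str, Any]) -> Dict[str, Any]:
    context = {"partnerId": partner["id"], "tier": partner["tier"], **extra}
    return build_policy(partner["id"], method_arn, partner["routes"], context)


def token_handler(event: Dict[str, Any], context=None) -> Dict[str, Any]:
    """TOKEN authorizer: API Gateway copies the configured header into
    event.authorizationToken. Raising 'Unauthorized' yields an HTTP 401."""
    token = (event.get("authorizationToken") or "").strip()
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):].strip()
    partner = PARTNERS.get(_token_key(token)) if token else None
    if partner is None:
        raise Exception("Unauthorized")
    return _authorize(partner, event["methodArn"], {"authType": "token"})


def mtls_handler(event: Dict[str, Any], context=None) -> Dict[str, Any]:
    """REQUEST authorizer for an mTLS-enabled API. API Gateway has already
    validated the chain against the truststore, so the subject DN can be used
    as the partner's identity; the serial goes into context for auditing."""
    identity = (event.get("requestContext") or {}).get("identity") or {}
    cert = identity.get("clientCert") or {}
    partner = PARTNERS.get(cert.get("subjectDN", ""))
    if partner is None:
        raise Exception("Unauthorized")
    return _authorize(partner, event["methodArn"], {
        "authType": "mtls",
        "certSerial": cert.get("serialNumber", ""),
        "certIssuer": cert.get("issuerDN", ""),
    })
```

Two caveats that bite in practice: the returned policy is cached per identity source, so emitting only the current `methodArn` silently breaks the partner's next call to a different route; and for the mTLS variant the identity source must be something that distinguishes callers (or caching must be disabled), otherwise one partner's cached policy can be served to another. Note also that mTLS at the edge only proves which certificate the caller holds; which resources that certificate may reach is still this authorizer's job.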

Adrin Mukherjee

Solutions architect by profession, programmer by passion and photographer by choice…
