Using AWS API Gateway together with Swagger

Introduction to AWS API Gateway

  • A gateway for APIs; its main purpose is to control APIs.
    • Every API can be written into API Gateway.
    • API Gateway controls how often an API may be called, its throughput, and whether it may be called at all.
    • API Gateway controls which AWS service the API triggers.

Introduction to Swagger

  • Used to write API documentation, with its own Swagger syntax. Put simply, it describes an API with text in a specific format.

Integrating Swagger with API Gateway

Overview

  • The Swagger site offers an API Gateway integration that works with one click (note: when integrating, it is best to choose overwrite, so that every save fully updates API Gateway).
  • Every API Gateway feature, including authorizers, responses and Lambda integrations, can be written in the Swagger document and then pushed to API Gateway with one click.

How to integrate

  • Google Swagger and register a SwaggerHub account.
  • Write the Swagger document.
  • Find the Integrations button (it is hidden quite deep; it took me a while to find) and choose the AWS API Gateway integration.
  • Configure the AWS key and secret, then save and execute. From then on, every edit to the Swagger document updates API Gateway.

Writing the Swagger document (YAML format)

  • I won't cover how to write a Swagger document here; Google it and experiment until it works. Writing it on the Swagger site gives you error hints, which is quite convenient. This article focuses on the parts related to API Gateway.
  • Example Swagger document integrated with API Gateway:
https://github.com/aws-samples/api-gateway-secure-pet-store/blob/master/src/main/resources/swagger.yaml


# this is the API Gateway Secure Pet Store sample,
# as a demonstration of an API spec in YAML
swagger: '2.0'
info:
  title: API Gateway Secure Pet Store
  description: Pet store sample that uses Cognito Developer Authenticated Identities to generate credentials through a Java Lambda Function
  version: "1.0.0"
# the domain of the service
host: execute-api.us-east-1.amazonaws.com
# array of all schemes that your API supports
schemes:
  - https
# will be prefixed to all paths
basePath: /
produces:
  - application/json
paths:
  /users:
    post:
      summary: Registers a new user
      description: |
        Creates a new user in the DynamoDB backend database and returns a set
        of temporary credentials to sign future requests.
      consumes:
        - application/json
      produces:
        - application/json
      parameters:
        - name: NewUser
          in: body
          description: New user details.
          schema:
            $ref: '#/definitions/User'
      tags:
        - Auth
      x-amazon-apigateway-integration:
        type: aws
        uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:YOUR_FUNCTION_NAME/invocations
        credentials: arn:aws:iam::XXXXXXXXXXXX:role/YOUR_LAMBDA_INVOCATION_ROLE
        httpMethod: POST
        requestTemplates:
          application/json: |
            {
              "action" : "com.amazonaws.apigatewaydemo.action.RegisterDemoAction",
              "body" : $input.json('$')
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "BAD.*":
            statusCode: "400"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "INT.*":
            statusCode: "500"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
      responses:
        200:
          description: The username of the new user and set of temporary credentials
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/RegisterUserResponse'
        400:
          description: Bad request
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
        500:
          description: Internal error
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
    options:
      summary: CORS support
      description: |
        Enable CORS by returning correct headers
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - CORS
      x-amazon-apigateway-integration:
        type: mock
        requestTemplates:
          application/json: |
            {
              "statusCode" : 200
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
              method.response.header.Access-Control-Allow-Methods : "'*'"
              method.response.header.Access-Control-Allow-Origin : "'*'"
            responseTemplates:
              application/json: |
                {}
      responses:
        200:
          description: Default response for CORS method
          headers:
            Access-Control-Allow-Headers:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Origin:
              type: "string"
  /login:
    post:
      summary: Login user
      description: |
        Verifies the given credentials against the user database and returns a set
        of new temporary credentials
      consumes:
        - application/json
      produces:
        - application/json
      parameters:
        - name: LoginUser
          in: body
          description: New user details.
          schema:
            $ref: '#/definitions/User'
      tags:
        - Auth
      x-amazon-apigateway-integration:
        type: aws
        uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:YOUR_FUNCTION_NAME/invocations
        credentials: arn:aws:iam::XXXXXXXXXXXX:role/YOUR_LAMBDA_INVOCATION_ROLE
        httpMethod: POST
        requestTemplates:
          application/json: |
            {
              "action" : "com.amazonaws.apigatewaydemo.action.LoginDemoAction",
              "body" : $input.json('$')
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "BAD.*":
            statusCode: "400"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "INT.*":
            statusCode: "500"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
      responses:
        200:
          description: A new set of temporary credentials
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/LoginUserResponse'
        400:
          description: Bad request
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
        500:
          description: Internal error
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
    options:
      summary: CORS support
      description: |
        Enable CORS by returning correct headers
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - CORS
      x-amazon-apigateway-integration:
        type: mock
        requestTemplates:
          application/json: |
            {
              "statusCode" : 200
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
              method.response.header.Access-Control-Allow-Methods : "'*'"
              method.response.header.Access-Control-Allow-Origin : "'*'"
            responseTemplates:
              application/json: |
                {}
      responses:
        200:
          description: Default response for CORS method
          headers:
            Access-Control-Allow-Headers:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Origin:
              type: "string"
  /pets:
    post:
      summary: Creates a new pet
      description: |
        Creates a new pet object in the datastore
      x-amazon-apigateway-auth:
        type: aws_iam
      consumes:
        - application/json
      produces:
        - application/json
      parameters:
        - name: NewPet
          in: body
          description: New pet details.
          schema:
            $ref: '#/definitions/NewPet'
      tags:
        - Pet Store
      x-amazon-apigateway-integration:
        type: aws
        uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:YOUR_FUNCTION_NAME/invocations
        credentials: arn:aws:iam::*:user/*
        httpMethod: POST
        requestTemplates:
          application/json: |
            {
              "action" : "com.amazonaws.apigatewaydemo.action.CreatePetDemoAction",
              "body" : $input.json('$')
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "BAD.*":
            statusCode: "400"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "INT.*":
            statusCode: "500"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
      responses:
        200:
          description: The unique identifier of the new pet
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/NewPetResponse'
        400:
          description: Bad request
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
        500:
          description: Internal error
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
    get:
      summary: List pets
      description: Retrieve a list of pets in the store
      x-amazon-apigateway-auth:
        type: aws_iam
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - Pet Store
      x-amazon-apigateway-integration:
        type: aws
        uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:YOUR_FUNCTION_NAME/invocations
        credentials: arn:aws:iam::*:user/*
        httpMethod: POST
        requestTemplates:
          application/json: |
            {
              "action" : "com.amazonaws.apigatewaydemo.action.ListPetsDemoAction",
              "body" : $input.json('$')
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "BAD.*":
            statusCode: "400"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "INT.*":
            statusCode: "500"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
      responses:
        200:
          description: A list of pets
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Pets'
        400:
          description: Bad request
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
        500:
          description: Internal error
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
    options:
      summary: CORS support
      description: |
        Enable CORS by returning correct headers
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - CORS
      x-amazon-apigateway-integration:
        type: mock
        requestTemplates:
          application/json: |
            {
              "statusCode" : 200
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
              method.response.header.Access-Control-Allow-Methods : "'*'"
              method.response.header.Access-Control-Allow-Origin : "'*'"
            responseTemplates:
              application/json: |
                {}
      responses:
        200:
          description: Default response for CORS method
          headers:
            Access-Control-Allow-Headers:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Origin:
              type: "string"
  /pets/{petId}:
    get:
      summary: Get pet by id
      description: Returns a pet definition based on the given id
      x-amazon-apigateway-auth:
        type: aws_iam
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - Pet Store
      parameters:
        - name: petId
          in: path
          description: The unique identifier for a pet
          type: string
      x-amazon-apigateway-integration:
        type: aws
        uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:YOUR_FUNCTION_NAME/invocations
        credentials: arn:aws:iam::*:user/*
        httpMethod: POST
        requestTemplates:
          application/json: |
            {
              "action" : "com.amazonaws.apigatewaydemo.action.GetPetDemoAction",
              "body" : {
                "petId" : "$input.params('petId')"
              }
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "BAD.*":
            statusCode: "400"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
          "INT.*":
            statusCode: "500"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin : "'*'"
      responses:
        200:
          description: A pet
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Pet'
        400:
          description: Bad request
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
        500:
          description: Internal error
          headers:
            Access-Control-Allow-Origin:
              type: "string"
          schema:
            $ref: '#/definitions/Error'
    options:
      summary: CORS support
      description: |
        Enable CORS by returning correct headers
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - CORS
      x-amazon-apigateway-integration:
        type: mock
        requestTemplates:
          application/json: |
            {
              "statusCode" : 200
            }
        responses:
          "default":
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
              method.response.header.Access-Control-Allow-Methods : "'*'"
              method.response.header.Access-Control-Allow-Origin : "'*'"
            responseTemplates:
              application/json: |
                {}
      responses:
        200:
          description: Default response for CORS method
          headers:
            Access-Control-Allow-Headers:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Origin:
              type: "string"
definitions:
  User:
    properties:
      username:
        type: string
        description: A unique username for the user
      password:
        type: string
        description: A password for the new user
  RegisterUserResponse:
    properties:
      username:
        type: string
        description: The username of the new user
      identityId:
        type: string
        description: The unique identifier for the new user
      token:
        type: string
        description: An OpenID token for the new user
      credentials:
        type: object
        properties:
          accessKey:
            type: string
            description: Temporary access key to sign requests
          secretKey:
            type: string
            description: Temporary secret access key to sign requests
          sessionToken:
            type: string
            description: Temporary session token
          expiration:
            type: integer
            description: |
              Expiration date of the temporary credentials in millis since 1/1/1970
  LoginUserResponse:
    properties:
      identityId:
        type: string
        description: The unique identifier for the new user
      token:
        type: string
        description: An OpenID token for the new user
      credentials:
        type: object
        properties:
          accessKey:
            type: string
            description: Temporary access key to sign requests
          secretKey:
            type: string
            description: Temporary secret access key to sign requests
          sessionToken:
            type: string
            description: Temporary session token
          expiration:
            type: integer
            description: |
              Expiration date of the temporary credentials in millis since 1/1/1970
  NewPet:
    properties:
      petType:
        type: string
        description: Free text pet type
      petName:
        type: string
        description: Free text pet name
      petAge:
        type: integer
        description: Age of the new pet
  NewPetResponse:
    properties:
      petId:
        type: string
        description: The generated unique identifier for the new pet
  Pet:
    properties:
      petId:
        type: string
        description: The generated unique identifier for the new pet
      petType:
        type: string
        description: Free text pet type
      petName:
        type: string
        description: Free text pet name
      petAge:
        type: integer
        description: Age of the new pet
  Pets:
    type: array
    items:
      $ref: '#/definitions/Pet'
  Error:
    properties:
      code:
        type: integer
        format: int32
      message:
        type: string
      fields:
        type: string

The file is long, but don't be put off: broken into parts it is simple. Complicated things become simple once you decompose them.

Configuring the Lambda function to trigger

      x-amazon-apigateway-integration:
        type: "aws_proxy"
        httpMethod: "POST"
        uri:  "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:<accountId>:function:<function-name>/invocations"
        credentials: "arn:aws:iam::<accountId>:role/<role-name>"

  • x-amazon-apigateway-integration declares the API Gateway integration
  • type says a Lambda proxy integration is used
  • httpMethod must be POST
  • uri is the path of the Lambda function
  • credentials: this means the credentials (role) used for the call; it is somewhat involved. The integration works without it, but you will find that API Gateway cannot trigger the Lambda and reports a permission-type error

Configuring credentials

  • First create a role
  • Attach the AWSLambdaFullAccess policy to the role
  • Make the role trust API Gateway (role >> Trust relationships >> edit >> save)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "apigateway.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  • Give the user configured in Swagger the PassRole permission
    • Create a policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PolicyStatementToAllowUserToPassOneSpecificRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<accountId>:role/swagger-role"
        }
    ]
}
  • Attach this policy to the user. The AWS user configured for Swagger now has PassRole permission, so the role written into credentials takes effect.
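The integration fields, the role's trust policy and the PassRole policy have to agree with each other before API Gateway can invoke the Lambda. The following is an added example, not code from this post or from AWS: a consistency check over those three pieces. SPEC, TRUST and PASS_ROLE are constructed stand-ins for the YAML and JSON above, with the page's <accountId> placeholder kept as-is.

```python
# Added example, not code from the post or from AWS: a consistency check over the three pieces
# the post configures (the Lambda integration, the role's trust policy, the user's PassRole policy).
# SPEC, TRUST and PASS_ROLE are constructed stand-ins for the page's YAML/JSON, <accountId> kept as-is.
import re
LAMBDA_URI = re.compile(r"^arn:aws:apigateway:([a-z0-9-]+):lambda:path/2015-03-31/functions/"
                        r"arn:aws:lambda:\1:[^:]+:function:[^/]+/invocations$")  # same region twice

def as_list(value):
    """IAM fields (Action, Resource, Service) may be a string or a list."""
    return value if isinstance(value, list) else [value]

def check_operation(path, method, op):
    """Problems with one operation's API Gateway extension (empty list means fine)."""
    where = f"{method.upper()} {path}"
    integ = op.get("x-amazon-apigateway-integration")
    if integ is None:
        return [f"{where}: no x-amazon-apigateway-integration"]
    problems = []
    if integ.get("type") in ("aws", "aws_proxy"):
        if integ.get("httpMethod") != "POST":  # Lambda is always invoked with POST
            problems.append(f"{where}: httpMethod must be POST for a Lambda integration")
        if not LAMBDA_URI.match(integ.get("uri", "")):
            problems.append(f"{where}: uri is not a Lambda invocations ARN")
        # credentials: the invocation role, or arn:aws:iam::*:user/* for the caller's own IAM identity
        # (as in the pet-store sample). Without it the deploy works but every call fails on permissions.
        if not str(integ.get("credentials", "")).startswith("arn:aws:iam::"):
            problems.append(f"{where}: credentials must be an IAM role or user ARN")
    if method != "options" and not op.get("security"):
        problems.append(f"{where}: no security requirement (no authorizer applied)")
    return problems

def check_spec(spec):
    """check_operation over every path/method, plus a check that security refs are defined."""
    problems, defined = [], set(spec.get("securityDefinitions", {}))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            problems += check_operation(path, method, op)
            problems += [f"{method.upper()} {path}: unknown security scheme {n}"
                         for req in op.get("security", []) for n in req if n not in defined]
    return problems

def role_trusts_apigateway(trust_policy):
    """True if an Allow statement lets apigateway.amazonaws.com call sts:AssumeRole."""
    for st in as_list(trust_policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(st.get("Action", []))
                and "apigateway.amazonaws.com" in services):
            return True
    return False

def user_can_pass_role(policy, role_arn):
    """True if an Allow statement grants iam:PassRole on exactly this role ARN (no wildcard match)."""
    return any(st.get("Effect") == "Allow" and "iam:PassRole" in as_list(st.get("Action", []))
               and role_arn in as_list(st.get("Resource", [])) for st in as_list(policy.get("Statement", [])))

ROLE = "arn:aws:iam::<accountId>:role/swagger-role"
LAMBDA = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:<accountId>:function:"
SPEC = {"securityDefinitions": {"request_lambda_auth": {"type": "apiKey", "in": "header"}},
        "paths": {"/pets": {
            "get": {"security": [{"request_lambda_auth": []}], "x-amazon-apigateway-integration": {
                "type": "aws_proxy", "httpMethod": "POST", "credentials": ROLE, "uri": LAMBDA + "list-pets/invocations"}},
            "post": {"x-amazon-apigateway-integration": {  # GET sent to Lambda, no credentials, no security
                "type": "aws_proxy", "httpMethod": "GET", "uri": LAMBDA + "create-pet/invocations"}}}}}
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["lambda.amazonaws.com", "apigateway.amazonaws.com"]}}]}
PASS_ROLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE}]}

if __name__ == "__main__":
    print("\n".join(check_spec(SPEC)) or "spec ok")
    print("trust ok:", role_trusts_apigateway(TRUST), "| passrole ok:", user_can_pass_role(PASS_ROLE, ROLE))
```

To run it against a real document, load the YAML with a YAML parser into a dict and pass it to check_spec; the PassRole check is deliberately exact-match, so a policy with a wildcard Resource is reported as not covering the role.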

Configuring API Gateway authorizers

  • Placed at the same level as paths
securityDefinitions:
  cognito_auth:
    type: "apiKey"
    name: "accessToken"
    in: "header"
    x-amazon-apigateway-authtype: "cognito_user_pools"
    x-amazon-apigateway-authorizer:
      type: "cognito_user_pools"
      providerARNs: ["arn:aws:cognito-idp:us-west-2:<accountId>:userpool/<userpoolId>"]
  request_lambda_auth:
    type: "apiKey"
    name: "Unused"
    in: "header"
    x-amazon-apigateway-authtype: "custom"
    x-amazon-apigateway-authorizer:
      type: "request"
      identitySource : "method.request.header.access_key, method.request.header.access_type"
      authorizerUri: "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:<accountId>:function:<lambda name>/invocations"
      authorizerResultTtlInSeconds : 300
  • Once this is written, you can put cognito_auth or request_lambda_auth under the security entry of each API operation.
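The request_lambda_auth definition above names the Lambda at authorizerUri but not what that function must do. The following is an added example, not code from this post: a hypothetical Python handler for that REQUEST authorizer, which reads the two identitySource headers (access_key, access_type) and returns the policy document API Gateway expects. KNOWN_KEYS is a constructed stand-in for a real key store.

```python
# Added example, not from the post: a hypothetical Lambda handler for the request_lambda_auth
# authorizer above. It reads the two identitySource headers (access_key, access_type) and returns
# the policy document API Gateway expects. KNOWN_KEYS is a constructed stand-in for a real key
# store (a database or Secrets Manager lookup).
import hmac

# constructed sample data: access_key -> (access_type this key is allowed to use, principal)
KNOWN_KEYS = {"demo-key-123": ("read", "user-42")}

def policy(principal_id, effect, method_arn):
    """Shape of a Lambda authorizer response: a principal plus an execute-api:Invoke policy."""
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]}}

def handler(event, context=None):
    """REQUEST authorizer entry point: the event carries the headers and the methodArn being called."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}  # names are case-insensitive
    access_key, access_type = headers.get("access_key", ""), headers.get("access_type", "")
    method_arn = event["methodArn"]
    found = None
    for key, grant in KNOWN_KEYS.items():  # compare every key in constant time, no early exit
        if hmac.compare_digest(key.encode(), access_key.encode()):
            found = grant
    if found is None:
        # An explicit Deny is cached for authorizerResultTtlInSeconds just like an Allow would be;
        # raising Exception("Unauthorized") instead makes API Gateway answer 401.
        return policy("anonymous", "Deny", method_arn)
    allowed_type, principal = found
    if access_type != allowed_type:
        return policy(principal, "Deny", method_arn)
    # Results are cached per identitySource value set, so a revoked key keeps working for up to the TTL.
    return policy(principal, "Allow", method_arn)
```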

Configuring API Gateway error response templates

x-amazon-apigateway-gateway-responses: 
  BAD_REQUEST_PARAMETERS:
    statusCode: 400
    responseTemplates:
      application/json: "{\"error\":{\"code\":400,\"name\":\"ParameterIncorrectException\",\"message\": $context.error.messageString} }" 