Layer7 API Management

Hi Guys,

Has any one configured lookup / query / GetItem in dynamodb from apigw? I'm struggling to get it work, so far I have configured these in my policy

1. Set Context variable - JSON Payload

{
   Key: {
    'ID' : {S: 'token'},
    'Status' :  {N: '1'}
   },
   TableName: 'token-table'
  }

2. AWS 4 Signer - configured resource, aws access_id and key

3. Route via Http - http://dynamodb.ap-southeast-2.amazonaws.com/${aws4auth.resource}

with POST and RequestSource = context var from step 1

Headers set as below:

Authorization: ${aws4Auth.http.Authorization}

X-Amz-Date: ${aws4Auth.http.X-Amz-Date}

x-amz-content-sha256: ${aws4Auth.http.x-amz-content-sha256}

X-Amz-Target: DynamoDB_20120810.GetItem

I get ---> {"__type":"com.amazon.coral.service#SerializationException"}

Would appreciate any help with this.

Thanks,

Kunal

Dear Kunal,

It seems you copied the sample from aws document,

in X-Amz-Target: DynamoDB_20120810.GetItem

DynamoDB_20120810 should be your real dynamodb name.

I also doubt with the route via http url, as per example in DynamoDB Low-Level API - Amazon DynamoDB , you should not need ${aws4auth.resource} in the url

from Examples of the Complete Version 4 Signing Process (Python) - Amazon Web Services , there is python example to access dynamodb, so to configure your AWS 4 Signer assertion, you should not need to set resource field,

only following filed,

You may set method, service, host, region, endpoint, etc. for AWS 4 Signer assertion as the example as below,

# AWS Version 4 signing example 
# DynamoDB API (CreateTable) 
# See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html 
# This version makes a POST request and passes request parameters 
# in the body (payload) of the request. Auth information is passed in 
# an Authorization header. import sys, os, base64, datetime, hashlib, hmac import requests 
# pip install requests 
# ************* REQUEST VALUES ************* 
method = 'POST'
service = 'dynamodb'
host = 'dynamodb.us-west-2.amazonaws.com'
region = 'us-west-2'
endpoint = 'https://dynamodb.us-west-2.amazonaws.com/'
# POST requests use a content type header. For DynamoDB, 
# the content is JSON. 

content_type = 'application/x-amz-json-1.0'

# DynamoDB requires an x-amz-target header that has this format: 
# DynamoDB_<API version>.<operationName> 

amz_target = 'DynamoDB_20120810.CreateTable'

Regards,

Mark

Maybe I have misunderstanding on X-Amz-Target, it should name of operation --

DynamoDB_<API version>.<operationName>

Thanks Mark - for AWS 4 Signer assertion resource is a mandatory field.

I removed ${aws4auth.resource} in the url from Route assertion, now I get following error

{"__type":"com.amazon.coral.service#InvalidSignatureException","message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}

So, the AWS 4 Signer assertion didn't generate the correct signature.

What did you put in the resource field? you may try slash(/) only

Finally got this working with below configurations. Thanks for your assistance Mark!