serverlessunicorn
/ APIGW_websocket_IAM_Auth_HowTo
Last active
June 22, 2023 08:49
How to client-side IAM auth an Amazon API Gateway WebSocket connection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| async def connect(): | |
| # Create a version of the websocket client class that handles AWS sigv4 | |
| # authorization by overriding the 'write_http_request' method with the | |
| # logic to construct an x-amzn-auth header at the last possible moment. | |
| def class WebSocketSigv4ClientProtocol(WebSocketClientProtocol): | |
| def __init__(self, *args, **kwargs) -> None: | |
| super().__init__(*args, **kwargs) | |
| def write_http_request(self, path: str, headers) -> None: | |
| # Intercept the GET that initiates the websocket protocol at the point where | |
| # all of its 'real' headers have been constructed. Add in the sigv4 header AWS needs. |
serverlessunicorn
/ MediumCFArticle10.yaml
Created
September 30, 2019 23:23
TWagnerMediumBlogSampleCFTemplatePart10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Outputs: | |
| NATPunchWebSocketOutput: | |
| Description: NATPunch WebSocket created by CloudFormation | |
| Value: !Ref NATPunchWebSocket | |
| NATPunchFunctionOutput: | |
| Description: NATPunch's Lambda function as created by CloudFormation | |
| Value: !Ref NATPunchFunction | |
| NATPunchDatabaseOutput: | |
| Description: NATPunch's DynamoDB table as created by CloudFormation | |
| Value: !Ref NATPunchDatabase |
serverlessunicorn
/ MediumCFArticle9.yaml
Last active
September 30, 2019 22:26
TWagnerMediumBlogSampleCFTemplatePart9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NATPunch websocket deployment descriptor; see 'stage' below. | |
| NATPunchWebSocketDeployment: | |
| Type: AWS::ApiGatewayV2::Deployment | |
| # See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html for | |
| # an explanation on why the routes below are listed as explicit dependencies for | |
| # the API's deployment in CloudFormation. This feels like a bug/hack; hopefully AWS | |
| # fixes it over time. | |
| DependsOn: | |
| - NATPunchConnectRoute | |
| - NATPunchDisconnectRoute |
serverlessunicorn
/ MediumCFArticle8.yaml
Last active
April 18, 2020 13:44
TWagnerMediumBlogSampleCFTemplatePart8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The top-level websocket itself | |
| NATPunchWebSocket: | |
| Type: AWS::ApiGatewayV2::Api | |
| Properties: | |
| Name: NATPunchWebSocket | |
| ProtocolType: WEBSOCKET | |
| RouteSelectionExpression: "$request.body.action" | |
| # The builtin $connect path. This involves both a route | |
| # definition and its integration definition, which follows, as well as a |
serverlessunicorn
/ ediumCFArticle7.yaml
Created
September 30, 2019 21:14
TWagnerMediumBlogSampleCFTemplatePart7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NATPunchDatabase: | |
| Type: AWS::Serverless::SimpleTable | |
| Properties: | |
| TableName: !Sub 'NATPunchDatabase-${Stage}' # Keep consistent with DB envvar above | |
| PrimaryKey: | |
| Name: NATSourceIP | |
| Type: String |
serverlessunicorn
/ MediumCFArticle6.yaml
Created
September 30, 2019 20:39
TWagnerMediumBlogSampleCFTemplatePart6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NATPunchFunctionRole: | |
| Description: AWS Lambda NATPunch function role | |
| Type: AWS::IAM::Role | |
| Properties: | |
| # Heavily mangled to ensure we always know the origin and purpose of this role | |
| # just by looking at its name. | |
| RoleName: !Sub 'CodeStar-${ProjectId}-NATPunchFunctionRole-${Stage}' | |
| # All Lambda roles need to enable Lambda to assume them... | |
| AssumeRolePolicyDocument: | |
| Statement: |
serverlessunicorn
/ MediumCFArticle5.yaml
Created
September 30, 2019 20:33
TWagnerMediumBlogSampleCFTemplatePart5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NATPunchFunctionPythonDependenciesLayer: | |
| Type: AWS::Serverless::LayerVersion | |
| Properties: | |
| LayerName: natpuncher-python-dependencies | |
| Description: Python module dependencies required by the NATPuncher function | |
| ContentUri: python_dependencies/ | |
| CompatibleRuntimes: | |
| - python3.7 | |
| RetentionPolicy: Delete |
serverlessunicorn
/ ediumCFArticle4.yaml
Created
September 30, 2019 20:00
TWagnerMediumBlogSampleCFTemplatePart4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NATPunchFunction: | |
| Type: AWS::Serverless::Function | |
| Properties: | |
| Handler: natpunch.lambda_handler | |
| Runtime: python3.7 | |
| CodeUri: natpunch.py # Local name; cloudformation package will rewrite to S3 URI | |
| # Required Python modules are held in a Lambda layer; see the definition below. | |
| Layers: [!Ref NATPunchFunctionPythonDependenciesLayer] | |
| Role: !GetAtt NATPunchFunctionRole.Arn # Definition follows below | |
| Environment: |
serverlessunicorn
/ MediumCFArticle3.yaml
Created
September 30, 2019 19:51
TWagnerMediumBlogSampleCFTemplatePart3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Globals: | |
| Function: | |
| AutoPublishAlias: live | |
| # Deploy Lambda function updates via 5 minute canary rollout | |
| DeploymentPreference: | |
| Enabled: true | |
| Type: Canary10Percent5Minutes | |
| Role: !Ref CodeDeployRole |
serverlessunicorn
/ MediumCFArticle2.yaml
Created
September 30, 2019 19:44
TWagnerMediumBlogSampleCFTemplatePart2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Parameters: | |
| ProjectId: | |
| Type: String | |
| Description: CodeStar projectId used to associate new resources to team members | |
| CodeDeployRole: | |
| Type: String | |
| Description: IAM role to allow AWS CodeDeploy to manage deployment of AWS Lambda functions | |
| Stage: | |
| Type: String | |
| Description: The name for a project pipeline stage, such as Staging or Prod, for which resources are provisioned and deployed. |
NewerOlder