react-native-aws-signature

What about temporary credentials?

Open Leon-Africa opened this issue 7 years ago • 5 comments

There seems to be no parameter to handle a generated session token - for example, when generating temp credentials via an identity pool, which via AWS STS returns a session token.

In AWSSignature.js, the only parameters set for credentials are:

this.credentials.SecretKey
this.credentials.AccessKeyId

Should allow for an optional parameter to be fed into credentials for session_token, say this.credentials.SessionToken

This will cater for temp credentials that are generated via AWS Cognito Identity Pool, which returns accessid, secretid, and session_token.

Where:

AccessKeyId: The access key ID that identifies the temporary security credentials.

SecretAccessKey: The secret access key that can be used to sign requests.

SessionToken: The token that users must pass to the service API to use the temporary credentials.

As per: http://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html

This way one can use temporary security credentials provided by the AWS Security Token Service (AWS STS) to sign a request. The process is the same as using long-term credentials, but requires an additional HTTP header or query string parameter for the security token. The name of the header or query string parameter is X-Amz-Security-Token, and the value is the session token (the string you received from AWS STS when you obtained temporary security credentials).

When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature.

As per: http://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html

Therefore in options allow an additional header: X-Amz-Security-Token (Optional) and for credentials this.session_token (Optional)

Leon-Africa avatar Jun 14 '17 10:06 Leon-Africa
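A sketch of the change proposed above, as an added example that is not part of the original issue or of the library's code: a minimal SigV4 signer for a body-less GET that accepts an optional `SessionToken`, sends it as the X-Amz-Security-Token header and includes it in the signed headers. The function names, request fields and credential values are constructed for illustration, and signing the header (rather than appending it after signing) is this sketch's assumption.

```javascript
const crypto = require('crypto');

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();
const sha256hex = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');

// Hypothetical helper: signs a GET with no query string and no body.
// creds.SessionToken is optional; long-term credentials simply omit it.
function signRequest({ host, path, region, service, amzDate }, creds) {
  const headers = { host, 'x-amz-date': amzDate };
  if (creds.SessionToken) headers['x-amz-security-token'] = creds.SessionToken;

  // Canonical headers: lowercase names, sorted, one "name:value\n" per header.
  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${headers[n].trim()}\n`).join('');
  const signedHeaders = names.join(';');
  const canonicalRequest =
    ['GET', path, '', canonicalHeaders, signedHeaders, sha256hex('')].join('\n');

  const date = amzDate.slice(0, 8);
  const scope = `${date}/${region}/${service}/aws4_request`;
  const stringToSign =
    ['AWS4-HMAC-SHA256', amzDate, scope, sha256hex(canonicalRequest)].join('\n');

  // Signing key: HMAC chain over date, region, service and the fixed terminator.
  let key = hmac('AWS4' + creds.SecretKey, date);
  for (const part of [region, service, 'aws4_request']) key = hmac(key, part);
  const signature = hmac(key, stringToSign).toString('hex');

  headers.authorization = `AWS4-HMAC-SHA256 Credential=${creds.AccessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { headers, signedHeaders, signature };
}

// Constructed sample request and credentials (not real keys).
function demo() {
  const req = { host: 'example.execute-api.us-east-1.amazonaws.com', path: '/prod/items',
    region: 'us-east-1', service: 'execute-api', amzDate: '20170614T100600Z' };
  const base = { AccessKeyId: 'ASIAEXAMPLEKEYID', SecretKey: 'constructed-secret-key' };
  return {
    withoutToken: signRequest(req, base),
    withToken: signRequest(req, { ...base, SessionToken: 'constructed-session-token' }),
  };
}

const { withoutToken, withToken } = demo();
console.log(withoutToken.signedHeaders, withoutToken.signature);
console.log(withToken.signedHeaders, withToken.signature);
```

With the same secret key, the two signatures differ only because the token header is part of the canonical request in the second call.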

Actually there is no need to change anything for temp credentials because the X-Amz-Security-Token is not involved in the signature calculation. I have verified this by comparing the results from https://github.com/kndt84/aws-api-gateway-client and this component. The two authorization data are the same.

wangghon avatar Jul 27 '17 06:07 wangghon

@leimd excuse the late reply - do you have any ideas where we can start to build?

Leon-Africa avatar Jul 27 '17 07:07 Leon-Africa

@wangghon yes it is an optional parameter - you can sign without it.

The issue is when you want to make use of temporary session credentials. This uses a session token - as with AWS Cognito users.

Right now you can only use react-native-aws-signature using credentials that are not temporary as a session token is not associated.

see: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

Leon-Africa avatar Jul 27 '17 07:07 Leon-Africa

@Leon-Africa do you mean to build the session token in an app, then send the request with the session token to AWS? If yes, I do not think the component is your target; this component only calculates the signature based on the access key ID and security key locally. You can build an AWS microservice (APIGateway + lambda) to access AWS STS to get the session token, then the app accesses the API Gateway to get the session token.

Please correct me if my understanding is wrong

wangghon avatar Aug 05 '17 11:08 wangghon

@Leon-Africa do you have any solution for this?

vvavepacket avatar Aug 31 '17 01:08 vvavepacket