API Gateway + LambdaのAPIにIAM認証で署名付きリクエストを送る（javascript, typescript）

概要

APIGatewayのREST APIを使って構築したweb APIをIAM認証（accesskeyとsecretkeyを使った認証）で署名付きのリクエストを送信するサンプル。

参考にさせていただいた記事

• API GatewayでAPIにIAM認証をかけて、Node.jsでSigV4署名ヘッダを作成してリクエストしてみる
• AWS - Lambda function URLs を IAM 署名付きでリクエストしてみる

IAMは対象のLamda関数のARNを指定した、 lambda:InvokeFunctionUrl のアクションのみを許可したユーザを作成しています。

javascriptとtypescriptのケース両方使うことがあるので、自分用のメモとして参考にさせていただいた記事のコードを少し書き直してます。

実装

javascript

$ npm install --dev aws-sdk axios

const core = require('aws-sdk/lib/core');
const aws = require('aws-sdk');
const axios = require('axios');

// アクセスキーとシークレットアクセスキーを設定
const accessKey = 'xxxxxxx';
const secretKey = 'xxxxxxx';
const credential = new aws.Credentials(accessKey, secretKey);


function main() {
  const serviceName = "execute-api";

  const url = "https://xxxxxxxxx.execute-api.ap-northeast-1.amazonaws.com/prod/";

  const options = {
    url: url,
    headers: {}
  };

  const parts = options.url.split("?");
  const host = parts[0].substr(8, parts[0].indexOf("/", 8) - 8);
  const path = parts[0].substr(parts[0].indexOf("/", 8));
  const querystring = parts[1];
  const data = {
    /* payload */
  };

  const now = new Date();
  options.headers.host = host;
  options.pathname = () => path;
  options.methodIndex = 'post';
  options.search = () => querystring ? querystring : "";
  options.region = 'ap-northeast-1';
  options.method = 'POST';
  options.body = JSON.stringify(data);

  const signer = new core.Signers.V4(options, serviceName);

  signer.addAuthorization(credential, now);

  axios.post(url, data, options).then((r) => {
    console.log(r);
  }).catch((e) => {
    console.error("failed to request: ", e.response.status, e.code, e.response.data);
  });
}

main();

Typescript

import axios from 'axios'
import { Credentials } from 'aws-sdk'
import { SignatureV4 } from '@aws-sdk/signature-v4'
import { Sha256 } from '@aws-crypto/sha256-js'
import { HttpRequest } from '@aws-sdk/protocol-http'

const main = async () => {
  const accessKey = 'xxxxxxxxx'
  const secretKey = 'xxxxxxxxx'
  const creds = new Credentials(accessKey, secretKey)

  const serviceName = 'execute-api'
  const url =
    'https://xxxxxxxxxxx.execute-api.ap-northeast-1.amazonaws.com/prod/'
  const parts = url.split('?')
  const host = parts[0].substr(8, parts[0].indexOf('/', 8) - 8)
  const path = parts[0].substr(parts[0].indexOf('/', 8))
  const data = {
    /* payload */
  }

  const req = new HttpRequest({
    headers: {},
    hostname: host,
    method: 'POST',
    path: path,
  })

  const signer = new SignatureV4({
    credentials: creds,
    region: 'ap-northeast-1',
    service: serviceName,
    sha256: Sha256,
  })
  const signedHttpRequest = await signer.sign(req)

  try {
    const r = await axios.post(url, data, signedHttpRequest)
    console.log(r)
  } catch (e: any) {
    console.error(e)
  }
}

main()