Usage
Credential management
The following shell snippet shows how one can list the available credentials. (Initially the list is empty; once a set of credentials has been imported, their identifiers appear.)
Listing available credentials
$$$ curl http://127.0.0.1:60606/credentials
>>> ["amazon"]
The following snippet shows how one can import an |AWS|-compliant credential; here the identifier of the credential is amazon, but one can import multiple |AWS| credentials under different identifiers.
Importing a new credential
$$$ curl \
        --request PUT \
        --header 'content-type: application/json' \
        --data-binary @/dev/stdin \
        http://127.0.0.1:60606/credentials/amazon \
    <<'EOS'
{
    "access-key" : "AKIDEXAMPLE",
    "secret-key" : "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
}
EOS
>>> true
Modules and operations management
The following snippet shows the available modules; in the current version only the one for |AWS| is implemented.
Listing available modules
$$$ curl http://127.0.0.1:60606/modules
>>> ["aws"]
The following snippet shows the available operations, in this case the ones for |AWS|, for which only the fourth version of the signature scheme exists.
Listing available operations for a module
$$$ curl http://127.0.0.1:60606/modules/aws/operations
>>> ["query-authenticate-v4"]
Authenticating a call
The following snippet shows how one can ask the credential service to sign an |AWS| call with the credentials identified by the token amazon. The inputs have the following meaning:
- region represents the targeted region; (on the |AWS| documentation there is a complete list of such constants;)
- service represents the identifier of the targeted service; (on the |AWS| documentation there is a complete list of such constants;)
- timestamp represents the timestamp at which the request was signed, and the time drift between the client and the |AWS| service must be at most 30 seconds; (moreover the credential service must check that the timestamp is not too far in the future or in the past;)
- request is the fingerprint of the request; how it is computed depends on the kind of request being signed;
Executing an operation over a credential
$$$ curl \
        --request POST \
        --header 'content-type: application/json' \
        --data-binary @/dev/stdin \
        http://127.0.0.1:60606/modules/aws/operations/query-authenticate-v4/amazon \
    <<'EOS'
{
    "region" : "us-east-1",
    "service" : "host",
    "timestamp" : 1315611360000,
    "request" : "0846c2945b0832deb7a463c66af5c4f8bd54ec28c438e67a214445b157c9ddf8"
}
EOS
>>> {
    "credential" : "AKIDEXAMPLE/20110909/us-east-1/host/aws4_request",
    "signature" : "56c054473fd260c13e4e7393eb203662195f5d4a1fada5314b8b52b23f985e9f"
}
It must be noted that the library code has to be updated accordingly: instead of combining these inputs with the credentials itself, it makes a call to the credential service with these inputs and receives the outputs it would normally have computed in-process.
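As an added example (not the project's own code), the following Python shows both sides of the call described above. `query_authenticate_v4` is what a signer does with the four inputs: the timestamp-drift check, the credential scope derived from the timestamp, the SigV4 key-derivation chain and the final signature, with the secret key never leaving that function. `RemoteSigner` is the shape the library change at the end takes: it holds only the credential identifier and posts the inputs to the service. The names `RemoteSigner`, `http_transport`, `local_transport`, `build_string_to_sign` and `MAX_DRIFT_SECONDS` are assumptions; the credential values are the page's example pair; whether the service computes exactly this signature variant is not stated on the page, so the example asserts on the derived scope and string-to-sign rather than on the page's signature value.

```python
import hashlib
import hmac
import json
import time
import urllib.request
from datetime import datetime, timezone

# Allowed clock drift between client and signer, as stated on the page (assumed name).
MAX_DRIFT_SECONDS = 30

# Constructed sample credential store: the page's example key pair under the id "amazon".
CREDENTIALS = {
    "amazon": {
        "access-key": "AKIDEXAMPLE",
        "secret-key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    }
}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def check_timestamp(timestamp_ms: int, now_ms: float) -> None:
    """Reject requests whose timestamp is too far from the signer's own clock."""
    if abs(timestamp_ms - now_ms) > MAX_DRIFT_SECONDS * 1000:
        raise ValueError("timestamp drift exceeds %d seconds" % MAX_DRIFT_SECONDS)


def build_string_to_sign(region: str, service: str, timestamp_ms: int, request_hash: str):
    """Derive the SigV4 date, credential scope and string-to-sign from the page's inputs."""
    when = datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = "/".join((date, region, service, "aws4_request"))
    string_to_sign = "\n".join(("AWS4-HMAC-SHA256", amz_date, scope, request_hash))
    return date, scope, string_to_sign


def query_authenticate_v4(credential_id, region, service, timestamp_ms, request_hash, now_ms=None):
    """Service side: returns the same shape as the page's operation output.
    The secret key is read here and nowhere else."""
    cred = CREDENTIALS[credential_id]
    check_timestamp(timestamp_ms, time.time() * 1000 if now_ms is None else now_ms)
    date, scope, string_to_sign = build_string_to_sign(region, service, timestamp_ms, request_hash)
    # SigV4 key derivation chain: secret -> date -> region -> service -> aws4_request.
    k_date = _hmac(("AWS4" + cred["secret-key"]).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"credential": cred["access-key"] + "/" + scope, "signature": signature}


def http_transport(method, url, body):
    """Real transport: JSON over HTTP to the credential service (assumed helper)."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"content-type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


class RemoteSigner:
    """Client side: the library's replacement for in-process signing.
    It knows only the credential identifier, never the secret key."""

    def __init__(self, credential_id, base_url="http://127.0.0.1:60606", transport=http_transport):
        self.credential_id = credential_id
        self.base_url = base_url
        self.transport = transport

    def sign(self, region, service, timestamp_ms, request_hash):
        url = "%s/modules/aws/operations/query-authenticate-v4/%s" % (self.base_url, self.credential_id)
        body = {"region": region, "service": service, "timestamp": timestamp_ms, "request": request_hash}
        out = self.transport("POST", url, body)
        return out["credential"], out["signature"]


def local_transport(method, url, body):
    """Constructed in-memory transport for offline use: routes the client's POST straight to
    the service-side function above, with the signer clock pinned to the request timestamp."""
    credential_id = url.rsplit("/", 1)[1]
    return query_authenticate_v4(credential_id, body["region"], body["service"],
                                 body["timestamp"], body["request"], now_ms=body["timestamp"])


if __name__ == "__main__":
    signer = RemoteSigner("amazon", transport=local_transport)
    print(signer.sign("us-east-1", "host", 1315611360000,
                      "0846c2945b0832deb7a463c66af5c4f8bd54ec28c438e67a214445b157c9ddf8"))
```

Swapping `local_transport` for the default `http_transport` is the only change needed to talk to a running service on 127.0.0.1:60606; the calling code keeps the same `sign()` interface either way.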