Usage

Credential management

The following shell code snippet shows how one can list the available credentials. (Of course initially it will be empty, and after one imports a set of credentials their identifiers will appear.)

Listing available credentials

$$$ curl http://127.0.0.1:60606/credentials

>>> ["amazon"]

The following snippet shows how one can import an AWS-compatible credential; the identifier of the credential is amazon, however one can import multiple AWS credentials under different identifiers.

Importing a new credential

$$$ curl \
        --request PUT \
        --header 'content-type: application/json' \
        --data-binary @/dev/stdin \
        http://127.0.0.1:60606/credentials/amazon \
<<'EOS'
{
    "access-key" : "AKIDEXAMPLE",
    "secret-key" : "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
}
EOS

>>> true

Modules and operations management

The following snippet lists the available modules; in the current version only the one for AWS is implemented.

Listing available modules

$$$ curl http://127.0.0.1:60606/modules

>>> ["aws"]

The following snippet lists the available operations, in the current case the ones for AWS, for which only the fourth version of the signature scheme exists.

Listing available operations for a module

$$$ curl http://127.0.0.1:60606/modules/aws/operations

>>> ["query-authenticate-v4"]

Authenticating a call

The following snippet shows how one can ask the credential service to sign an AWS call with the credentials identified by the token amazon. The meaning of the inputs is the following:

  • region represents the targeted region; (the AWS documentation has a complete list of such constants;)
  • service represents the identifier of the targeted service; (the AWS documentation has a complete list of such constants;)
  • timestamp represents the time at which the request was signed; the time drift between the client and the AWS service must be at most 30 seconds; (moreover the credential service must check that the timestamp is not too far in the future or in the past;)
  • request is the fingerprint of the request, which, depending on the actual request, is computed in various ways;

Executing an operation over a credential

$$$ curl \
        --request POST \
        --header 'content-type: application/json' \
        --data-binary @/dev/stdin \
        http://127.0.0.1:60606/modules/aws/operations/query-authenticate-v4/amazon \
<<'EOS'
{
    "region" : "us-east-1",
    "service" : "host",
    "timestamp" : 1315611360000,
    "request" : "0846c2945b0832deb7a463c66af5c4f8bd54ec28c438e67a214445b157c9ddf8"
}
EOS

>>> {
    "credential" : "AKIDEXAMPLE/20110909/us-east-1/host/aws4_request",
    "signature" : "56c054473fd260c13e4e7393eb203662195f5d4a1fada5314b8b52b23f985e9f"
}

Note that the client library has to be updated so that, instead of combining these inputs with the credentials itself, it calls the credential service with these inputs and obtains the outputs it would otherwise compute in-process.
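What the service does with the four inputs, as an added example that is not the project's own code: a minimal server-side implementation of the query-authenticate-v4 operation using the page's sample values. The in-memory credential store, the function name and the explicit now_ms parameter (the service's own clock, used for the drift check described above) are assumptions of this example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed in-memory credential store; the values are the same placeholder
# keys used on this page, not real AWS credentials.
CREDENTIALS = {
    "amazon": {
        "access-key": "AKIDEXAMPLE",
        "secret-key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    },
}
MAX_DRIFT_MS = 30 * 1000  # the 30-second drift limit stated above
HEX_DIGITS = set("0123456789abcdef")


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def query_authenticate_v4(credential_id, region, service, timestamp_ms,
                          request_hash, now_ms):
    """Return the SigV4 credential scope and signature for one request.

    Only the request fingerprint (hex SHA-256 of the canonical request) and the
    scope inputs cross the service boundary; the secret key never leaves here.
    """
    creds = CREDENTIALS[credential_id]
    # Reject timestamps too far from the service's own clock, past or future.
    if abs(now_ms - timestamp_ms) > MAX_DRIFT_MS:
        raise ValueError("timestamp drift exceeds %d ms" % MAX_DRIFT_MS)
    if len(request_hash) != 64 or not set(request_hash) <= HEX_DIGITS:
        raise ValueError("request must be a lowercase hex SHA-256 digest")
    when = datetime.fromtimestamp(timestamp_ms // 1000, tz=timezone.utc)
    date = when.strftime("%Y%m%d")              # 20110909 for the page's sample
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")  # 20110909T233600Z
    scope = "%s/%s/%s/aws4_request" % (date, region, service)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, request_hash])
    # SigV4 signing-key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac_sha256(("AWS4" + creds["secret-key"]).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return {"credential": "%s/%s" % (creds["access-key"], scope),
            "signature": signature}
```

Because the request arrives only as a digest, the service cannot inspect what it is signing; the timestamp window is the one bound it can enforce, so the drift check is not optional.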
