#help

Alexey Brambalov

12/12/2023, 11:03 AM
Hey All, I hope you're all doing well. I'm currently working on implementing AWS authorization for my Cerbos DPD server, and I've encountered some challenges. I found a way to implement Cognito authorization: https://cerbos.dev/blog/using-aws-cognito-with-cerbos-how-to. Is there another way to use AWS authentication with the Cerbos gRPC client? I need to add headers like Authorization: '...', 'X-Amz-Security-Token': '...', 'X-Amz-Date': '...', 'Content-Type': 'application/json'. The authorization header contains a hashed payload.

Charith (Cerbos)

12/12/2023, 11:11 AM
Hi. Are you using the Cerbos Python SDK?

Alexey Brambalov

12/12/2023, 11:16 AM
I will use Javascript

Charith (Cerbos)

12/12/2023, 11:19 AM
I think the http client has support for this already. I am not sure about the grpc client. I'll check.

Alexey Brambalov

12/12/2023, 11:19 AM
Now I just manually created the headers using the AWS SDK and the "got" library, added the headers, and got a response from the Cerbos server. Thinking about how to implement the Cerbos SDK now to "super-charge" it.

Charith (Cerbos)

12/12/2023, 11:22 AM
Looks like it's not implemented on the grpc client. We'll look into adding support for that very soon.

Alexey Brambalov

12/12/2023, 11:22 AM
Thank you!
But I can use Cognito authentication, right?

Charith (Cerbos)

12/12/2023, 11:26 AM
Yes, definitely. Cerbos is for making authorization decisions after you have authenticated your users using Cognito or any other authentication provider (IdP). Because you provide Cerbos with all the data it needs to make authorization decisions, your choice of identity provider has no impact on Cerbos.

Bradey Wood

12/12/2023, 11:33 AM
Hi -- @Alexey Brambalov is working with me on this same issue. We can use the HTTP client rather than the RPC client, but for us, the challenge is this. Our Cerbos Server is served from a container in ECS and fronted by an NLB that requires AWS IAM Authentication in order to be invoked. We are trying to figure out how to pass AWS's credential headers through the JavaScript SDK -- via a vanilla HTTP request we can do it, but we need a way to pass this credential data into the SDK.
Note that the AWS IAM creds are for a service account that we use to secure inter-account comms -- these creds are nothing to do with the end-user's authentication, nor are we needing to pass any JWTs or such stuff into Cerbos.
Note also that the HTTP call that we are making here, is server side (from a lambda in one AWS account to our cerbos service in another AWS account).

Charith (Cerbos)

12/12/2023, 11:37 AM
Yeah, I understand. The HTTP JavaScript client has support for adding custom headers to the request through Options (https://github.com/cerbos/cerbos-sdk-javascript/blob/main/docs/http.options.md). It was added for this exact reason.

Bradey Wood

12/12/2023, 11:44 AM
1 more question -- AWS IAM Authentication requires an HMAC header which is a hash over the entire HTTP body. How can I ask the SDK to give me the body before it POSTs it so that I can calculate the HMAC header?

Charith (Cerbos)

12/12/2023, 11:48 AM
Hmm.. I don't think that's possible. AWS supports specifying a set of signed headers in the request, doesn't it? So I think that might be the way to go.

Bradey Wood

12/12/2023, 11:51 AM
that signed set of headers, includes the HMAC, which requires the HTTP body in its entirety as an input

Charith (Cerbos)

12/12/2023, 12:12 PM
It's been a while since I used AWS but IIRC signing the payload is optional, isn't it?

Bradey Wood

12/12/2023, 12:15 PM
nope, not as far as I can tell.

Charith (Cerbos)

12/12/2023, 12:17 PM
According to https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html, I think you can set the UNSIGNED-PAYLOAD header.

Bradey Wood

12/12/2023, 1:16 PM
interesting -- we'll try this out, but this is S3 docs, not API G/W docs, but it might still work.
@Charith (Cerbos) -- how much of a PITA would it be to enable a mechanism to sign the payload prior to calling the server? We're evaluating options here, so your answer will help us with how we choose to proceed.

Charith (Cerbos)

12/12/2023, 1:44 PM
"but this is S3 docs, not API G/W docs, but it might still work."
I got there from https://docs.aws.amazon.com/IAM/latest/UserGuide/aws-signing-authentication-methods.html so I think it applies to all signed requests. I don't think it's quite straightforward to support full payload signing in the Cerbos SDK in a maintainable way because you need to be able to canonicalize the request and basically have a lot of invasive control over the request lifecycle in order to do it. So, I don't think we would be able to support that in the short term. That being said, the Cerbos API is extremely simple and you could very easily write your own client to access it. Some of our users already do that.

Bradey Wood

12/12/2023, 2:10 PM
ok -- noted.