Hey All, I hope you're all doing well. I'm currently working on implementing AWS authorization for my Cerbos DPD server, and I've encountered some challenges. I found the way how implement Cognito Authorization https://cerbos.dev/blog/using-aws-cognito-with-cerbos-how-to. Is there another way to use AWS Authentication with the Cerbos GRPC client? I need to add headers like Authorization: '...' 'X-Amz-Security-Token': '...' 'X-Amz-Date': '...' 'Content-Type': 'application/json' The authorization header contains a hashed payload.

Hi. Are you using the Cerbos Python SDK?

I will use Javascript

I think the http client has support for this already. I am not sure about the grpc client. I'll check.

Now I just manually created the headers using aws sdk and "got" library added headers and got a response from the cerbos server. Thinking about how to implement Cerbos SDK now to "super-charge" it.

Looks like it's not implemented on the grpc client. We'll look into adding support for that very soon.

Thank you!

Yes, definitely. Cerbos is for making authorization decisions after you have authenticated your users using Cognito or any other authentication provider (IdP). Because you provide Cerbos with all the data it needs to make authorization decisions, your choice of identity provider has no impact on Cerbos.

Hi -- @Alexey Brambalov is working with me on this same issue. We can use the HTTP client rather than the RPC client, but for us, the challenge is this. Our Cerbos Server is served from a containder in ECS and fronted by an NLB that requires AWS IAM Authentication in order to be invoked. We are trying to figure out how to pass AWS's credential headers through the JavaScript SDK -- via a vanilla HTTP request we can do it, but we need a way to pass this credential data into the SDK.

Yeah, I understand. The http Javascript client has support for adding custom headers to the request though

Options

https://github.com/cerbos/cerbos-sdk-javascript/blob/main/docs/http.options.md. It was added for this exact reason.

1 more question -- AWS IAM Authentication requires an HMAC header which is a hash over the entire HTTP body. How can I ask the SDK to give me the body before it POSTs it so that I can calculate the HMAC header?

Hmm.. I don't think that's possible. AWS supports specifying a set of signed headers in the request, doesn't it? So I think that might be the way to go.

that signed set of headers, includes the HMAC, which requires the HTTP body in its entirety as an input

It's been a while since I used AWS but IIRC signing the payload is optional, isn't it?

nope, not as far as I can tell.

According to https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html, I think you can set the

UNSIGNED-PAYLOAD

header.

interesting -- we'll try this out, but this is S3 docs, not API G/W docs, but it might still work.

but this is S3 docs, not API G/W docs, but it might still work.

I got there from https://docs.aws.amazon.com/IAM/latest/UserGuide/aws-signing-authentication-methods.html so I think it applies to all signed requests. I don't think it's quite straightforward to support full payload signing in the Cerbos SDK in a maintainable way because you need to be able to canonicalize the request and basically have a lot of invasive control over the request lifecycle in order to do it. So, I don't think we would be able to support that in the short term. That being said, the Cerbos API is extremely simple and you could very easily write your own client to access it. Some of our users already do that.

ok -- noted.