Metadata-Version: 2.1
Name: awscli-plugin-execute-api
Version: 0.0.1
Summary: Plugin to configure a single AWS CLI operation to invoke an API Gateway method
Home-page: https://github.com/nzoschke/awscli-plugin-execute-api
Author: Noah Zoschke
Author-email: noah@mixable.net
License: UNKNOWN
Platform: UNKNOWN
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: OS Independent
Description-Content-Type: text/markdown

# awscli-plugin-execute-api

Plugin to configure a single AWS CLI operation to invoke an API Gateway / Lambda method

## Quick Start

### Install with pip

```shell
$ pip install awscli-plugin-execute-api
```

If you installed `awscli` with Homebrew, use its bundled Python:

```shell
$ /usr/local/opt/awscli/libexec/bin/pip install awscli-plugin-execute-api
```

### Register the plugin

```shell
$ aws configure set plugins.execute-api awscli_plugin_execute_api
```

### Configure an operation endpoint

First configure a profile for the IAM with `execute-api:Invoke` permission:

```shell
$ export AWS_PROFILE=myprofile

$ aws configure
AWS Access Key ID [None]: AKIA...
AWS Secret Access Key [None]: pWim...
Default region name [None]: us-east-1
Default output format [None]: json
```

Next configure the plugin for an operation and its API Gateway invocation URL:

```shell
$ aws configure set dynamodb.update-table https://m303r7o808.execute-api.us-east-1.amazonaws.com/Prod/update-table
```

<details>
<summary>You can review or manually configure `$HOME/.aws/config`...</summary>

```conf
[plugins]
execute-api = awscli_plugin_execute_api

[profile myprofile]
region = us-east-1
output = json
dynamodb =
    update-table = https://m303r7o808.execute-api.us-east-1.amazonaws.com/Prod/update-table
```
</details>

### Run an operation

Now run a command:

```shell
$ aws dynamodb update-table --table-name $TABLE_NAME --sse-specification Enabled=false
An error occurred (ValidationException) when calling the UpdateTable operation: Custom error from Lambda handler
```

<details>
<summary>You can use the `--debug` flag to verify the endpoint...</summary>

```shell
$ aws dynamodb update-table --debug --table-name $TABLE_NAME
Plugin awscli_plugin_execute_api: Config [myprofile] dynamodb.update-table => URL https://m303r7o808.execute-api.us-east-1.amazonaws.com/Prod/update-table
Plugin awscli_plugin_execute_api: renamed X-Amz-Target DynamoDB_20120810.UpdateTable

$ aws dynamodb describe-table --debug --table-name $TABLE_NAME
Plugin awscli_plugin_execute_api: Config [myprofile] dynamodb.describe-table not found
```
</details>

## Motivation

For security reasons we'd like to give an IAM user access to a **limited subset** of an AWS API call functionality. For example on the `dynamodb update-table` operation we'd like to allow a user to modify:

* Global indexes

But disallow them to modify:

* Provisioned throughput
* Streams
* Server side encryption

A "serverless" solution includes:

* IAM User
    * Policy that disallows `dynamodb:UpdateTable`
    * Policy that allows `execute-api:Invoke` on an API Gateway resource
    * Access keys

* API Gateway Method
    * URL to POST an `update-table` request
    * AWS_IAM authorization

* Lambda Function
    * Policy that allows `dynamodb:UpdateTable`
    * Code that validates and performs `update-table` request

* AWS CLI
    * Custom endpoint URL for `dynamodb update-table` command
    * Request signature for API Gateway

This plugin registers a URL for a single CLI operation and automatically uses it.

```shell
$ aws configure set dynamodb.update-table https://m303r7o808.execute-api.us-east-1.amazonaws.com/Prod/update-table
$ aws dynamodb update-table --table-name $TABLE_NAME --sse-specification Enabled=false
An error occurred (ValidationException) when calling the UpdateTable operation: Modifying SSESpecification is not allowed
```

## Troubleshooting

### IAM

The CLI user needs [API execution permissions](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-iam-policy-examples-for-api-execution.html):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:us-east-1:303718836660:m303r7o808/*/POST/update-table"
            ]
        }
    ]
}
```

### Lambda

The CLI operation is in the `X-Target` header, since `X-Amz-Target` 

## Credits

- https://github.com/wbingli/awscli-plugin-endpoint

