AWS API auth from OAuth
This is my first time working with the AWS API, so sorry for the newbie question.
I need to access this endpoint
https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/declarations
to post declarations on this website:
postingdeclaration.eu
I found a config file on the site:
```json
{
  "aws": {
    "enabled": true,
    "config": {
      "Auth": {
        "region": "eu-west-1",
        "mandatorySignIn": true,
        "clearStorageOnInit": false,
        "identityPoolId": "eu-west-1:adb74568-cac1-89b3-75e8-db123d6rtee9",
        "userPoolId": "eu-west-1_U8iuLTd6R",
        "userPoolWebClientId": "12db2t9v156qgdpsrlujjlc6kl",
        "oauth": {
          "domain": "auth.postingdeclaration.eu",
          "scope": [
            "user",
            "email",
            "domain",
            "firstName",
            "lastName"
          ],
          "redirectSignIn": "https://www.postingdeclaration.eu/home",
          "redirectSignOut": "https://ecas.ec.europa.eu/cas/logout",
          "responseType": "code",
          "identityProvider": "euLogin"
        }
      },
      "API": {
        "endpoints": [
          {
            "name": "Users",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/users"
          },
          {
            "name": "Invitations",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/invitations"
          },
          {
            "name": "Accounts",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/accounts"
          },
          {
            "name": "Declarations",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/declarations"
          },
          {
            "name": "RoadsideCheck",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/bo/declarations"
          },
          {
            "name": "Drivers",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/drivers"
          },
          {
            "name": "Operators",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/operators"
          },
          {
            "name": "Requests",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/requests"
          },
          {
            "name": "Documents",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/documents"
          },
          {
            "name": "Messages",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/messages"
          },
          {
            "name": "HistoryLog",
            "region": "eu-west-1",
            "endpoint": "https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/history-logs"
          }
        ]
      }
    }
  }
}
```
I have only that config, the endpoints, and the username and password from this website, postingdeclaration.eu.
I tried to use this script, but I am stuck: my username and password are not the same as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
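```python
import requests
from requests_aws4auth import AWS4Auth

# Placeholders: SigV4 signing expects IAM access keys, not a website login
AWS_ACCESS_KEY_ID = ""
AWS_SECRET_ACCESS_KEY = ""

session = requests.Session()
session.auth = AWS4Auth(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'eu-west-1', 'execute-api')
# Send through the session so the configured signer is actually applied
response = session.get('https://b7dyyr5r1s.execute-api.eu-west-1.amazonaws.com/prod/declarations')
```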
The website is getting the AWS keys from the response:
```python
headers = {
    'authority': 'cognito-identity.eu-west-1.amazonaws.com',
    'sec-ch-ua': '" Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"',
    'sec-ch-ua-mobile': '?0',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36',
    'content-type': 'application/x-amz-json-1.1',
    'x-amz-content-sha256': 'Hash',
    'x-amz-target': 'AWSCognitoIdentityService.GetCredentialsForIdentity',
    'x-amz-user-agent': 'aws-amplify/2.3.0 js aws-amplify/2.3.0 js callback',
    'sec-ch-ua-platform': '"Windows"',
    'accept': '*/*',
    'origin': 'https://www.postingdeclaration.eu',
    'sec-fetch-site': 'cross-site',
    'sec-fetch-mode': 'cors',
    'sec-fetch-dest': 'empty',
    'referer': 'https://www.postingdeclaration.eu/',
    'accept-language': 'en-US,en;q=0.9',
}
data = '{"Logins":{"cognito-idp.eu-west-1.amazonaws.com/eu-west-1_M5iuBYd1C":"Hash"},"IdentityId":"eu-west-1:ID"}'
```
But how does the website generate the hashes?
So what is the right syntax to use that type of AWS API config?
Solution 1:[1]
Update:
Knowing that you are using OAuth with the euLogin identity provider (https://auth.postingdeclaration.eu/), we will need to do the following:
- Log in with the identity provider and receive an access token (you will need the client credentials: client_id, client_secret)
- Do an HTTP request to the API Gateway and include the access token
To do the first you need something like this:
```python
import requests

client_id = ""
client_secret = ""
url = "https://auth.postingdeclaration.eu/"

response = requests.post(
    url,
    data={"grant_type": "client_credentials"},
    auth=(client_id, client_secret),
)
token = response.json()["access_token"]
```
Then you will be able to connect to the API with the returned token, with something like this:
```python
import requests

token = ""
headers = {'Authorization': 'Bearer ' + token}
api_url = 'https://XXXXXXXXXXX.execute-api.eu-west-1.amazonaws.com/stage/XXXXXXXXXXX'
r = requests.get(api_url, headers=headers)
```
You have some things to work through to make these REST requests work on the API Gateway:
First, you need to have access to the AWS console, or know who has it; you are not able to work on settings/permissions with only the data that you have.
Then, this config that you are sharing is an Amplify config, and if you check the Auth settings, it is using Cognito User Pools / Identity Pools, so this can be the first place to check: check whether you have permissions to talk with this API.
Also, check in the API Gateway whether the Authorizer is configured properly.
And you need to check the API settings and permissions. (Is this API private? If so, you need to check the API resource policy: is it restricted to a VPC?) If not, is it public? Are the Authorizers configured properly?
If everything is configured properly, and you want to use your AWS credentials (know that this is not a good security pattern), you will need to check the permissions for your IAM user, like the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:*:*"
      ]
    }
  ]
}
```
In general, there is a lot of stuff to check, and you need to have someone with permissions on this API and AWS account to help you.
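The credential exchange captured in the question (`GetCredentialsForIdentity`), as an added example that is not part of the original question or answer: it builds the two Cognito Identity calls from an Amplify-style `Auth` block and maps the reply onto the inputs a SigV4 signer needs. The config values, tokens and helper names are constructed for illustration; it assumes you already hold a user-pool ID token from the hosted sign-in and that the API Gateway stage uses IAM authorization.

```python
import hashlib
import json
import urllib.request

# Constructed sample shaped like the "Auth" block of an Amplify config (placeholder IDs).
SAMPLE_AUTH = {
    "region": "eu-west-1",
    "identityPoolId": "eu-west-1:00000000-0000-0000-0000-000000000000",
    "userPoolId": "eu-west-1_EXAMPLE",
}

def logins(auth, id_token):
    """Logins map: user-pool provider name -> the ID token (a JWT, not a hash)."""
    provider = f"cognito-idp.{auth['region']}.amazonaws.com/{auth['userPoolId']}"
    return {provider: id_token}

def build_request(auth, target, payload):
    """Build one Cognito Identity call; GetId/GetCredentialsForIdentity are unsigned."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "x-amz-target": f"AWSCognitoIdentityService.{target}",
        # Hex SHA-256 of the body: a derived value, not a secret.
        "x-amz-content-sha256": hashlib.sha256(body).hexdigest(),
    }
    return f"https://cognito-identity.{auth['region']}.amazonaws.com/", headers, body

def get_id_request(auth, id_token):
    payload = {"IdentityPoolId": auth["identityPoolId"], "Logins": logins(auth, id_token)}
    return build_request(auth, "GetId", payload)

def get_credentials_request(auth, identity_id, id_token):
    payload = {"IdentityId": identity_id, "Logins": logins(auth, id_token)}
    return build_request(auth, "GetCredentialsForIdentity", payload)

def send(url, headers, body):
    """POST a built request and return the decoded JSON reply (needs network access)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def sigv4_inputs(reply, region):
    """Map a GetCredentialsForIdentity reply onto the values a SigV4 signer needs."""
    c = reply["Credentials"]
    return {"access_id": c["AccessKeyId"], "secret_key": c["SecretKey"],
            "session_token": c["SessionToken"], "region": region, "service": "execute-api"}
```

The returned keys are temporary, so the signer must also receive the session token; `AWS4Auth` accepts it as the `session_token` keyword argument alongside the positional access key, secret key, region and service.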
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |
