Provectus, profile picture
Uploaded byProvectus
PPTX, PDF346 views

How to implement authorization in your backend with AWS IAM

This document discusses implementing authorization in a backend environment using AWS IAM, emphasizing the importance of secure credential management across various services. It outlines a framework for generating signed STS requests to authenticate users and acquire JWT tokens for API access. Several practical examples and code snippets illustrate the implementation process, while additional resources for deeper understanding are also provided.

Embed presentation

Download to read offline
How to implement authorization in your backend with AWS IAM
About me - 14 years in industry - DevOps Consultant at Provectus stanislav@ivashchenko.family Stanislav Ivashchenko DevOps Lead
Boost your career in Provectus
Typical app these days: many players https://commons.wikimedia.org/wiki/File:Pride_and_Prejudice_Character_Map.png
2 Questions for backend ● Service discovery ● Credentials
Login to your application
A new service starts up, where to get credentials? 1. Bake into ami or docker image or use a hardcode? 2. Provision with Chef/Puppet/Ansible/script over ssh? 3. Get from s3 bucket? 4. Parameter Store? 5. Vault? 6. Surprisingly many more ways, actually! 7. The questions is absolutely the same for any code you run: EC2, Lambda, ECS
S3, Parameter Store, Vault But how do you login there in the first place? Ah, IAM instance profiles!
Inspired by how Vault authenticates users https://www.hashicorp.com/resources/deep-dive-vault-aws-auth-backend
But why use Vault or Parameter Store, go directly with IAM and STS
WhoAmI Request on STS ● This is a cornerstone of the entire idea ● Such request actually exists: sts:GetCallerIdentity ● Signed requests live for 15 min ● Discussed https://github.com/hashicorp/vault/issues/948 ● Implemented in Vault https://github.com/hashicorp/vault/pull/1962
MiM used for good with STS
Example implementation ● API server - simple RoR api ● Client - python script ● https://github.com/sam50/ror_aws_iam_auth ● 2 instances, client has an EC2 instance profile with role
What Client is doing 1. Generates signed STS GetCallerIdentity request 2. Sends it to server http://<ip name>:3000/authenticate 3. Gets JWT Auth token 4. Uses that token to do things in API
def generate_sts_request(AppId): session = botocore.session.get_session() client = session.create_client('sts') endpoint = client._endpoint operation_model = client._service_model.operation_model('GetCallerIdentity') request_dict = client._convert_to_request_dict({}, operation_model) request_dict['headers']['X-APP-ID'] = AppId request = endpoint.create_request(request_dict, operation_model) return { 'iam_http_request_method': base64.b64encode(request.method), 'iam_request_url': base64.b64encode(request.url), 'iam_request_body': base64.b64encode(request.body), 'iam_request_headers': base64.b64encode(json.dumps(dict(request.headers))), }
$ ./api_client.py <AppId> http://<server>/authenticate Blah-blah-Debug {"auth_token":"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE1NTk5OTYyMjZ9.H9zjYGAIUwBZY 5Kb3KlF9eegTph9GmBBbLNrki1450U"} curl -H "Authorization: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE1NTk5OTYyMjZ9.H9zjYGAIUwBZY5Kb3KlF9eegT ph9GmBBbLNrki1450U" http://<server>:3000/items
What server is doing 1. A simple API ($rails new api1 --api) 2. Uses a JWT (gem 'jwt') 3. Uses simple command(gem 'simple_command') 4. Receives login(signed sts:GetCallerIdentity) at /authenticate 5. Sends signed request to STS* 6. (if-ok) Looks for the user by the Role ARN 7. (if-ok) issues a JWT token to the client
def authenticate_iam uri = URI.parse("https://sts.amazonaws.com/") http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true request = "Net::HTTP::#{@iam_http_request_method.capitalize}".constantize.new(uri.request_uri) request.set_form_data(Rack::Utils.parse_nested_query(@iam_request_body)) headers = JSON.parse(@iam_request_headers) headers.each do |header, value| request[header]=value end if headers['X-APP-ID'] != 'APP1-live' return false end response = http.request(request) . . . . . . . . . . . .
. . . . . . . . . . if response.code != '200' || response.body.empty? return false else xml = Nokogiri::XML(response.body) stsarn = xml.remove_namespaces!.xpath("GetCallerIdentityResponse/GetCallerIdentityResult/Arn").text if stsarn.empty? return false else return stsarn.gsub("arn:aws:sts","arn:aws:iam").gsub("assumed-role","role").gsub(//[A-z0-9-]*$/,"") end end return false end
git clone https://github.com/sam50/ror_aws_iam_auth cd ror_aws_iam_auth bundle install rake db:migrate rails c >User.create!(name:"client1", iamarn: "<Your role ARN here arn:aws:iam::xxxx:role/role-name") rails s -b 0.0.0.0 3000
Signed Request (b64Decoded) {"iam_request_body": "Action=GetCallerIdentity&Version=2011-06-15", "iam_request_url": "https://sts.amazonaws.com/", "iam_request_headers": "{"Content-Length": "X","X-Amz-Date": "X", "X-APP-ID": "AppId", "User- Agent": "Botocore/1.12.139 Python/2.7.15rc1 Linux/4.15.0-1032-aws", "X-Amz-Security-Token": "<Token>", "Content-Type": "application/x-www-form-urlencoded; charset=utf-8", "Authorization": "AWS4-HMAC-SHA256 Credential=<CredsID>, SignedHeaders=content-type;host;x-amz-date;x-amz- security-token;x-app-id, Signature=<Signiture>"}", "iam_http_request_method": "POST"}
Q&A
Thank you!
We are hiring!

More Related Content

ODP
Codegnitorppt
bysreedath c g
 
PDF
Global Windows Azure Bootcamp : Cedric Derue playing with php on azure. (spon...
byMUG-Lyon Microsoft User Group
 
DOCX
Microsoft identity platform and device authorization flow to use azure servic...
bySunil kumar Mohanty
 
PPT
Form demoinplaywithmysql
byKnoldus Inc.
 
PDF
Django の認証処理実装パターン / Django Authentication Patterns
byMasashi Shibata
 
PDF
Service Objects in Rails apps
byDawid Cichuta
 
PDF
Ajax Rails
byhot
 
KEY
IoC with PHP
byChris Weldon
 
Codegnitorppt
bysreedath c g
 
Global Windows Azure Bootcamp : Cedric Derue playing with php on azure. (spon...
byMUG-Lyon Microsoft User Group
 
Microsoft identity platform and device authorization flow to use azure servic...
bySunil kumar Mohanty
 
Form demoinplaywithmysql
byKnoldus Inc.
 
Django の認証処理実装パターン / Django Authentication Patterns
byMasashi Shibata
 
Service Objects in Rails apps
byDawid Cichuta
 
Ajax Rails
byhot
 
IoC with PHP
byChris Weldon
 

What's hot

PPTX
AngularJS training - Day 1 - Basics: Why, What and basic features of AngularJS
bymurtazahaveliwala
 
PPTX
Introduction to OAuth
byMikkel Flindt Heisterberg
 
PDF
UI5CN Live Webinar for FAQ and Q&A on 08th June
byAJAY NAYAK
 
PDF
devise tutorial - 2011 rubyconf taiwan
byTse-Ching Ho
 
PDF
Medium TechTalk — iOS
byjimmyatmedium
 
PDF
From mvc to viper
byKrzysztof Profic
 
PPTX
Angular Tutorial Freshers and Experienced
byrajkamaltibacademy
 
AngularJS training - Day 1 - Basics: Why, What and basic features of AngularJS
bymurtazahaveliwala
 
Introduction to OAuth
byMikkel Flindt Heisterberg
 
UI5CN Live Webinar for FAQ and Q&A on 08th June
byAJAY NAYAK
 
devise tutorial - 2011 rubyconf taiwan
byTse-Ching Ho
 
Medium TechTalk — iOS
byjimmyatmedium
 
From mvc to viper
byKrzysztof Profic
 
Angular Tutorial Freshers and Experienced
byrajkamaltibacademy
 

Similar to How to implement authorization in your backend with AWS IAM

PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
PDF
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
PDF
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
PPTX
Api security
byteodorcotruta
 
PPTX
Enhancing API Security and Privacy Through Hardening the Access Token | apida...
byCurity
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
PDF
Centralise legacy auth at the ingress gateway, SREday
byAndrew Kirkpatrick
 
PDF
Centralise legacy auth at the ingress gateway
byAndrew Kirkpatrick
 
PPTX
Funky serverless features at aws
byDoug Winter
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PDF
Practical API Security - Midwest PHP 2018
byAdam Englander
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
byHitachi, Ltd. OSS Solution Center.
 
PDF
Who’s Knocking? Identity for APIs, Web and Mobile
byNordic APIs
 
PDF
IT-Security@Contemporary Life
byOliver Pfaff
 
PPTX
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
byHitachi, Ltd. OSS Solution Center.
 
PDF
Oauth2.0
byiratao
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PDF
2016 pycontw web api authentication
byMicron Technology
 
PDF
OAuth Base Camp
byOliver Pfaff
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
Api security
byteodorcotruta
 
Enhancing API Security and Privacy Through Hardening the Access Token | apida...
byCurity
 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
Centralise legacy auth at the ingress gateway, SREday
byAndrew Kirkpatrick
 
Centralise legacy auth at the ingress gateway
byAndrew Kirkpatrick
 
Funky serverless features at aws
byDoug Winter
 
Securing Web Applications with Token Authentication
byStormpath
 
Practical API Security - Midwest PHP 2018
byAdam Englander
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
byHitachi, Ltd. OSS Solution Center.
 
Who’s Knocking? Identity for APIs, Web and Mobile
byNordic APIs
 
IT-Security@Contemporary Life
byOliver Pfaff
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
byHitachi, Ltd. OSS Solution Center.
 
Oauth2.0
byiratao
 
Securing RESTful API
byMuhammad Zbeedat
 
2016 pycontw web api authentication
byMicron Technology
 
OAuth Base Camp
byOliver Pfaff
 

More from Provectus

PPTX
Choosing the right IDP Solution
byProvectus
 
PPTX
Intelligent Document Processing in Healthcare. Choosing the Right Solutions.
byProvectus
 
PPTX
Choosing the Right Document Processing Solution for Healthcare Organizations
byProvectus
 
PPTX
MLOps and Data Quality: Deploying Reliable ML Models in Production
byProvectus
 
PPTX
AI Stack on AWS: Amazon SageMaker and Beyond
byProvectus
 
PPTX
Feature Store as a Data Foundation for Machine Learning
byProvectus
 
PPTX
MLOps and Reproducible ML on AWS with Kubeflow and SageMaker
byProvectus
 
PPTX
Cost Optimization for Apache Hadoop/Spark Workloads with Amazon EMR
byProvectus
 
PPTX
ODSC webinar "Kubeflow, MLFlow and Beyond — augmenting ML delivery" Stepan Pu...
byProvectus
 
PDF
"Building a Modern Data platform in the Cloud", Alex Casalboni, AWS Dev Day K...
byProvectus
 
PDF
"How to build a global serverless service", Alex Casalboni, AWS Dev Day Kyiv ...
byProvectus
 
PDF
"Automating AWS Infrastructure with PowerShell", Martin Beeby, AWS Dev Day Ky...
byProvectus
 
PDF
"Analyzing your web and application logs", Javier Ramirez, AWS Dev Day Kyiv 2...
byProvectus
 
PDF
"Resiliency and Availability Design Patterns for the Cloud", Sebastien Storma...
byProvectus
 
PDF
"Architecting SaaS solutions on AWS", Oleksandr Mykhalchuk, AWS Dev Day Kyiv ...
byProvectus
 
PDF
"Developing with .NET Core on AWS", Martin Beeby, AWS Dev Day Kyiv 2019
byProvectus
 
PDF
"How to build real-time backends", Martin Beeby, AWS Dev Day Kyiv 2019
byProvectus
 
PDF
"Integrate your front end apps with serverless backend in the cloud", Sebasti...
byProvectus
 
PDF
"Scaling ML from 0 to millions of users", Julien Simon, AWS Dev Day Kyiv 2019
byProvectus
 
PDF
Yurii Gavrilin | ML Interpretability: From A to Z | Kazan ODSC Meetup
byProvectus
 
Choosing the right IDP Solution
byProvectus
 
Intelligent Document Processing in Healthcare. Choosing the Right Solutions.
byProvectus
 
Choosing the Right Document Processing Solution for Healthcare Organizations
byProvectus
 
MLOps and Data Quality: Deploying Reliable ML Models in Production
byProvectus
 
AI Stack on AWS: Amazon SageMaker and Beyond
byProvectus
 
Feature Store as a Data Foundation for Machine Learning
byProvectus
 
MLOps and Reproducible ML on AWS with Kubeflow and SageMaker
byProvectus
 
Cost Optimization for Apache Hadoop/Spark Workloads with Amazon EMR
byProvectus
 
ODSC webinar "Kubeflow, MLFlow and Beyond — augmenting ML delivery" Stepan Pu...
byProvectus
 
"Building a Modern Data platform in the Cloud", Alex Casalboni, AWS Dev Day K...
byProvectus
 
"How to build a global serverless service", Alex Casalboni, AWS Dev Day Kyiv ...
byProvectus
 
"Automating AWS Infrastructure with PowerShell", Martin Beeby, AWS Dev Day Ky...
byProvectus
 
"Analyzing your web and application logs", Javier Ramirez, AWS Dev Day Kyiv 2...
byProvectus
 
"Resiliency and Availability Design Patterns for the Cloud", Sebastien Storma...
byProvectus
 
"Architecting SaaS solutions on AWS", Oleksandr Mykhalchuk, AWS Dev Day Kyiv ...
byProvectus
 
"Developing with .NET Core on AWS", Martin Beeby, AWS Dev Day Kyiv 2019
byProvectus
 
"How to build real-time backends", Martin Beeby, AWS Dev Day Kyiv 2019
byProvectus
 
"Integrate your front end apps with serverless backend in the cloud", Sebasti...
byProvectus
 
"Scaling ML from 0 to millions of users", Julien Simon, AWS Dev Day Kyiv 2019
byProvectus
 
Yurii Gavrilin | ML Interpretability: From A to Z | Kazan ODSC Meetup
byProvectus
 

Recently uploaded

PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
PPTX
Redcentric Data Centres: vision, mission and values
byRedcentric
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
PPTX
Explaining ourselves – people, computers and AI
byAlan Dix
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PDF
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
Redcentric Data Centres: vision, mission and values
byRedcentric
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
Explaining ourselves – people, computers and AI
byAlan Dix
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 

How to implement authorization in your backend with AWS IAM

  • 1.
    How to implementauthorization in your backend with AWS IAM
  • 2.
    About me - 14years in industry - DevOps Consultant at Provectus [email protected] Stanislav Ivashchenko DevOps Lead
  • 3.
  • 4.
    Typical app thesedays: many players https://commons.wikimedia.org/wiki/File:Pride_and_Prejudice_Character_Map.png
  • 5.
    2 Questions forbackend ● Service discovery ● Credentials
  • 6.
    Login to yourapplication
  • 7.
    A new servicestarts up, where to get credentials? 1. Bake into ami or docker image or use a hardcode? 2. Provision with Chef/Puppet/Ansible/script over ssh? 3. Get from s3 bucket? 4. Parameter Store? 5. Vault? 6. Surprisingly many more ways, actually! 7. The questions is absolutely the same for any code you run: EC2, Lambda, ECS
  • 8.
    S3, Parameter Store,Vault But how do you login there in the first place? Ah, IAM instance profiles!
  • 9.
    Inspired by howVault authenticates users https://www.hashicorp.com/resources/deep-dive-vault-aws-auth-backend
  • 10.
    But why useVault or Parameter Store, go directly with IAM and STS
  • 11.
    WhoAmI Request onSTS ● This is a cornerstone of the entire idea ● Such request actually exists: sts:GetCallerIdentity ● Signed requests live for 15 min ● Discussed https://github.com/hashicorp/vault/issues/948 ● Implemented in Vault https://github.com/hashicorp/vault/pull/1962
  • 12.
    MiM used forgood with STS
  • 13.
    Example implementation ● APIserver - simple RoR api ● Client - python script ● https://github.com/sam50/ror_aws_iam_auth ● 2 instances, client has an EC2 instance profile with role
  • 14.
    What Client isdoing 1. Generates signed STS GetCallerIdentity request 2. Sends it to server http://<ip name>:3000/authenticate 3. Gets JWT Auth token 4. Uses that token to do things in API
  • 15.
    def generate_sts_request(AppId): session =botocore.session.get_session() client = session.create_client('sts') endpoint = client._endpoint operation_model = client._service_model.operation_model('GetCallerIdentity') request_dict = client._convert_to_request_dict({}, operation_model) request_dict['headers']['X-APP-ID'] = AppId request = endpoint.create_request(request_dict, operation_model) return { 'iam_http_request_method': base64.b64encode(request.method), 'iam_request_url': base64.b64encode(request.url), 'iam_request_body': base64.b64encode(request.body), 'iam_request_headers': base64.b64encode(json.dumps(dict(request.headers))), }
  • 16.
    $ ./api_client.py <AppId>http://<server>/authenticate Blah-blah-Debug {"auth_token":"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE1NTk5OTYyMjZ9.H9zjYGAIUwBZY 5Kb3KlF9eegTph9GmBBbLNrki1450U"} curl -H "Authorization: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE1NTk5OTYyMjZ9.H9zjYGAIUwBZY5Kb3KlF9eegT ph9GmBBbLNrki1450U" http://<server>:3000/items
  • 17.
    What server isdoing 1. A simple API ($rails new api1 --api) 2. Uses a JWT (gem 'jwt') 3. Uses simple command(gem 'simple_command') 4. Receives login(signed sts:GetCallerIdentity) at /authenticate 5. Sends signed request to STS* 6. (if-ok) Looks for the user by the Role ARN 7. (if-ok) issues a JWT token to the client
  • 18.
    def authenticate_iam uri =URI.parse("https://sts.amazonaws.com/") http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true request = "Net::HTTP::#{@iam_http_request_method.capitalize}".constantize.new(uri.request_uri) request.set_form_data(Rack::Utils.parse_nested_query(@iam_request_body)) headers = JSON.parse(@iam_request_headers) headers.each do |header, value| request[header]=value end if headers['X-APP-ID'] != 'APP1-live' return false end response = http.request(request) . . . . . . . . . . . .
  • 19.
    . . .. . . . . . . if response.code != '200' || response.body.empty? return false else xml = Nokogiri::XML(response.body) stsarn = xml.remove_namespaces!.xpath("GetCallerIdentityResponse/GetCallerIdentityResult/Arn").text if stsarn.empty? return false else return stsarn.gsub("arn:aws:sts","arn:aws:iam").gsub("assumed-role","role").gsub(//[A-z0-9-]*$/,"") end end return false end
  • 20.
    git clone https://github.com/sam50/ror_aws_iam_auth cdror_aws_iam_auth bundle install rake db:migrate rails c >User.create!(name:"client1", iamarn: "<Your role ARN here arn:aws:iam::xxxx:role/role-name") rails s -b 0.0.0.0 3000
  • 21.
    Signed Request (b64Decoded) {"iam_request_body":"Action=GetCallerIdentity&Version=2011-06-15", "iam_request_url": "https://sts.amazonaws.com/", "iam_request_headers": "{"Content-Length": "X","X-Amz-Date": "X", "X-APP-ID": "AppId", "User- Agent": "Botocore/1.12.139 Python/2.7.15rc1 Linux/4.15.0-1032-aws", "X-Amz-Security-Token": "<Token>", "Content-Type": "application/x-www-form-urlencoded; charset=utf-8", "Authorization": "AWS4-HMAC-SHA256 Credential=<CredsID>, SignedHeaders=content-type;host;x-amz-date;x-amz- security-token;x-app-id, Signature=<Signiture>"}", "iam_http_request_method": "POST"}
  • 22.
  • 23.
  • 24.