aws-api-gateway-authz

command module v0.1.0
Published: Mar 8, 2021 License: Apache-2.0 Imports: 4 Imported by: 0

README

aws-api-gateway-authz

This package showcases an example of how Open Policy Agent (OPA) can be used as a Policy Decision Point (PDP) to provide featureful access control.

This package contains:

Builtins

We've implemented two new builtin functions.

- build.geo_from_ip(ip_address)

Returns a detailed geolocation object for the given ip_address using the Maxmind GeoLite2 Database.

We can define access control based on geolocation using this builtin.

In the example, we use it to check where a request to our AWS API Gateway endpoint is coming from, and allow/deny access based on this information.

- build.rate_limit(key, limit)

For a predefined RATE_LIMITER_DURATION, returns false for the first limit calls made with the given key within that duration, and true once the key has been seen more than limit times within the duration.

This builtin provides a flexible way to implement rate-limiting on any operation. It needs to be connected to a Redis server: you can set it up yourself, or use solutions like AWS ElastiCache (managed Redis).

Because the counters live in the shared Redis store rather than in any single PDP's memory, this function is safe to use across multiple PDPs: if they are all connected to the same Redis server, we can expect the results for a given key and limit to be consistent across all of them.

In the example, we use it to rate-limit requests made to our AWS API Gateway endpoint.
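To make the rate_limit contract above concrete, here is an added Go example (not the project's code) that implements the same fixed-window semantics over an abstract counter. It assumes the builtin is backed by an atomic Redis INCR plus an EXPIRE set on the window's first hit; the in-memory counter is a constructed stand-in so the block runs offline and, unlike Redis, gives no cross-PDP consistency.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Counter abstracts the two Redis primitives a fixed-window limiter needs: an
// atomic INCR returning the new count, and a TTL set on the key's first hit.
type Counter interface {
	IncrWithTTL(key string, ttl time.Duration, now time.Time) int64
}

// memCounter is a constructed in-process stand-in for Redis: same semantics, but not shared across PDPs.
type memCounter struct {
	mu    sync.Mutex
	count map[string]int64
	exp   map[string]time.Time
}

func newMemCounter() *memCounter {
	return &memCounter{count: map[string]int64{}, exp: map[string]time.Time{}}
}

func (m *memCounter) IncrWithTTL(key string, ttl time.Duration, now time.Time) int64 {
	m.mu.Lock()
	defer m.mu.Unlock()
	if t, ok := m.exp[key]; ok && !now.Before(t) { // window elapsed: key is gone, as after Redis EXPIRE
		delete(m.count, key)
		delete(m.exp, key)
	}
	m.count[key]++
	if m.count[key] == 1 {
		m.exp[key] = now.Add(ttl) // TTL is set only on the window's first hit
	}
	return m.count[key]
}

// RateLimit mirrors the README contract: false for the first `limit` calls on `key` within `duration`, true after.
func RateLimit(c Counter, key string, limit int64, duration time.Duration, now time.Time) bool {
	return c.IncrWithTTL(key, duration, now) > limit
}

func main() {
	c := newMemCounter()
	for i := 1; i <= 4; i++ { // limit 3: prints false, false, false, true
		fmt.Println(i, RateLimit(c, "203.0.113.7", 3, time.Minute, time.Now()))
	}
}
```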

Start up the PDP

After setting up Redis, you can use our Docker image to run the PDP:

docker pull buildsecurity/api-gw-pdp
# start the PDP container, pointing it at your Redis instance
docker run \
    -e RATE_LIMITER_REDIS_ENDPOINT=<your Redis endpoint> \
    -e RATE_LIMITER_REDIS_PASSWORD=<your Redis password, if you've set one> \
    -e RATE_LIMITER_DURATION=<the duration basis for rate-limiting> \
    -p 8181:8181 \
    --name pdp \
    buildsecurity/api-gw-pdp

Try the builtins using the CLI

After starting the PDP as described above, run the following in a separate terminal:

docker exec -it pdp ./api_gw_pdp run

You are now in OPA interactive mode. Try, for example,

build.geo_from_ip("8.8.8.8")

Build from scratch

The build downloads Maxmind geolocation assets and packages them into the PDP. To build from scratch, you need to create a MaxMind account and generate a license key.

Then run

MAXMIND_LICENSE_KEY=<your license> make fetch-assets && make build

Documentation


There is no documentation for this package.
