amazon web service - basics
AWS Basics
Sang-Min Park
API and clients
• Well-designed API made AWS successful
• Do you remember 2006?
• Community gathers around API
• Supports a lot of programming languages and dev environments
• JAVA, PYTHON, RUBY, .NET, JS, etc…
Short history of API changes
• 2006: HTTP REST / SOAP for S3/EC2/SQS
• 2012: SigV4 Introduced
• 2014: SOAP deprecated
• ? : Deprecating SigV2
Current API: Query w/ SigV4
HTTP REST
• Use HTTP verbs
• GET / PUT / POST / DELETE
• Don't necessarily map to CRUD
• Query String
• http://delicious.com/post?url=http://domain.tld/&title=The title of a post
• HTTP Header
• HTTP Body
AWS Query API
• Use HTTP GET/POST
• Use HTTP Header, Query String, Body (POST)
• A request includes:
• Service Endpoint (ec2.amazonaws.com)
• API Action (RunInstances, CreateBucket, … )
• Action’s parameters (# of instances, Bucket name, …)
• Authentication Parameters
• A response includes:
• Code 200: action's return data in XML (JSON for newer services, raw data for S3)
• Code 40X: AuthFailure, InvalidAction, InvalidParameter, …
Query API: Using GET, auth info in Query Param
https://ec2.amazonaws.com/?Action=RunInstances
&ImageId=ami-2bb65342
&MaxCount=3
&MinCount=1
&Placement.AvailabilityZone=us-east-1a
&Monitoring.Enabled=true
&Version=2015-10-01
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130813%2Fus-east-1%2Fec2%2Faws4_request
&X-Amz-Date=20130813T150206Z
&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-date
&X-Amz-Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0194b84example54174deb456c
Content-type: application/json
host: ec2.amazonaws.com
Query API: Using GET, auth info in HTTP Header
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Amz-Date: 20130813T150211Z
Host: ec2.amazonaws.com
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20130813/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0194b84example54174deb456c
http://ec2.amazonaws.com/?Action=RunInstances
&ImageId=ami-2bb65342
&MaxCount=3
&MinCount=1
&Monitoring.Enabled=true
&Placement.AvailabilityZone=us-east-1a
&Version=2015-10-01
Query API: Using POST (parameters in body)
POST /queue1 HTTP/1.1
Host: sqs.us-east-2.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=SendMessage
&MessageBody=Your+Message+Text
&Version=2012-11-05
&Expires=2011-10-15T12%3A00%3A00Z
&AUTHPARAMS
Authentication
• Credential: symmetric key (AWS keeps the secret key)
• access key: “AKIAIOSFODNN7EXAMPLE”
• secret key: “wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY”
• Every request must have a “signature”
• to prove that you have a secret key (authenticity)
• to prove that the request was not altered (integrity)
SigV4 Signing
1. Generate a request (take hash)
2. Generate a string to sign
• hashed request + date + credential scope
3. Derive a signing key (v2 uses original key)
4. Sign the string using HMAC algorithm
5. Put credential + signature in Authorization header
SigV4 Signing, Step 1&2: generate a string to sign (diagram: hash the request, then add date & credential scope)
SigV4 Signing, Step 3&4: derive key & sign (diagram: derive the signing key, then sign)
SigV4 Signing: the signed request
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Amz-Date: 20130813T150211Z
Host: ec2.amazonaws.com
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20130813/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0194b84example54174deb456c
http://ec2.amazonaws.com/?Action=RunInstances
&ImageId=ami-2bb65342
&MaxCount=3
&MinCount=1
&Monitoring.Enabled=true
&Placement.AvailabilityZone=us-east-1a
&Version=2015-10-01
SigV4 Signing: How does AWS verify the request?
• AWS (server side) has your secret key!
• Lookup secret key using the access key in the request
• Generate a signature following the same steps
• Compare signatures
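As an added example (not code from the slides), the five signing steps and the server-side check above in Python, using the placeholder keys and the RunInstances request shown earlier; the request dictionary layout and the function names are my own, and query values are assumed to be already URI-encoded.

```python
import hashlib
import hmac

ALGO = "AWS4-HMAC-SHA256"

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(req):
    # Step 1: normalise the request (sorted query, lowercased sorted headers, body hash) and hash it.
    # Query keys and values are assumed to be already URI-encoded (true for the slide's request).
    lower = {k.lower(): v.strip() for k, v in req["headers"].items()}
    signed_headers = ";".join(sorted(lower))
    text = "\n".join([req["method"], req["path"],
                      "&".join(f"{k}={v}" for k, v in sorted(req["query"].items())),
                      "".join(f"{k}:{lower[k]}\n" for k in sorted(lower)),
                      signed_headers, hashlib.sha256(req["body"]).hexdigest()])
    return hashlib.sha256(text.encode("utf-8")).hexdigest(), signed_headers

def signing_key(secret, date, region, service):
    # Step 3: derive a scoped key; the raw secret never signs a request directly (SigV2 did).
    key = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = hmac_sha256(key, part)
    return key

def sign(access_key, secret, req):
    # Steps 2, 4 and 5: build the string to sign, HMAC it with the derived key, emit the Authorization value.
    amz_date, date = req["headers"]["X-Amz-Date"], req["headers"]["X-Amz-Date"][:8]
    scope = f"{date}/{req['region']}/{req['service']}/aws4_request"
    hashed_request, signed_headers = canonical_request(req)
    string_to_sign = "\n".join([ALGO, amz_date, scope, hashed_request])
    signature = hmac_sha256(signing_key(secret, date, req["region"], req["service"]), string_to_sign).hex()
    return f"{ALGO} Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"

def verify(authorization, secrets, req):
    # Server side: read the access key out of Credential=..., look up its secret, recompute, compare.
    access_key = authorization.partition("Credential=")[2].split("/")[0]
    if access_key not in secrets:
        return False
    expected = sign(access_key, secrets[access_key], req)
    return hmac.compare_digest(expected.encode("utf-8"), authorization.encode("utf-8"))

# Constructed demo input: the RunInstances request and the placeholder keys from the slides.
ACCESS_KEY, SECRET_KEY = "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REQUEST = {"method": "GET", "path": "/", "region": "us-east-1", "service": "ec2", "body": b"",
           "query": {"Action": "RunInstances", "ImageId": "ami-2bb65342", "MaxCount": "3", "MinCount": "1",
                     "Monitoring.Enabled": "true", "Placement.AvailabilityZone": "us-east-1a", "Version": "2015-10-01"},
           "headers": {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                       "Host": "ec2.amazonaws.com", "X-Amz-Date": "20130813T150211Z"}}
```

Changing any signed parameter (for example MaxCount) or using a different secret makes verify() return False, which is the integrity and authenticity property the Authentication slide describes.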
Foundational Services
• IAM
• Identity and Access Management
• User management, authorization, policies
• VPC
• Virtual Private Cloud
• Virtual networking
Identity&Access Mgmt
• By default, you are admin of your account
• Group / User/ Role
• Changbal / sangmin
• Role: gives code (rather than a person) access permissions
Identity&Access Mgmt: Authorization Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    }
  ]
}
Virtual Private Cloud
• Your own logical network
• Example VPC: 192.168.0.0/16
• Private subnets
• 192.168.0.0/24: Web server pool
• 192.168.1.0/24: DB server pool
• Public subnet
• Public / private IPs
• Route table, gateway, firewall, etc., all configured through the API
Client Tools
• Graphical interface
• AWS Console
• Third-party: http://ylastic.com/ ..
• Easy-to-use, but not very scalable
• Command line
• AWS CLI (yum install awscli)
• open source tools (euca2ools)
• works with orchestration, CI tools (chef, ansible, jenkins)
SDK
• Originally OSS community-driven
• jcloud, python-boto, ruby gem
• Lately, AWS actively owns them
• AWS SDK for JAVA, Ruby, .NET, JS, iOS, Android
• Open source
• Most popular: Python-boto, AWS SDK for JAVA
Demo time!
Startup idea? CatPics!
1: 3-tier Web App (diagram: Presentation (Apache), App Logic (Django), S3 bucket)
2: LoadBalancer/ScaleGroup (diagram: ELB in front of an Autoscale group of App Logic (Django) instances)
3: AutoScale with CloudWatch
Closed, feedback loop
4: Template for easy deploy (diagram: the same ELB and Autoscale group of App Logic (Django) instances, created by the CloudFormation Service)
Speakers? EC2 Container Service, Lambda