amazon web service - basics

AWS Basics Sang-Min Park

Upload: sang-min-park

Post on 24-Jan-2017


Category:

Technology



TRANSCRIPT

Page 1: Amazon Web Service - Basics

AWS Basics

Sang-Min Park

Page 2: Amazon Web Service - Basics

API and clients

• Well designed API made AWS successful

• Do you remember 2006?

• Community gathers around API

• Supports many programming languages and dev environments

• JAVA, PYTHON, RUBY, .NET, JS, etc…

Page 3: Amazon Web Service - Basics

Short history of API changes

• 2006: HTTP REST / SOAP for S3/EC2/SQS

• 2012: SigV4 Introduced

• 2014: SOAP deprecated

• ? : Deprecating SigV2

Page 4: Amazon Web Service - Basics

Current API: Query

w/ SigV4

Page 5: Amazon Web Service - Basics

HTTP REST

• Use HTTP VERB

• GET / PUT / POST / DELETE

• Don’t necessarily map to CRUD

• Query String

• http://delicious.com/post?url=http://domain.tld/&title=The title of a post

• HTTP Header

• HTTP Body

Page 6: Amazon Web Service - Basics

AWS Query API

• Use HTTP GET/POST

• Use HTTP Header, Query String, Body (POST)

• A request includes:

• Service Endpoint (ec2.amazonaws.com)

• API Action (RunInstances, CreateBucket, … )

• Action’s parameters (# of instances, Bucket name, …)

• Authentication Parameters

• A response includes:

• Code 200: action’s return data in XML (JSON for newer service, RAW data for S3)

• Code 40X: AuthFailure, InvalidAction, InvalidParameter, …

Page 7: Amazon Web Service - Basics

Query API

Using GET, auth info in Query Param

https://ec2.amazonaws.com/?Action=RunInstances
&ImageId=ami-2bb65342
&MaxCount=3
&MinCount=1
&Placement.AvailabilityZone=us-east-1a
&Monitoring.Enabled=true
&Version=2015-10-01
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130813%2Fus-east-1%2Fec2%2Faws4_request
&X-Amz-Date=20130813T150206Z
&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-date
&X-Amz-Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0194b84example54174deb456c

Content-type: application/json
host:ec2.amazonaws.com

Page 8: Amazon Web Service - Basics

Query API

Using GET, auth info in HTTP Header

Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Amz-Date: 20130813T150211Z
Host: ec2.amazonaws.com
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20130813/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0194b84example54174deb456c

http://ec2.amazonaws.com/?Action=RunInstances
&ImageId=ami-2bb65342
&MaxCount=3
&MinCount=1
&Monitoring.Enabled=true
&Placement.AvailabilityZone=us-east-1a
&Version=2015-10-01

Page 9: Amazon Web Service - Basics

Query API

Using POST (parameters in body)

POST /queue1 HTTP/1.1
Host: sqs.us-east-2.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=SendMessage
&MessageBody=Your+Message+Text
&Version=2012-11-05
&Expires=2011-10-15T12%3A00%3A00Z
&AUTHPARAMS

Page 10: Amazon Web Service - Basics

Authentication

• Credential: symmetric key (AWS keeps secret key)

• access key: “AKIAIOSFODNN7EXAMPLE”

• secret key: “wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY”

• Every request must have a “signature”

• to prove that you have a secret key (authenticity)

• to prove that the request was not altered (integrity)

Page 11: Amazon Web Service - Basics

SigV4 Signing

1. Generate a request (take hash)

2. Generate a string to sign

• hashed request + date + credential scope

3. Derive a signing key (v2 uses original key)

4. Sign the string using HMAC algorithm

5. Put credential + signature in Authorization header

Page 12: Amazon Web Service - Basics

SigV4 Signing

Step 1&2: generate a string to sign

Add date & scope

Hash

Page 13: Amazon Web Service - Basics

SigV4 Signing

Step 3&4: Derive key & signing

Derive

Sign

Page 14: Amazon Web Service - Basics

SigV4 Signing

Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Amz-Date: 20130813T150211Z
Host: ec2.amazonaws.com
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20130813/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0194b84example54174deb456c

http://ec2.amazonaws.com/?Action=RunInstances
&ImageId=ami-2bb65342
&MaxCount=3
&MinCount=1
&Monitoring.Enabled=true
&Placement.AvailabilityZone=us-east-1a
&Version=2015-10-01

Page 15: Amazon Web Service - Basics

SigV4 Signing

• How does AWS verify the request?

• AWS (server side) has your secret key!

• Lookup secret key using the access key in the request

• Generate a signature following the same steps

• Compare signatures
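
The five signing steps and the server-side check described on the slides above, as an added example (not code from the original deck or from AWS). It is simplified: every supplied header is signed and no timestamp freshness check is done; the function names and the `SECRETS` lookup table are assumptions, and the sample request is constructed from the example values on the slides.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
# Constructed sample request, reusing the example values shown on the slides.
SECRETS = {"AKIDEXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
QUERY = {"Action": "RunInstances", "ImageId": "ami-2bb65342", "MaxCount": "3",
         "MinCount": "1", "Version": "2015-10-01"}
HEADERS = {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
           "Host": "ec2.amazonaws.com", "X-Amz-Date": "20130813T150211Z"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(secret, access_key, region, service, method, path, query, headers, body):
    """Steps 1-5: return the Authorization header value for one request."""
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(hdrs))
    enc = lambda s: quote(s, safe="-_.~")
    canonical = "\n".join([                       # step 1: canonical request
        method, path,
        "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items())),
        "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs)),
        signed_headers, sha256_hex(body)])
    amz_date = hdrs["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join([ALGORITHM, amz_date, scope,   # step 2: string to sign
                         sha256_hex(canonical.encode())])
    key = ("AWS4" + secret).encode()              # step 3: derive signing key
    for part in scope.split("/"):                 # date, region, service, terminator
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()  # step 4
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "          # step 5
            f"SignedHeaders={signed_headers}, Signature={sig}")

def verify(secrets, authorization, method, path, query, headers, body):
    """Server side: look up the secret by access key, re-sign, compare."""
    try:
        fields = dict(f.strip().split("=", 1)
                      for f in authorization.split(" ", 1)[1].split(","))
        access_key, _date, region, service, _term = fields["Credential"].split("/")
        secret = secrets[access_key]
        expected = sign(secret, access_key, region, service,
                        method, path, query, headers, body)
    except (IndexError, KeyError, ValueError):
        return False                              # malformed header or unknown key
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(expected.encode(), authorization.encode())
```

Changing any signed parameter (for instance `MaxCount`) after signing makes `verify` return `False`, which is the integrity property the Authentication slide refers to.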

Page 16: Amazon Web Service - Basics

Foundational Services

• IAM

• Identity and Access Management

• User management, authorization, policies

• VPC

• Virtual Private Cloud

• Virtual networking

Page 17: Amazon Web Service - Basics

Identity&Access Mgmt

• By default, you are admin of your account

• Group / User / Role

• Changbal / sangmin

• Role: give codes the access permission

Page 18: Amazon Web Service - Basics

Identity&Access Mgmt

• Authorization Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    }
  ]
}

Page 19: Amazon Web Service - Basics

Virtual Private Cloud

• Your own logical network

• Example VPC: 192.168.0.0/16

• Private subnets

• 192.168.0.0/24: Web server pool

• 192.168.1.0/24: DB server pool

• Public subnet

• Public / private IPs

• Route table, gateway, firewall, etc, all through API

Page 20: Amazon Web Service - Basics
Page 21: Amazon Web Service - Basics

Client Tools

• Graphical interface

• AWS Console

• Third-party: http://ylastic.com/ ..

• Easy-to-use, but not very scalable

• Command line

• AWS CLI (yum install awscli)

• open source tools (euca2ools)

• works with orchestration, CI tools (chef, ansible, jenkins)

Page 22: Amazon Web Service - Basics

SDK

• Originally OSS community-driven

• jclouds, python-boto, ruby gem

• Lately, AWS actively owns them

• AWS SDK for JAVA, Ruby, .NET, JS, iOS, Android

• Open source

• Most popular: Python-boto, AWS SDK for JAVA

Page 23: Amazon Web Service - Basics

Demo time!

Page 24: Amazon Web Service - Basics

Startup idea?

CatPics!

Page 25: Amazon Web Service - Basics

1: 3-tier Web App

App Logic (Django)

Presentation (Apache)

S3 bucket

Page 26: Amazon Web Service - Basics

2: LoadBalancer/ScaleGroup

App Logic (Django)

ELB

App Logic (Django)

App Logic (Django)

App Logic (Django)

App Logic (Django)

Autoscale

Page 27: Amazon Web Service - Basics

3: AutoScale with CloudWatch

Closed, feedback loop

Page 28: Amazon Web Service - Basics

4: Template for easy deploy

App Logic (Django)

ELB

App Logic (Django)

App Logic (Django)

App Logic (Django)

App Logic (Django)

Autoscale

CloudFormation Service

Page 29: Amazon Web Service - Basics
Page 30: Amazon Web Service - Basics

Speakers?

EC2 Container Service Lambda