Dave Shuck

Reputation: 563

How to pass a client certificate/key from Node.JS AWS Lambda to a secure private REST API?

I am very new to AWS services, but have been tasked with making a request to a REST API that is secured with 2-way SSL certificates, passing a cert (.CRT) file and Key (.KEY) file to the endpoint as part of the call. I have successfully called the service using curl and passing these, but am stumped on how to apply the same logic to a Lambda. I have a Lambda working in which I am calling a public API, triggering it through an AWS API Gateway, and I would like to modify it to make the secure call.

Has anyone done this? Where should the CRT/KEY files be stored? How would they be brought in, called, and added to the REST call? Does anyone have an example they could share?

Any advice on these points would be very welcome. Thank you in advance.

Upvotes: 0

Views: 1777

Answers (1)

hvaughan3

Reputation: 11105

I went with AWS Secrets Manager to store my certificate public and private key as text. I converted my certificate to a PEM file and opened it in a text file to get the contents, then copied the private key text and pasted them both together in a single file (see bottom of answer for format).

You can get the cert value out of Secrets Manager, and then how you pass the certificate as part of the API call depends on the REST library you are using. For axios, you can attach your certificate text onto httpsAgent like so:

const https = require('https')
const axios = require('axios')

// url, method, params, data and headers are assumed to be defined already;
// this runs inside an async function (top-level await is not available in CommonJS)
const axiosConfig = {
  url,
  method,
  params,
  data,
  headers,
  // object-literal property, so ':' rather than '=' (the '=' form is a syntax error)
  httpsAgent: new https.Agent({
    cert: 'Cert Text',          // PEM-encoded client certificate (chain) as a string
    key: 'Cert Key',            // PEM-encoded private key as a string
    passphrase: 'Cert Password' // only needed when the private key is encrypted
    // note: Node's TLS options have no 'certType'; PEM is the format expected here,
    // so the curl-style 'certType: perm' line has been dropped
  })
}

const instance = axios.create()

const response = await instance(axiosConfig)

In my case, I included the public and private key in my certificate text, including the full chain, and passed the same value into both cert and key above. That is probably not the right way, but it worked for me. My cert text looks like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
abcdefghijk12345
...
-----END ENCRYPTED PRIVATE KEY-----
subject=CN=***, OU=***, O=***, C=**
issuer=****, OU=***, O=***, C=**
-----BEGIN CERTIFICATE-----
abcdefghijk12345
...
-----END CERTIFICATE-----
subject=CN=***, OU=***, O=***, C=**
issuer=****, OU=***, O=***, C=**
-----BEGIN CERTIFICATE-----
abcdefghijk12345
...
-----END CERTIFICATE-----

Upvotes: 1
