I. Background
Let users view (download) files in S3 without handing out an access key / secret key (AK/SK): API Gateway fronts the bucket, a Lambda authorizer checks a credential, and an IAM role that only API Gateway can assume does the actual S3 read.
II. Create the API
1. Open API Gateway, click Create API and choose REST API.
Difference between REST API and HTTP API (from the AWS documentation):
REST APIs and HTTP APIs are both RESTful API products. REST APIs support more features than HTTP APIs, while HTTP APIs are designed with minimal features so that they can be offered at a lower price. Choose REST APIs if you need features such as API keys, per-client throttling, request validation, AWS WAF integration, or private API endpoints. Choose HTTP APIs if you don't need the features included with REST APIs.
For this use case the choice is forced anyway: the direct AWS-service integration with S3 used below is only available on REST APIs (HTTP APIs offer Lambda, HTTP and a short list of other AWS service integrations, not S3).
2. Set the API name and choose the endpoint type.
Endpoint types (from the AWS documentation):
Regional (REGIONAL): intended for clients in the same region. When a client running on an EC2 instance calls an API in the same region, or when an API serves a small number of high-demand clients, a regional API reduces connection overhead.
Edge-optimized (EDGE): best for geographically distributed clients. API requests are routed to the nearest CloudFront point of presence (POP). This is the default endpoint type for API Gateway REST APIs.
Private (PRIVATE): an API endpoint that can only be accessed from an Amazon Virtual Private Cloud (VPC) through an interface VPC endpoint, which is an endpoint network interface (ENI) you create in your VPC.
III. Configure the API
1. Open the API you just created, go to the Resources page and create a resource and a method.
1.1 Create a resource: / is the root; right-click it and choose Create Resource.
1.2 Create a method: the API downloads a file from S3, so choose GET.
1.3 Click the new method and open Integration Request.
1.4 Configure the integration:
Integration type: AWS Service
AWS Region: (the region of the bucket)
AWS Service: S3
AWS Subdomain: (leave empty)
HTTP method: GET
Action type: Use path override
Path override (optional): {bucket}/{object}
Execution role: the ARN of an IAM role that API Gateway assumes for the integration. Its trust policy must allow apigateway.amazonaws.com, and it should grant nothing beyond s3:GetObject on the bucket(s) you intend to serve. Because the caller supplies {bucket} in the URL, this role's permissions are the only thing that bounds which buckets the API can read from.
Parts of the path override can also be hard-coded, for example a fixed bucket name with only {object} taken from the request. That is the safer variant, since callers can then no longer choose a bucket. Note that a plain {object} parameter matches a single path segment, so keys containing "/" need either nested resources (as the CloudFormation template at the end does) or a greedy path resource ({object+}).
In the URL path parameters section below, map each integration path parameter to its method path parameter (integration.request.path.bucket from method.request.path.bucket, integration.request.path.object from method.request.path.object).
2. Settings
Scroll to the bottom of the API's Settings page and add */* under Binary Media Types; without it API Gateway treats the S3 response as text and corrupts binary objects.
Content-Encoding can be adjusted as needed.
The REST API payload quota is 10 MB and cannot be raised, so objects larger than that cannot be downloaded through this API.
IV. Add an authorizer
1. Create a Lambda function to act as the authorizer; choose the Node.js 16.x runtime.
The code is below: when the account and password headers match the expected values the request is allowed, otherwise it is rejected and API Gateway returns 401. Keep in mind what this is: a static shared secret sent on every request. The invoke URL is HTTPS, so it is protected in transit, but the function must not log it, and the expected values belong in environment variables or Secrets Manager rather than in the function source.
exports.handler = function(event, context, callback) {
    // Do not log the whole event: event.headers contains the password header
    // and the line would end up in CloudWatch Logs.
    console.log('Received request for', event.methodArn);

    // For a REQUEST authorizer the client's headers arrive in event.headers.
    // event.queryStringParameters, event.pathParameters and
    // event.stageVariables are also available but are not used here.
    var headers = event.headers || {};

    // Expected credentials; left blank as placeholders in the original post.
    // Prefer process.env or Secrets Manager over values in source code.
    var expectedAccount = "";
    var expectedPassword = "";

    if (headers.account === expectedAccount
        && headers.password === expectedPassword) {
        // Allow only the method that was invoked (event.methodArn). With
        // authorizer caching enabled this policy would be reused for other
        // methods and deny them, so keep caching off or widen Resource.
        callback(null, generateAllow('me', event.methodArn));
    } else {
        // The string "Unauthorized" makes API Gateway return 401;
        // callback(null, generateDeny(...)) would return 403 instead.
        callback("Unauthorized");
    }
};

// Helper to build the IAM policy document API Gateway expects back
var generatePolicy = function(principalId, effect, resource) {
    var authResponse = {};
    authResponse.principalId = principalId;
    if (effect && resource) {
        var policyDocument = {};
        policyDocument.Version = '2012-10-17';
        policyDocument.Statement = [];
        var statementOne = {};
        statementOne.Action = 'execute-api:Invoke';
        statementOne.Effect = effect;
        statementOne.Resource = resource;
        policyDocument.Statement[0] = statementOne;
        authResponse.policyDocument = policyDocument;
    }
    // Optional context (String, Number or Boolean values) that the
    // integration can read as $context.authorizer.<key>.
    // Never copy the password into it.
    authResponse.context = {
        "account": principalId
    };
    return authResponse;
};

var generateAllow = function(principalId, resource) {
    return generatePolicy(principalId, 'Allow', resource);
};

var generateDeny = function(principalId, resource) {
    return generatePolicy(principalId, 'Deny', resource);
};
2. Create the authorizer
Authorizer name: any name
Type: Lambda
Lambda function: the name of the function created above
Lambda invoke role: a role API Gateway assumes to call the function; it can be left empty when the function's resource-based policy grants apigateway.amazonaws.com lambda:InvokeFunction (the console offers to add that permission for you)
Lambda event payload: Request
Identity sources: Header; add account and password. API Gateway checks that both headers are present and non-empty before invoking the function and returns 401 by itself otherwise.
Authorization caching: disabled. If caching is enabled, the identity source values become the cache key and the returned policy is reused for the TTL, which matters because the function above only allows the exact methodArn that was called.
V. Attach the authorizer to the method
Under the resource path, open Method Request of the method that should use the authorizer.
Authorization: select the authorizer configured above
Request validator: none
API key required: no
HTTP request headers: add account and password
VI. Deploy the API
Once the configuration is complete, right-click the root resource, choose Deploy API, select a deployment stage and click Deploy.
Note: changes to resources, methods or authorizer settings only take effect after the API is deployed again.
VII. Test the API
Two ways to test: (1) Postman, (2) Python.
Copy the invoke URL of the deployed stage.
1. Postman
Open Postman, create a GET request, paste the invoke URL and append the S3 location of the object to download (for the {bucket}/{object} resource: <invoke URL>/<bucket>/<key>), add the account and password headers, and click Send; the response appears below.
2. Python code
import requests


def call_get_api(url, headers):
    # The invoke URL is HTTPS, so the credential headers are encrypted in transit.
    # Always set a timeout so a stalled download cannot hang the caller.
    return requests.get(url=url, headers=headers, timeout=60)


def download_s3(bucket, key, local_file):
    # API Gateway invoke URL of the deployed stage,
    # e.g. https://<api-id>.execute-api.<region>.amazonaws.com/<stage>
    api_url = ""
    # The resource was created as {bucket}/{object}, so bucket and key are
    # appended as path segments (with a single {object} parameter the key
    # must not contain "/")
    url = api_url.rstrip("/") + "/" + bucket + "/" + key.lstrip("/")
    # Credentials checked by the Lambda authorizer
    headers = {"account": "", "password": ""}
    res = call_get_api(url, headers)
    if res.status_code == 200:
        # Write the raw bytes; going through res.text and .encode() would
        # corrupt any non-UTF-8 (binary) object
        with open(local_file, "wb") as f:
            f.write(res.content)
        print(f"saved {len(res.content)} bytes to {local_file}")
    else:
        # 401/403 come from the authorizer, 403/404 are S3 errors passed
        # through the integration
        print(res.status_code, res.text)


if __name__ == "__main__":
    # s3 object
    bucket = ""
    key = ""
    # local file name
    local_file = ""
    download_s3(bucket, key, local_file)
VIII. Create the API with CloudFormation
The same API as a YAML template. Differences from the console walkthrough: the resource tree is fixed at four levels, {folder}/{tablename}/{partition}/{filename}, mapped onto the s3:path/ form of the integration URI, where the first segment is the bucket name, so callers request <invoke URL>/v1/<bucket>/<tablename>/<partition>/<filename>. The role iamr-replication-* serves both as the authorizer credentials (it needs lambda:InvokeFunction on the authorizer function) and as the S3 integration credentials (it needs s3:GetObject on the buckets that may be served). The GET at each level is passed straight to S3 with that role's permissions; a GET on the bucket segment alone is an S3 list request, so grant s3:ListBucket only if listing is intended. CloudFormation substitutes ${...} only inside !Sub, so every value that refers to a pseudo parameter or template parameter is wrapped in !Sub.
AWSTemplateFormatVersion: '2010-09-09'
Description: Template to provision an API Gateway REST API that downloads files from S3
Parameters:
  Region:
    Description: 'Specify the Region for resource.'  # not referenced by the resources below
    Type: String
    Default: ase1
  Iteration:
    Type: String
    Description: 'Specify the Iteration for Lambda.'
    Default: '001'
  S3Iteration:
    Type: String
    Description: 'Specify the Iteration for S3'  # not referenced by the resources below
    Default: '001'
  IAMIteration:
    Type: String
    Description: 'Specify the Iteration for IAM roles.'
    Default: '001'
Resources:
  ApigatewayRestAPI:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: !Sub api-downloads3-${Iteration}
      # Treat every response as binary so objects are passed through unchanged
      BinaryMediaTypes:
        - "*/*"
      Description: create api to download file from s3
      EndpointConfiguration:
        Types:
          - REGIONAL
  ApigatewayAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      # Role API Gateway assumes to invoke the authorizer function
      AuthorizerCredentials: !Sub "arn:aws:iam::${AWS::AccountId}:role/iamr-replication-${IAMIteration}"
      # 0 disables result caching, matching the console setting above
      AuthorizerResultTtlInSeconds: 0
      AuthorizerUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:lamb-apigw-authorizer-${Iteration}/invocations"
      Type: REQUEST
      AuthType: custom
      RestApiId: !Ref ApigatewayRestAPI
      Name: auth-request
      IdentitySource: method.request.header.account,method.request.header.password
  # /{folder}  (first path segment = bucket name in the s3:path/ URI form)
  ApigatewayResourceFolder:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref ApigatewayRestAPI
      PathPart: "{folder}"
      ParentId: !GetAtt ApigatewayRestAPI.RootResourceId
  ApigatewayMethodFolder:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizerId: !Ref ApigatewayAuthorizer
      AuthorizationType: CUSTOM
      RequestParameters:
        method.request.path.folder: true
        method.request.header.account: true
        method.request.header.password: true
      HttpMethod: GET
      MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: Empty
      RestApiId: !Ref ApigatewayRestAPI
      ResourceId: !Ref ApigatewayResourceFolder
      Integration:
        Type: AWS
        # Role API Gateway assumes for the S3 call; scope it to the served buckets
        Credentials: !Sub "arn:aws:iam::${AWS::AccountId}:role/iamr-replication-${IAMIteration}"
        IntegrationHttpMethod: GET
        IntegrationResponses:
          - StatusCode: 200
        PassthroughBehavior: WHEN_NO_MATCH
        Uri: !Sub "arn:aws:apigateway:${AWS::Region}:s3:path/{folder}"
        RequestParameters:
          integration.request.path.folder: method.request.path.folder
  # /{folder}/{tablename}
  ApigatewayResourceTablename:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref ApigatewayRestAPI
      PathPart: "{tablename}"
      ParentId: !Ref ApigatewayResourceFolder
  ApigatewayMethodTablename:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizerId: !Ref ApigatewayAuthorizer
      AuthorizationType: CUSTOM
      RequestParameters:
        method.request.path.folder: true
        method.request.path.tablename: true
        method.request.header.account: true
        method.request.header.password: true
      HttpMethod: GET
      MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: Empty
      RestApiId: !Ref ApigatewayRestAPI
      ResourceId: !Ref ApigatewayResourceTablename
      Integration:
        Type: AWS
        Credentials: !Sub "arn:aws:iam::${AWS::AccountId}:role/iamr-replication-${IAMIteration}"
        IntegrationHttpMethod: GET
        IntegrationResponses:
          - StatusCode: 200
        PassthroughBehavior: WHEN_NO_MATCH
        Uri: !Sub "arn:aws:apigateway:${AWS::Region}:s3:path/{folder}/{tablename}"
        RequestParameters:
          integration.request.path.folder: method.request.path.folder
          integration.request.path.tablename: method.request.path.tablename
  # /{folder}/{tablename}/{partition}
  ApigatewayResourcePartition:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref ApigatewayRestAPI
      PathPart: "{partition}"
      ParentId: !Ref ApigatewayResourceTablename
  ApigatewayMethodPartition:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizerId: !Ref ApigatewayAuthorizer
      AuthorizationType: CUSTOM
      RequestParameters:
        method.request.path.folder: true
        method.request.path.tablename: true
        method.request.path.partition: true
        method.request.header.account: true
        method.request.header.password: true
      HttpMethod: GET
      MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: Empty
      RestApiId: !Ref ApigatewayRestAPI
      ResourceId: !Ref ApigatewayResourcePartition
      Integration:
        Type: AWS
        Credentials: !Sub "arn:aws:iam::${AWS::AccountId}:role/iamr-replication-${IAMIteration}"
        IntegrationHttpMethod: GET
        IntegrationResponses:
          - StatusCode: 200
        PassthroughBehavior: WHEN_NO_MATCH
        Uri: !Sub "arn:aws:apigateway:${AWS::Region}:s3:path/{folder}/{tablename}/{partition}"
        RequestParameters:
          integration.request.path.folder: method.request.path.folder
          integration.request.path.tablename: method.request.path.tablename
          integration.request.path.partition: method.request.path.partition
  # /{folder}/{tablename}/{partition}/{filename}
  ApigatewayResourceFilename:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref ApigatewayRestAPI
      PathPart: "{filename}"
      ParentId: !Ref ApigatewayResourcePartition
  ApigatewayMethodFilename:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizerId: !Ref ApigatewayAuthorizer
      AuthorizationType: CUSTOM
      RequestParameters:
        method.request.path.folder: true
        method.request.path.tablename: true
        method.request.path.partition: true
        method.request.path.filename: true
        method.request.header.account: true
        method.request.header.password: true
      HttpMethod: GET
      MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: Empty
      RestApiId: !Ref ApigatewayRestAPI
      ResourceId: !Ref ApigatewayResourceFilename
      Integration:
        Type: AWS
        Credentials: !Sub "arn:aws:iam::${AWS::AccountId}:role/iamr-replication-${IAMIteration}"
        IntegrationHttpMethod: GET
        IntegrationResponses:
          - StatusCode: 200
        PassthroughBehavior: WHEN_NO_MATCH
        Uri: !Sub "arn:aws:apigateway:${AWS::Region}:s3:path/{folder}/{tablename}/{partition}/{filename}"
        RequestParameters:
          integration.request.path.folder: method.request.path.folder
          integration.request.path.tablename: method.request.path.tablename
          integration.request.path.partition: method.request.path.partition
          integration.request.path.filename: method.request.path.filename
  ApigatewayDeploymentv1:
    Type: AWS::ApiGateway::Deployment
    # A deployment snapshots the methods that exist when it is created,
    # so it has to wait for all of them, not only the deepest one
    DependsOn:
      - ApigatewayMethodFolder
      - ApigatewayMethodTablename
      - ApigatewayMethodPartition
      - ApigatewayMethodFilename
    Properties:
      RestApiId: !Ref ApigatewayRestAPI
      StageName: v1
  # Lets this API's authorizer (and nothing else) invoke the Lambda function
  PermissionToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Sub lamb-apigw-authorizer-${Iteration}
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApigatewayRestAPI}/authorizers/${ApigatewayAuthorizer}"
Outputs:
  RootResourceId:
    Value: !GetAtt ApigatewayRestAPI.RootResourceId
  AuthorizerId:
    Value: !GetAtt ApigatewayAuthorizer.AuthorizerId
到了這里,關(guān)于【AWS】API Gateway創(chuàng)建Rest API--從S3下載文件的文章就介紹完了。如果您還想了解更多內(nèi)容,請在右上角搜索TOY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章,希望大家以后多多支持TOY模板網(wǎng)!