This is an implementation of a TVM delivering temporary and restricted tokens to access various cloud services. Users authenticate to the TVM with their Adobe I/O Runtime (a.k.a OpenWhisk) credentials and are only authorized to access their own resources.
curl -H "Authorization: ${AUTH}" "https://adobeio.adobeioruntime.net/apis/tvm/azure/blob/${NAMESPACE}"
-
Endpoints:
- Get AWS S3 token:
https://adobeio.adobeioruntime.net/apis/tvm/aws/s3/${owNamespace}
- Get Azure Blob token:
https://adobeio.adobeioruntime.net/apis/tvm/azure/blob/${owNamespace}
- Get Azure Cosmos token:
https://adobeio.adobeioruntime.net/apis/tvm/azure/cosmos/${owNamespace}
- Get AWS S3 token:
-
For each of the above endpoints applies:
- HTTP method is GET
- OpenWhisk auth key must be passed in
Authorization
header - OpenWhisk namespace must be passed in the url path
-
Deprecated:
- Get AWS S3 token
https://adobeioruntime.net/api/v1/web/adobeio/tvm/get-s3-upload-token
is still accessible (POST and GET) with params{"owAuth": "<myauth>", "owNamespace": "<mynamespace>"}
- Get AWS S3 token
You want to share a cloud service that you own (e.g 1 S3 account) with a set of OpenWhisk namespaces and you want to make sure that each namespace has access only to the resources they own (e.g can only see their S3 blobs).
This might be useful for you if:
- You have multiple Adobe I/O Runtime namespaces and you need them to access a cloud service but you don't want to use the one exposed by Adobe's TVM
- You are an OpenWhisk provider and want to provide an easy access to an external cloud service (e.g. storage)
npm install
-
.env
:AIO_RUNTIME_APIVERSION=v1 AIO_RUNTIME_APIHOST=https://adobeioruntime.net AIO_RUNTIME_NAMESPACE=<deployment_ns> AIO_RUNTIME_AUTH=<deployment_auth_ns> EXPIRATION_DURATION=<token expiration in seconds> WHITELIST=<comma separated list of namespaces> AWS_ACCESS_KEY_ID=<key id of IAM user created in AWS> AWS_SECRET_ACCESS_KEY=<secret of IAM user created in AWS> S3_BUCKET=<MY_BUCKET> AZURE_STORAGE_ACCOUNT=<storage account name> AZURE_STORAGE_ACCESS_KEY=<storage access key> AZURE_COSMOS_ACCOUNT=<cosmosdb account name> AZURE_COSMOS_MASTER_KEY=<cosmosdb master key> AZURE_COSMOS_DATABASE_ID=<cosmosdb database name> AZURE_COSMOS_CONTAINER_ID=<cosmosdb database name> # for functional tests only TEST_NAMESPACE_1=<test ns 1> TEST_AUTH_1=<test auth 1> TEST_NAMESPACE_2=<test ns 2> TEST_AUTH_2=<test auth ns 2>
-
Use the
WHITELIST
variable to control which namespace can access the TVM and hence who can deploy files to your S3 Bucket.- [
⚠️ NOT RECOMMENDED⚠️ ] UseWHITELIST=*
to allow access to every OpenWhisk namespace in the same domain.
- [
- Create a storage account
- Retrieve the access key
- Fill
AZURE_STORAGE_*
variables in.env
- Create a cosmos account
- Click on
+ Add Container
:- specify a database name
- specify a container name
- specify a partitionKey: call it
/partitionKey
=> the name is important - create the container
- Configure the newly created container to have ttl set to on
- Retrieve the account master key and set
AZURE_COSMOS_MASTER_KEY
-
Create a Bucket in S3 for your app
-
Create an IAM user with the following IAM policy in AWS (replace
MY_BUCKET
with your app bucket name):{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowTokenDelivery", "Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*" }, { "Sid": "AllowS3", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::MY_BUCKET/*", "arn:aws:s3:::MY_BUCKET" ] } ] }
-
Configure the
.env
file, see config
npm run deploy
will deploy all TVM endpoints to the OpenWhisk namespace configured in.env
npm run undeploy
npm run release
will run tests, bump up the version and deploy all TVM endpoints to the OpenWhisk namespace configured in.env
.- note: this command will run functional tests and will need you to have additional OpenWhisk test namespaces setup up in your
.env
(see config)
Contributions are welcomed! Read the Contributing Guide for more information.
This project is licensed under the Apache V2 License. See LICENSE for more information.