DEV Community: Lukas Fruntke The latest articles on DEV Community by Lukas Fruntke (@lukvonstrom). https://dev.to/lukvonstrom https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4196%2Fcf345f56-4c00-460d-92c7-c0bdcf6ae6f5.jpg DEV Community: Lukas Fruntke https://dev.to/lukvonstrom en Best practices for using AWS StepFunctions Lukas Fruntke Sat, 22 Jan 2022 23:30:21 +0000 https://dev.to/lukvonstrom/best-practices-for-using-aws-stepfunctions-2io https://dev.to/lukvonstrom/best-practices-for-using-aws-stepfunctions-2io <p>In this post you will learn some of the best patterns/tricks I have learned during my time creating Step Functions workflows, while working with clients at Accenture.</p> <h2> Table of contents (clickable) </h2> <ul> <li>Make use of the Step Functions Workflow Studio</li> <li>Utilize the service integrations</li> <li>Use <code>.waitForTaskToken</code> </li> <li>Make use of the inbuilt retries</li> <li>Utilize Heartbeats to fail fast</li> <li>Define a Catch Handler</li> <li>Further reading</li> </ul> <h2> Make use of the Step Functions Workflow Studio </h2> <p>Since it has been <a href="https://aws.amazon.com/de/blogs/aws/new-aws-step-functions-workflow-studio-a-low-code-visual-tool-for-building-state-machines/" rel="noopener noreferrer">introduced in June</a> Step Functions Workflow Studio proved its value to me several times. As its a low-code editor with the most common configurations already baked-in, the effort of writing/designing a workflow with <a href="https://states-language.net/" rel="noopener noreferrer">Amazon States Language</a> plummeted. Those minutes and hours handwriting workflows with 100 lines++ are finally over for good, which is something you must not ignore when dealing with Step Functions. </p> <p>As visualized below, the option to create a workflow from scratch in Workflow Studio directly is already present:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flukvonstrom.github.io%2Fimages%2Fstepfunc-article%2Fchoose-authoring-method.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flukvonstrom.github.io%2Fimages%2Fstepfunc-article%2Fchoose-authoring-method.jpg" alt="Step Functions creation"></a></p> <p>As is the option to edit pre-existing workflows directly in Step Functions:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flukvonstrom.github.io%2Fimages%2Fstepfunc-article%2Fedit-workflow.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flukvonstrom.github.io%2Fimages%2Fstepfunc-article%2Fedit-workflow.jpg" alt="Step Functions edit"></a></p> <h2> Utilize the service integrations </h2> <p>While AWS offers some 17 "optimized" service integrations (for the definitive list see <a href="https://docs.aws.amazon.com/step-functions/latest/dg/connect-supported-services.html" rel="noopener noreferrer">here</a>), that include different custom options of integrating with the specific services, AWS has released an option to call the APIs of nearly all AWS services directly, as described in <a href="https://aws.amazon.com/blogs/aws/now-aws-step-functions-supports-200-aws-services-to-enable-easier-workflow-automation/" rel="noopener noreferrer">this article</a>. This allows you to scrap some of the utility lambdas one uses to add much-needed functionality-augmentation to a service and go with Step Function instead.</p> <h2> Use <code>.waitForTaskToken</code> </h2> <p>By using <code>.waitForTaskToken</code>, you are able to transparently pause the workflow, until a task like a lambda function has finished executing. </p> <p>Be aware, that you need to specify the Task Token in the payload for the lambda, as Step Function does not inject it automatically for you.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flukvonstrom.github.io%2Fimages%2Fstepfunc-article%2Fenable-waitForTaskToken.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flukvonstrom.github.io%2Fimages%2Fstepfunc-article%2Fenable-waitForTaskToken.jpg" alt="Screenshot of waitForTaskToken"></a></p> <h3> Example </h3> <p> code example <br> This example shows how to send the task token for success/failure back to Step Functions via AWS JS SDK v3.<br> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">SFNClient</span><span class="p">,</span> <span class="nx">SendTaskFailureCommand</span><span class="p">,</span> <span class="nx">SendTaskSuccessCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-sfn</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SFNClient</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">success</span><span class="p">(</span><span class="nx">taskToken</span><span class="p">,</span> <span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stepFunctionsCommand</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SendTaskSuccessCommand</span><span class="p">({</span> <span class="nx">taskToken</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="nx">input</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">stepFunctionsCommand</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">failure</span><span class="p">(</span><span class="nx">taskToken</span><span class="p">,</span> <span class="nx">cause</span><span class="p">,</span> <span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stepFunctionsCommand</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SendTaskFailureCommand</span><span class="p">({</span> <span class="nx">taskToken</span><span class="p">,</span> <span class="nx">cause</span><span class="p">,</span> <span class="nx">error</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">stepFunctionsCommand</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">main</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">success</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">MyTaskToken</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">requestId</span><span class="p">,</span> <span class="nx">cfId</span><span class="p">,</span> <span class="nx">extendedRequestId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">error</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">;</span> <span class="k">await</span> <span class="nf">failure</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">MyTaskToken</span><span class="p">,</span> <span class="p">{</span> <span class="nx">requestId</span><span class="p">,</span> <span class="nx">cfId</span><span class="p">,</span> <span class="nx">extendedRequestId</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> </p> <h2> Utilize Heartbeats to fail fast </h2> <p>As StepFunctions can run for up to a year (at least Standard workflows) it is imperative to avoid stuck executions. One way of doing this when integrating with Lambda is the Heartbeat API and specification. This allows developers to specify a max-interval, in which the Heartbeat has to be send back to Step Functions. Failure to meet this deadline leads to termination of the task.</p> <h3> Example </h3> <p> code example <br> In the following example a task is specified with a max-heartbeat duration of 10 minutes.<br> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:states:::lambda:invoke"</span><span class="p">,</span><span class="w"> </span><span class="nl">"HeartbeatSeconds"</span><span class="p">:</span><span class="w"> </span><span class="mi">600</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This code-example shows how to send back a heartbeat with AWS JS SDK v3.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">SFNClient</span><span class="p">,</span> <span class="nx">SendTaskHeartbeatCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-sfn</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SFNClient</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">heartbeat</span><span class="p">(</span><span class="nx">taskToken</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stepFunctionsCommand</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SendTaskHeartbeatCommand</span><span class="p">({</span> <span class="nx">taskToken</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">stepFunctionsCommand</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">main</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">heartbeat</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">MyTaskToken</span><span class="p">)</span> <span class="c1">// some expensive calculation</span> <span class="k">await</span> <span class="nf">heartbeat</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">MyTaskToken</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <br> </p> <h2> Define a Catch Handler </h2> <h3> Rationale </h3> <p>To quote Werner Vogels, Amazon CTO:</p> <blockquote> <p>everything fails, all the time</p> </blockquote> <p>Be prepared for the wildly different and sometimes unexpected errors the AWS APIs can throw, by catching them like you would in a lambda function (if you don't do that we are having a whoole different conversation).</p> <h3> Example </h3> <p>In this pretty simple example, the catch block is used on a lambda task. It works on the other tasks as well. This example uses a catch-all error code, for other error codes see <a href="https://states-language.net/spec.html#appendix-a" rel="noopener noreferrer">here</a>.</p> <p>As it is usually a good idea to get notified when an error occurs, this example publishes to a SNS topic, which may have an email subscription. I'd reccomend to use this only for <em>really critical</em> errors, as you may otherwise miss important errors in your then-cluttered inbox.</p> <p> code example <br><br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flukvonstrom.github.io%2Fimages%2Fstepfunc-article%2Fsample-retrier.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flukvonstrom.github.io%2Fimages%2Fstepfunc-article%2Fsample-retrier.png" alt="Catch flow"></a><br> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Invoke Lambda Task"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="p">[</span><span class="err">..</span><span class="p">]</span><span class="w"> </span><span class="nl">"Catch"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ErrorEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"States.ALL"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Next"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SNS Publish"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="p">[</span><span class="err">..</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"SNS Publish"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:states:::sns:publish"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Message.$"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Next"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Fail"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Fail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Fail"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> </p> <h2> Make use of the inbuilt retries </h2> <p>Instead of catching errors and terminating the flow then, one might as well use retries to try recovery from an error or to await a desired state. One may use this for example to await results from APIs similar to those of a Glue Crawler, which need repeated polling and potentially exponential backoff.</p> <h3> Example </h3> <p> code example <p>In this example a retry from specific Lambda exceptions is shown. The <code>IntervalSeconds</code> parameter defines an initial offset, which has to pass before the first retry is attempted. The <code>BackoffRate</code> parameter specifies the duration-multiplier which is applied after each unsuccessful attempt. Step Functions will retry after 2,4,8,16,32,64 seconds, limited by the <code>MaxAttempts</code> parameter of 6.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Invoke Lambda Task"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="p">[</span><span class="err">..</span><span class="p">]</span><span class="w"> </span><span class="nl">"Retry"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ErrorEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"Lambda.ServiceException"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Lambda.AWSLambdaException"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Lambda.SdkClientException"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"IntervalSeconds"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"MaxAttempts"</span><span class="p">:</span><span class="w"> </span><span class="mi">6</span><span class="p">,</span><span class="w"> </span><span class="nl">"BackoffRate"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="p">[</span><span class="err">..</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <br> </p> <h2> Further reading </h2> <p>A nice paper by López et al. from 2018 compares the various orchestration platforms of the different hyperscalers: <br> DOI - <a href="https://dx.doi.org/10.1109/UCC-Companion.2018.00049" rel="noopener noreferrer">10.1109/UCC-Companion.2018.00049</a><br> ArXiv - <a href="https://arxiv.org/abs/1807.11248" rel="noopener noreferrer">arXiv:1807.11248</a><br> Be aware though, that the services developed over the course of the three years since than, so it's an excercise to the reader to recognize, how far Step Functions has come since then.</p> <p>Header image by <a href="https://www.pexels.com/de-de/@gabrielsantosfotografia?utm_content=attributionCopyText&amp;utm_medium=referral&amp;utm_source=pexels" rel="noopener noreferrer">Gabriel Santos Fotografia</a> via <a href="https://www.pexels.com/de-de/foto/mann-der-auf-der-buhne-auftritt-2102568/?utm_content=attributionCopyText&amp;utm_medium=referral&amp;utm_source=pexels" rel="noopener noreferrer">Pexels</a></p> aws serverless bestpractices Creating an AWS Private Certificate Root Authority with Lambda and Node.js Lukas Fruntke Fri, 29 Nov 2019 09:11:31 +0000 https://dev.to/lukvonstrom/creating-an-aws-private-certificate-root-authority-with-lambda-and-node-js-4lee https://dev.to/lukvonstrom/creating-an-aws-private-certificate-root-authority-with-lambda-and-node-js-4lee <p>According to the <a href="https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf" rel="noopener noreferrer">Security Perspective</a> of the AWS Cloud Adoption Framework, Data has to be safeguarded during its transit. <br> While it is a common practice to terminate the HTTPS traffic at the Application Load Balancer and forward it to the Application via HTTP, this does not ensure a continuous encryption of possible sensitive data.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Few2hx584phn79lrcxza1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Few2hx584phn79lrcxza1.png" alt="The very common architecture pattern of terminating a SSL Connection"></a><br> When implementing End-to-End encryption in order to protect the data in transit between the Application Load Balancer and the Application, two alternatives need to be considered: </p> <ol> <li>Passing the HTTPS traffic to the Application, where the private key is available too. This has the downside, that the AWS Certificate Manager does not allow the export of private keys, therefore another solution would be needed to store the private key. </li> <li>Using the AWS Certificate Authority as a Root Authority to sign own certificates for the communication between Application Load Balancer and the Application. Although there is quite a pricetag attached to this solution - 400$ per month per running Certificate Authority and 0,75$ per certificate for the fist thousand certificates - it is AWS native and does not need any creative way of storing the private certificate.</li> </ol> <p>In this blog post the second alternative was chosen - using the Private Certificate Authority to generate the certificates for the communication between ALB and the Application.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F7shqtlq2efm5lmpeji8f.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F7shqtlq2efm5lmpeji8f.png" alt="Adding AWS Certificate Manager - Private Certificate Authority to the picture"></a></p> <p>To automate the process of creating the Private Certificate Authority and issuing a certificate, a Lambda function written in JavaScript is utilized here. In the process, a mixture of AWS PCA API calls and OpenSSL calls are used. As AWS Lambda removed the OpenSSL binaries from recent Node.JS Lambda Runtimes, Node.JS 8.10 has to be used, which will reach its End of Life at the 31st December 2019. Therefore, the OpenSSL binary will need to be added as a Lambda Layer if the function is used in 2020. This is pretty straightforward, one just needs to spin up an EC2 instance and zip the executable with the correct permissions and in the folder <code>bin</code>, upload it as a Layer and reconfigure the function to use it.</p> <p>Creating a PCA with the aws-sdk is pretty straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pca</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">ACMPCA</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">createCA</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">caParams</span> <span class="o">=</span> <span class="p">{</span> <span class="na">CertificateAuthorityConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">KeyAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RSA_2048</span><span class="dl">"</span><span class="p">,</span> <span class="na">SigningAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA256WITHRSA</span><span class="dl">"</span><span class="p">,</span> <span class="na">Subject</span><span class="p">:</span> <span class="p">{</span> <span class="na">Country</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DE</span><span class="dl">'</span><span class="p">,</span> <span class="na">Organization</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SPIRIT21</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">},</span> <span class="na">CertificateAuthorityType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ROOT</span><span class="dl">"</span><span class="p">,</span> <span class="na">RevocationConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">CrlConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">Enabled</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">CertificateAuthorityArn</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">createCertificateAuthority</span><span class="p">(</span><span class="nx">caParams</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>It takes some time, until the creation is done, so the <code>waitFor()</code> method of the SDK has to be used, in order to await the completion of the PCA's creation like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pca</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">ACMPCA</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">wait</span><span class="p">(</span><span class="nx">CertificateAuthorityArn</span><span class="p">){</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">waitFor</span><span class="p">(</span><span class="dl">'</span><span class="s1">certificateAuthorityCSRCreated</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">CertificateAuthorityArn</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>When the PCA is created, it should be visible in the console:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fymo4nxwy9o3d2wnvbian.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fymo4nxwy9o3d2wnvbian.png" alt="Waiting State of the PCA"></a><br> As displayed, a CA Certificate needs to be installed, before the PCA is ready to use. To sign the PCA certificate, the Certificate Signing Request of the Certificate Authority is required, which can be retrieved via the AWS SDK:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pca</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">ACMPCA</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getCSR</span><span class="p">(</span><span class="nx">CertificateAuthorityArn</span><span class="p">){</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">CSR</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">getCertificateAuthorityCsr</span><span class="p">({</span> <span class="nx">CertificateAuthorityArn</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="k">return</span> <span class="nx">CSR</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>To sign the Root CA Certificate, a issue request of a root CA Certificate has to be performed against the Certificate Authority. Previous attempts of issuing the certificate with OpenSSL failed, because AWS would not accept the generated certificate as a CA Root Certificate, hence the issuing is done via the API. The Certificate Authority needs the Certificate Signing Request and a few other parameters arranged like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pca</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">ACMPCA</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">issueRootCertificate</span><span class="p">(</span><span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="nx">CSR</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">CACertParams</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="na">Csr</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">CSR</span><span class="p">),</span> <span class="na">SigningAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA256WITHRSA</span><span class="dl">"</span><span class="p">,</span> <span class="na">TemplateArn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">arn:aws:acm-pca:::template/RootCACertificate/V1</span><span class="dl">"</span><span class="p">,</span> <span class="na">Validity</span><span class="p">:</span> <span class="p">{</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">YEARS</span><span class="dl">"</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="mi">10</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">CertificateArn</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">issueCertificate</span><span class="p">(</span><span class="nx">CACertParams</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>After the Certificate is issued, it has to be imported in the CA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pca</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">ACMPCA</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">importRootCertificate</span><span class="p">(</span><span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="nx">CertificateArn</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">Certificate</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">getCertificate</span><span class="p">({</span> <span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="nx">CertificateArn</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">importCertificateAuthorityCertificate</span><span class="p">({</span> <span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="na">Certificate</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">Certificate</span><span class="p">)</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>Now the CA should be ready for usage, which should be visible in the console:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fcq5gpnnoij87retrflns.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fcq5gpnnoij87retrflns.png" alt="Ready State of the PCA"></a></p> <p>Now, the CA is finally ready to issue certificates, which can be used for encrypting traffic. A certificate is issued like this (with the help of OpenSSL for generating the Certificate Signing Request):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pca</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">ACMPCA</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">util</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">util</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">exec</span> <span class="o">=</span> <span class="nx">util</span><span class="p">.</span><span class="nf">promisify</span><span class="p">(</span><span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">child_process</span><span class="dl">'</span><span class="p">).</span><span class="nx">exec</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">read</span> <span class="o">=</span> <span class="nx">util</span><span class="p">.</span><span class="nf">promisify</span><span class="p">(</span><span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">).</span><span class="nx">readFile</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">write</span> <span class="o">=</span> <span class="nx">util</span><span class="p">.</span><span class="nf">promisify</span><span class="p">(</span><span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">).</span><span class="nx">writeFile</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">privateKeyFile</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/tmp/private.key</span><span class="dl">"</span> <span class="kd">const</span> <span class="nx">CSRFile</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/tmp/CSR.csr</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// This is important for OpenSSL, otherwise it would exit with an error, because the .rnd File in the old Home dir is not writeable</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">HOME</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/tmp</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">issueCertificate</span><span class="p">(</span><span class="nx">CertificateAuthorityArn</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">exec</span><span class="p">(</span><span class="s2">`openssl req -nodes -newkey rsa:4096 -days 3600 -keyout </span><span class="p">${</span><span class="nx">privateKeyFile</span><span class="p">}</span><span class="s2"> -out </span><span class="p">${</span><span class="nx">CSRFile</span><span class="p">}</span><span class="s2"> -subj "/C=DE/O=SPIRIT21/CN=ExampleInternalCA"`</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">csr</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">read</span><span class="p">(</span><span class="nx">CSRFile</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">certParams</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="na">Csr</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">csr</span><span class="p">),</span> <span class="na">SigningAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA256WITHRSA</span><span class="dl">"</span><span class="p">,</span> <span class="na">Validity</span><span class="p">:</span> <span class="p">{</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DAYS</span><span class="dl">"</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="mi">3600</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">certData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">issueCertificate</span><span class="p">(</span><span class="nx">certParams</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="c1">// Sometimes the CA isn't finished with issuing the cert, </span> <span class="c1">// which is why we have to wait here, before getting the cert</span> <span class="k">await</span> <span class="nf">sleep</span><span class="p">(</span><span class="mi">500</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cert</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">getCertificate</span><span class="p">({</span> <span class="na">CertificateArn</span><span class="p">:</span> <span class="nx">certData</span><span class="p">.</span><span class="nx">CertificateArn</span><span class="p">,</span> <span class="nx">CertificateAuthorityArn</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">CertificateArn</span><span class="p">:</span> <span class="nx">certData</span><span class="p">.</span><span class="nx">CertificateArn</span><span class="p">,</span> <span class="na">Certificate</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>When everything is tied together and packaged as a handler it might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pca</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">ACMPCA</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">util</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">util</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">exec</span> <span class="o">=</span> <span class="nx">util</span><span class="p">.</span><span class="nf">promisify</span><span class="p">(</span><span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">child_process</span><span class="dl">'</span><span class="p">).</span><span class="nx">exec</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">read</span> <span class="o">=</span> <span class="nx">util</span><span class="p">.</span><span class="nf">promisify</span><span class="p">(</span><span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">).</span><span class="nx">readFile</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">write</span> <span class="o">=</span> <span class="nx">util</span><span class="p">.</span><span class="nf">promisify</span><span class="p">(</span><span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">).</span><span class="nx">writeFile</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">exists</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">).</span><span class="nx">existsSync</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">privateKeyFile</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/tmp/private.key</span><span class="dl">"</span> <span class="kd">const</span> <span class="nx">CSRFile</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/tmp/CSR.csr</span><span class="dl">"</span><span class="p">;</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">HOME</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/tmp</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">caParams</span> <span class="o">=</span> <span class="p">{</span> <span class="na">CertificateAuthorityConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">KeyAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RSA_2048</span><span class="dl">"</span><span class="p">,</span> <span class="na">SigningAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA256WITHRSA</span><span class="dl">"</span><span class="p">,</span> <span class="na">Subject</span><span class="p">:</span> <span class="p">{</span> <span class="na">Country</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DE</span><span class="dl">'</span><span class="p">,</span> <span class="na">Organization</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SPIRIT21</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">},</span> <span class="na">CertificateAuthorityType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ROOT</span><span class="dl">"</span><span class="p">,</span> <span class="na">RevocationConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">CrlConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">Enabled</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">testPCA</span><span class="p">(</span><span class="nx">arn</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{</span> <span class="na">CertificateAuthorityArn</span><span class="p">:</span> <span class="nx">arn</span> <span class="p">};</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">getCertificateAuthorityCsr</span><span class="p">(</span><span class="nx">params</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">sleep</span> <span class="o">=</span> <span class="nx">m</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="nx">m</span><span class="p">))</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="nx">context</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">CertificateAuthorityArn</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nf">hasOwnProperty</span><span class="p">(</span><span class="dl">"</span><span class="s2">arn</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">CertificateAuthorityArn</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">arn</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">await</span> <span class="nf">testPCA</span><span class="p">(</span><span class="nx">CertificateAuthorityArn</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Generating PCA</span><span class="dl">'</span><span class="p">,</span> <span class="nx">caParams</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">CertificateAuthorityArn</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">createCertificateAuthority</span><span class="p">(</span><span class="nx">caParams</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">CertificateAuthorityArn</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Waiting for the CSR creation..</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">waitFor</span><span class="p">(</span><span class="dl">'</span><span class="s1">certificateAuthorityCSRCreated</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">CertificateAuthorityArn</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Getting CA-CSR now...</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">Csr</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">getCertificateAuthorityCsr</span><span class="p">({</span> <span class="nx">CertificateAuthorityArn</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">CA-CSR loaded, generating Root CA Cert</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">CACertParams</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="na">Csr</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">Csr</span><span class="p">),</span> <span class="na">SigningAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA256WITHRSA</span><span class="dl">"</span><span class="p">,</span> <span class="na">TemplateArn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">arn:aws:acm-pca:::template/RootCACertificate/V1</span><span class="dl">"</span><span class="p">,</span> <span class="na">Validity</span><span class="p">:</span> <span class="p">{</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">YEARS</span><span class="dl">"</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="mi">10</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">CertificateArn</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">issueCertificate</span><span class="p">(</span><span class="nx">CACertParams</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Root CA Cert generated</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Sometimes the CA is not done with issuing the cert, which is why we have to wait here, before getting the cert</span> <span class="k">await</span> <span class="nf">sleep</span><span class="p">(</span><span class="mi">500</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">CAcert</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">getCertificate</span><span class="p">({</span> <span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="nx">CertificateArn</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">CAcert</span><span class="p">);</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">importCertificateAuthorityCertificate</span><span class="p">({</span> <span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="na">Certificate</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">CAcert</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">)</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Root CA Cert imported</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// END CA GENERATION</span> <span class="c1">// CERTIFICATE GENERATION</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Generating CSR for new CA Cert</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nf">exec</span><span class="p">(</span><span class="s2">`openssl req -nodes -newkey rsa:4096 -days 3600 -keyout </span><span class="p">${</span><span class="nx">privateKeyFile</span><span class="p">}</span><span class="s2"> -out </span><span class="p">${</span><span class="nx">CSRFile</span><span class="p">}</span><span class="s2"> -subj "/C=DE/O=SPIRIT21/CN=ExampleInternalCA-Root"`</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">csr</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">read</span><span class="p">(</span><span class="nx">CSRFile</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">certParams</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">CertificateAuthorityArn</span><span class="p">,</span> <span class="na">Csr</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">csr</span><span class="p">),</span> <span class="na">SigningAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA256WITHRSA</span><span class="dl">"</span><span class="p">,</span> <span class="na">Validity</span><span class="p">:</span> <span class="p">{</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DAYS</span><span class="dl">"</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="mi">3600</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Generating Cert in CA</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">certData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">issueCertificate</span><span class="p">(</span><span class="nx">certParams</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="c1">// Again, the CA might not be ready.</span> <span class="k">await</span> <span class="nf">sleep</span><span class="p">(</span><span class="mi">500</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cert</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pca</span><span class="p">.</span><span class="nf">getCertificate</span><span class="p">({</span> <span class="na">CertificateArn</span><span class="p">:</span> <span class="nx">certData</span><span class="p">.</span><span class="nx">CertificateArn</span><span class="p">,</span> <span class="nx">CertificateAuthorityArn</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">cert</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">CertificateArn</span><span class="p">:</span> <span class="nx">certData</span><span class="p">.</span><span class="nx">CertificateArn</span><span class="p">,</span> <span class="na">Certificate</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">handler</span> <span class="p">};</span> </code></pre> </div> <p>Pay attention to setting the Lambda timeout on a greater value than 10 seconds, which was the mean execution time during testing. Also do not forget to set the Runtime to Node.js 8.10 or use a Lambda Layer with OpenSSL. Contrary to what one might expect the certificates issued by the Private Certificate Authority are not visible in the normal AWS Certificate Manager, so it is important to store the ARNs of the Certificates created too.</p> aws lambda javascript