DEV Community: Sanjeet Sahay The latest articles on DEV Community by Sanjeet Sahay (@sahays). https://dev.to/sahays https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F387007%2F5b1b8bc7-87ff-4507-b515-83e7bc1b52a9.jpeg DEV Community: Sanjeet Sahay https://dev.to/sahays en axios/got faceoff: uploading a file to Amazon WorkDocs using Amazon S3 pre-signed url Sanjeet Sahay Mon, 18 May 2020 22:11:56 +0000 https://dev.to/sahays/axios-got-faceoff-uploading-a-file-to-amazon-workdocs-using-amazon-s3-pre-signed-url-1hfo https://dev.to/sahays/axios-got-faceoff-uploading-a-file-to-amazon-workdocs-using-amazon-s3-pre-signed-url-1hfo <h2> Overview </h2> <p>If you are using <a href="https://aws.amazon.com/workdocs/?amazon-workdocs-whats-new.sort-by=item.additionalFields.postDateTime&amp;amazon-workdocs-whats-new.sort-order=desc">Amazon WorkDocs</a> as your managed cloud based content management and/or storage system, and if you are planning to automate tasks such as integrate it with other document/content storage systems, then you must have come across the use case of uploading a file. After some automation, you should be able to do this at scale. In a future post, I will share a detailed reference architecture on how to build such an integrated system. </p> <p>The following sections demonstrate the various aspects of the app, starting with setting up a simple Node.js app. However, there are some prerequisites </p> <ul> <li>AWS IAM user with sufficient privileges e.g. I am using my development account and I have created a user with admin privileges without AWS Management console access, and I rotate its access keys regularly. For more, read <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html">AWS IAM best practices</a> </li> <li>an existing <a href="https://www.youtube.com/watch?v=IMiA2euydn0">Amazon WorkDocs site</a> </li> <li> <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html">Install</a> and <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html">configure</a> AWS CLI with <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html">named profiles</a> </li> </ul> <h2> Initialize npm project </h2> <p>I have used the following commands to initialize a new npm project<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>➜ mkdir workdocs-sample &amp;&amp; cd workdocs-sample ➜ npm init ➜ npm install aws-sdk axios form-data got ➜ touch index.js </code></pre> </div> <p>After initialization, my folder structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>➜ workdocs-sample ls da-quiz-storage-result.pdf index.js node_modules package-lock.json package.json yarn.lock </code></pre> </div> <h2> Initialize the WorkDocs client </h2> <p>Setup AWS credentials in <code>index.js</code>. For more information, read <a href="https://dev.to/sahays/best-practices-to-use-aws-access-key-and-secret-in-your-development-environment-23ki">best practices to use AWS credentials in your development environment</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">aws-sdk</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">credentials</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SharedIniFileCredentials</span><span class="p">({</span> <span class="na">profile</span><span class="p">:</span> <span class="dl">"</span><span class="s2">default</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">credentials</span> <span class="o">=</span> <span class="nx">credentials</span><span class="p">;</span> </code></pre> </div> <p>In addition to that, you'll need the following declarations<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">got</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">got</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">FormData</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">form-data</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">workdocs</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">WorkDocs</span><span class="p">();</span> </code></pre> </div> <p>Finally, initialize the WorkDocs client<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">workdocs</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">WorkDocs</span><span class="p">();</span> </code></pre> </div> <h2> Steps to upload a file </h2> <p>To upload a file to a WorkDocs folder you need the following:</p> <ul> <li>a folder ID to upload <ul> <li>to get the root folder ID, you need to make a call to <code>describeUsers</code> API</li> <li>if you have created new folders at the root, then you need to call <code>describeFolderContents</code> with the root folder ID</li> </ul> </li> <li>call <code>initiateDocumentVersionUpload</code> with the folder ID, name of the file, and optionally, a content type. It returns an Amazon S3 pre-signed upload url, document ID, and a version ID among other things</li> <li>use <code>got</code> to upload the file to the returned <code>uploadUrl</code> </li> <li>call <code>updateDocumentVersion</code> with document ID, version ID, and set <code>VersionStatus</code> to <code>ACTIVE</code> </li> </ul> <h3> Get the root folder ID </h3> <p>Every user has a root folder which can contain one or more children - nothing fancy, just the usual nested folder structure. The root folder has an ID that can used to create folders inside it. Using the <code>describeUsers</code> API call, we'll get the root folder ID for the user defined by the <code>query</code> parameter. You can look up <code>OrganizationId</code> from your Amazon WorkDocs AWS console.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">describeUsers</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">workdocs</span> <span class="p">.</span><span class="nf">describeUsers</span><span class="p">({</span> <span class="na">OrganizationId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">d-92672xxxxx</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// your WorkDocs organization Id</span> <span class="na">Query</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sahays</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// name of an existing WorkDocs user</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <h3> Initialize upload </h3> <p>The following code uses <code>initiateDocumentVersionUpload</code> to initiate the process of uploading a file. The api requires <code>ParentFolderId</code> to upload the file to, and a <code>Name</code>. It returns a <code>documentId</code> for the document, <code>versionId</code> for the first version of the document, <code>uploadUrl</code> containing the Amazon S3 pre-signed url, and <code>signedHeaders</code> containing the <code>content-type</code> and <code>x-amz-server-side-encryption</code> encryption type.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">initUpload</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">folderId</span><span class="p">,</span> <span class="nx">filename</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">initUpload</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">contentType</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">application/octet-stream</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">initResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">workdocs</span> <span class="p">.</span><span class="nf">initiateDocumentVersionUpload</span><span class="p">({</span> <span class="na">ParentFolderId</span><span class="p">:</span> <span class="nx">folderId</span><span class="p">,</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">filename</span><span class="p">,</span> <span class="na">ContentType</span><span class="p">:</span> <span class="nx">contentType</span><span class="p">,</span> <span class="na">ContentCreatedTimestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="na">ContentModifiedTimestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">documentId</span> <span class="o">=</span> <span class="nx">initResult</span><span class="p">.</span><span class="nx">Metadata</span><span class="p">.</span><span class="nx">Id</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">versionId</span> <span class="o">=</span> <span class="nx">initResult</span><span class="p">.</span><span class="nx">Metadata</span><span class="p">.</span><span class="nx">LatestVersionMetadata</span><span class="p">.</span><span class="nx">Id</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">UploadUrl</span><span class="p">,</span> <span class="nx">SignedHeaders</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">initResult</span><span class="p">.</span><span class="nx">UploadMetadata</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">initUpload complete</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">documentId</span><span class="p">,</span> <span class="nx">versionId</span><span class="p">,</span> <span class="na">uploadUrl</span><span class="p">:</span> <span class="nx">UploadUrl</span><span class="p">,</span> <span class="na">signedHeaders</span><span class="p">:</span> <span class="nx">SignedHeaders</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">failed initUpload</span><span class="dl">"</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">e</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>The header looks like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/octet-stream</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">x-amz-server-side-encryption</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AES256</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <h3> Upload a file using <code>got</code> </h3> <p>The following code uses <code>got</code> <a href="https://www.npmjs.com/package/got">npm library</a> to upload a local file. Please note, we are using a <code>PUT</code> request. The file is appended to <code>FormData</code> using a file stream object. The headers retrieved from the previous call <code>initiateDocumentVersionUpload</code> is used to set a <code>PUT</code> request header.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">uploadFile</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">filename</span><span class="p">,</span> <span class="nx">signedHeaders</span><span class="p">,</span> <span class="nx">uploadUrl</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">filename</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">reading file stream</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fileStream</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">createReadStream</span><span class="p">(</span><span class="nx">filename</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">preparing form data</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FormData</span><span class="p">();</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nx">filename</span><span class="p">,</span> <span class="nx">fileStream</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">uploading to </span><span class="dl">"</span><span class="p">,</span> <span class="nx">uploadUrl</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">extendParams</span> <span class="o">=</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">signedHeaders</span><span class="p">,</span> <span class="p">};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">got extendParams</span><span class="dl">"</span><span class="p">,</span> <span class="nx">extendParams</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">got</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="nx">extendParams</span><span class="p">);</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">uploadUrl</span><span class="p">,</span> <span class="p">{</span> <span class="na">body</span><span class="p">:</span> <span class="nx">formData</span><span class="p">,</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">upload complete</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">file doesn't exist</span><span class="dl">"</span><span class="p">);</span> <span class="k">throw</span> <span class="dl">"</span><span class="s2">file doesn't exist</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">failed uploadFile</span><span class="dl">"</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">e</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Update document version </h3> <p>This important step completes the file upload transaction by setting the <code>VersionStatus</code> to <code>ACTIVE</code> which tells Amazon WorkDocs to mark the just uploaded file as the most recent/active version.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">updateVersion</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">documentId</span><span class="p">,</span> <span class="nx">versionId</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">workdocs</span> <span class="p">.</span><span class="nf">updateDocumentVersion</span><span class="p">({</span> <span class="na">DocumentId</span><span class="p">:</span> <span class="nx">documentId</span><span class="p">,</span> <span class="na">VersionId</span><span class="p">:</span> <span class="nx">versionId</span><span class="p">,</span> <span class="na">VersionStatus</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ACTIVE</span><span class="dl">"</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">document version updated</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">failed updateVersion</span><span class="dl">"</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">e</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> Time for that faceoff: <code>got</code> vs <code>axios</code> </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LEZm46_Q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.pixabay.com/photo/2019/01/25/13/22/cars-3954498_1280.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LEZm46_Q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn.pixabay.com/photo/2019/01/25/13/22/cars-3954498_1280.jpg" alt="face/off" width="800" height="446"></a></p> <p>Let's take a look at <code>axios</code> invocation first.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">uploadUrl</span><span class="p">,</span> <span class="nx">formData</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">signedHeaders</span> <span class="p">});</span> </code></pre> </div> <p>This results in Amazon S3 rejecting the request with the following error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;Error&gt;</span> <span class="nt">&lt;Code&gt;</span>NotImplemented<span class="nt">&lt;/Code&gt;</span> <span class="nt">&lt;Message&gt;</span>A header you provided implies functionality that is not implemented<span class="nt">&lt;/Message&gt;</span> <span class="nt">&lt;Header&gt;</span>Transfer-Encoding<span class="nt">&lt;/Header&gt;</span> <span class="nt">&lt;RequestId&gt;</span>016D6B18F95E6923<span class="nt">&lt;/RequestId&gt;&lt;HostId&gt;</span>QgYnoYEQTZR4jG7wvdLfAe6lcd2Tg+/eAOeHLvtM+CamqyDxZX8p7CV4ZL+Hph7+IOUiFJkayT8=<span class="nt">&lt;/HostId&gt;</span> <span class="nt">&lt;/Error&gt;</span> </code></pre> </div> <p>The server returns a <code>501: not implemented</code> response<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">response</span><span class="p">:</span> <span class="p">{</span> <span class="nl">status</span><span class="p">:</span> <span class="mi">501</span><span class="p">,</span> <span class="nx">statusText</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Not Implemented</span><span class="dl">'</span><span class="p">,</span> <span class="nx">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">x-amz-request-id</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">016D6B18F95E6923</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">x-amz-id-2</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">QgYnoYEQTZR4jG7wvdLfAe6lcd2Tg+/eAOeHLvtM+CamqyDxZX8p7CV4ZL+Hph7+IOUiFJkayT8=</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/xml</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">transfer-encoding</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">chunked</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// extra header</span> <span class="nx">date</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Mon, 18 May 2020 22:00:24 GMT</span><span class="dl">'</span><span class="p">,</span> <span class="nx">connection</span><span class="p">:</span> <span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">,</span> <span class="nx">server</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AmazonS3</span><span class="dl">'</span> <span class="p">},...</span> <span class="p">}</span> </code></pre> </div> <p>Now, let's take a look at the <code>got</code> invocation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">extendParams</span> <span class="o">=</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">signedHeaders</span><span class="p">,</span> <span class="p">};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">got extendParams</span><span class="dl">"</span><span class="p">,</span> <span class="nx">extendParams</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">got</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="nx">extendParams</span><span class="p">);</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">uploadUrl</span><span class="p">,</span> <span class="p">{</span> <span class="na">body</span><span class="p">:</span> <span class="nx">formData</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>This results in a successful <code>200: OK</code> response with the same inputs</p> <h2> Bring it all together </h2> <p>The following is the entry point function that runs as a result of running index.js using <code>node index.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">start</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">describeUsers</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">rootFolderId</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">Users</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">RootFolderId</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">filename</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">da-quiz-storage-result.pdf</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">documentId</span><span class="p">,</span> <span class="nx">versionId</span><span class="p">,</span> <span class="nx">uploadUrl</span><span class="p">,</span> <span class="nx">signedHeaders</span><span class="p">,</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">initUpload</span><span class="p">({</span> <span class="na">folderId</span><span class="p">:</span> <span class="nx">rootFolderId</span><span class="p">,</span> <span class="nx">filename</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">uploadFile</span><span class="p">({</span> <span class="nx">filename</span><span class="p">,</span> <span class="nx">signedHeaders</span><span class="p">,</span> <span class="nx">uploadUrl</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">updateVersion</span><span class="p">({</span> <span class="nx">documentId</span><span class="p">,</span> <span class="nx">versionId</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="nf">start</span><span class="p">();</span> </code></pre> </div> <h2> Finally </h2> <p>After running <code>node index.js</code> in your terminal, you'll see an output similar to the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>initUpload initUpload complete reading file stream preparing form data uploading to https://gb-us-west-2-prod-doc-source.s3.us-west-2.amazonaws.com/1b45f47aa1c4d1d1c1f0978587e10f1e56ce801824ca5d5fce0565dea6f76baf/1589767973739-0d3c7a46986cfe7d0fd8beec8258628a8b6ca0e9b0f412afafcdaf9c6aa7a00e?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Date=20200518T021253Z&amp;X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-server-side-encryption&amp;X-Amz-Expires=900&amp;X-Amz-Credential=AKIAIM5HWZT6CVS2WHIA%2F20200518%2Fus-west-2%2Fs3%2Faws4_request&amp;X-Amz-Signature=025e9ed29fe7f8ab85593c51a4a09b396909de47ea1e893148df14e3435ea080 got extendParams { headers: { 'Content-Type': 'application/octet-stream', 'x-amz-server-side-encryption': 'AES256' } } upload complete document version updated </code></pre> </div> <p>The file <code>da-quiz-storage-result.pdf</code> is now uploaded as shown in this screenshot:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fo7yyi960mz0217ibf13e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fo7yyi960mz0217ibf13e.png" alt="uploaded-file" width="800" height="221"></a></p> aws javascript productivity Best practices to use AWS access key and secret in your development environment Sanjeet Sahay Sun, 17 May 2020 17:36:01 +0000 https://dev.to/sahays/best-practices-to-use-aws-access-key-and-secret-in-your-development-environment-23ki https://dev.to/sahays/best-practices-to-use-aws-access-key-and-secret-in-your-development-environment-23ki <p>If you are an AWS developer and are using AWS services in your app, then you must have found yourself looking for the best way to securely store and access your AWS credentials. To keep our AWS account secure, it's important for us to understand the AWS shared responsibility model.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd1.awsstatic.com%2Fsecurity-center%2FShared_Responsibility_Model_V2.59d1eccec334b366627e9295b304202faf7b899b.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd1.awsstatic.com%2Fsecurity-center%2FShared_Responsibility_Model_V2.59d1eccec334b366627e9295b304202faf7b899b.jpg" alt="shared responsibility model"></a><br> In a nutshell, it states that AWS is responsible for the security <em>of</em> the cloud and us, the customers, are responsible for the security <em>in</em> the cloud. Simply put, for developers, it means that we should take special care of our AWS credentials like Access key ID and Secret Access Key. </p> <p>If you are new to AWS, use the references section below for more information.</p> <h2> 1. Anti-pattern: Hardcoding credentials </h2> <p>This is an anti-pattern and <em>must be avoided</em> at all costs. If your code looks like the following then you must act now</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">aws-sdk</span><span class="dl">"</span><span class="p">);</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">credentials</span><span class="p">:</span> <span class="p">{</span> <span class="na">access_key_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">&lt;your-access-key-id&gt;</span><span class="dl">"</span><span class="p">,</span> <span class="na">secret_access_key</span><span class="p">:</span> <span class="dl">"</span><span class="s2">&lt;your-secret-access-key&gt;</span><span class="dl">"</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h3> 1.1. Why is this bad? </h3> <p>As a developer, you are most likely to commit this code in some repository like a private GitHub repo or your team repository such as BitBucket or AWS CodeCommit. Besides running a risk of using an anti-pattern, you don't want someone to access your hard-coded keys, because it will allow them to access/manage all the resources that these credentials provide access to. If the IAM policy attached to the user whose credentials you are using looks like the following, it means that you have handed over the keys to your AWS kingdom to anybody who has access to your code</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 1.2. How do I mitigate? </h3> <p>If you think that you can't make changes to your code, then you must modify the IAM policy attached to that role or move them to an IAM group with restrictive privileges e.g. IAM policy that grants least privileges to only a given Amazon S3 bucket:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ListYourObjects"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"arn:aws:s3:::bucket-name"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ReadWriteDeleteYourObjects"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:DeleteObject"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"arn:aws:s3:::bucket-name"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 2. Look ma, no hardcoded credentials </h2> <p>With that anti-pattern out of the way, you may take one of the following approaches to use your AWS credentials.</p> <h3> 2.1. Use environment variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> $ export AWS_ACCESS_KEY_ID="&lt;your-access-key-id&gt;" $ export AWS_SECRET_ACCESS_KEY="&lt;your-secret-access-key&gt;" </code></pre> </div> <p>then, in your JavaScript/Node.js app, use the following</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">aws-sdk</span><span class="dl">"</span><span class="p">);</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">credentials</span><span class="p">:</span> <span class="p">{</span> <span class="na">access_key_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_ACCESS_KEY_ID</span><span class="p">,</span> <span class="na">secret_access_key</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_SECRET_ACCESS_KEY</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h3> 2.2. Use AWS profile </h3> <p>You can use AWS named profiles to store more than one credential. You can inspect the following two files:</p> <ul> <li> <code>~/.aws/credentials</code>: contains <code>aws_access_key_id</code> and <code>aws_secret_access_key</code> </li> <li> <code>~/.aws/config</code>: contains <code>region</code> and <code>output</code> </li> </ul> <p>My <code>~/.aws/credentials</code> file looks like the following and it shows that I am using 2 profiles: <code>default</code> and <code>personal</code></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> [default] aws_access_key_id = "&lt;your-access-key-id&gt;" aws_secret_access_key = "&lt;your-secret-access-key&gt;" [personal] aws_access_key_id = "&lt;your-access-key-id&gt;" aws_secret_access_key = "&lt;your-secret-access-key&gt;" </code></pre> </div> <p>My <code>~/.aws/config</code> file looks like the following:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> [default] region = us-west-2 output=json [profile personal] region = us-west-2 output = json </code></pre> </div> <p>If I want to use my default account, I can use the following code:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <p><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">aws-sdk</span><span class="dl">"</span><span class="p">);</span><br> <span class="kd">const</span> <span class="nx">credentials</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SharedIniFileCredentials</span><span class="p">({</span> <span class="na">profile</span><span class="p">:</span> <span class="dl">"</span><span class="s2">default</span><span class="dl">"</span> <span class="p">});</span><br> <span class="nx">AWS</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">credentials</span> <span class="o">=</span> <span class="nx">credentials</span><span class="p">;</span></p> </code></pre> </div> <h2> <br> <br> <br> What about my code running in Amazon EC2, AWS Lambda?<br> </h2> <p>I have 3 words for you: "Use IAM roles". </p> <p>If you have your code running in a Docker container on an Amazon EC2 instance, then understand that every single process on the system has access to IAM roles and your container will assume that role without you having to specify it.</p> <h2> Conclusion </h2> <p>For my development environment, I have found the latter approach of using AWS profiles and using them to access credentials in code better than having to export it. The code is much cleaner and doesn't change if I rotate my keys. All I need to do is to run <code>aws configure</code> on my developer workstation and be done with it. Also, it saves me from the anti-pattern of hard-coding credentials in my code. <em>However</em>, this approach means that you may have to change the code or write conditional code (rarely a good practice) or use environment specific files for your non-development environments where the profile may or may not exist. If you run into such a decision making process, using the environment variable approach is the way to go.</p> <h2> References </h2> <ul> <li><a href="https://aws.amazon.com/iam/faqs/" rel="noopener noreferrer">AWS IAM getting started</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" rel="noopener noreferrer">AWS IAM best practices</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html" rel="noopener noreferrer">AWS IAM roles</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" rel="noopener noreferrer">AWS IAM policies</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html" rel="noopener noreferrer">AWS IAM users and groups</a></li> <li><a href="https://aws.amazon.com/compliance/shared-responsibility-model/" rel="noopener noreferrer">AWS shared responsibility model</a></li> <li><a href="https://eng.lyft.com/scoping-aws-iam-roles-to-docker-containers-c9c5f8f2f75" rel="noopener noreferrer">Scoping IAM in Docker containers</a></li> <li><a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" rel="noopener noreferrer">AWS CLI Named profiles</a></li> <li><a href="https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-shared.html" rel="noopener noreferrer">Loading credentials in Node.js</a></li> </ul> aws security javascript