Breaking Change: Modifications to AWIS and Alexa Top Sites services

[eladnava]

Hey guys, Just got this e-mail from AWS stating that root IAM account keys will no longer work for authenticating against AWIS.

AWIS will start requiring an AWIS-policy-granted IAM user instead of the root account user, but only through its Auth v4 API.

Seeing as this package does not use the Auth v4 way of authenticating against AWIS (with the Authorization header), this is a breaking change and AWS has only granted about 40 days for us to comply with it.

An example Auth v4 request is detailed here: http://docs.aws.amazon.com/AlexaWebInfoService/latest/ApiReference_UrlInfoAction.html

The e-mail from AWS:

Hello,

In accordance with AWS security guidelines, the Alexa Web Information Service and Alexa Top Sites API’s now support the use of IAM credentials. The support for using root account credentials to access these services will be discontinued on January 31, 2018.

In order to continue using the Alexa Web Information Service and Alexa Top Sites services, you will be required to create an IAM user in your AWS account and make slight code changes anywhere your applications make calls to these API’s. Our code samples (AWIS[1], Alexa Top Sites[2]) and documentation (AWIS[3], Alexa Top Sites[4]) have been updated to reflect these changes.

Migration to the new request format must be completed by January 31, 2018.

If you have any questions or concerns about these changes, you have 2 options for contacting Alexa.com support:

1. If you have an Alexa.com account, please login to https://www.alexa.com/help and submit a help request.
2. Post to the relevant API forum (AWIS, Alexa Top Sites).

We apologize for any inconvenience this may cause. Thank you for your continued use of Alexa's API and for helping us make this service more secure.

[1] https://aws.amazon.com/code/AWIS
[2] https://aws.amazon.com/code/Alexa-Top-Sites/
[3] https://aws.amazon.com/documentation/awis/
[4] https://aws.amazon.com/documentation/alexa-top-sites/

Sincerely,
Amazon Web Services

@lupomontero Is modifying this library to work with Auth v4 feasible? Is this something you would have time to do?

[eladnava]

@lupomontero Hope you're doing great. Did you get a chance to look at this mate?

[eladnava]

Hi @lupomontero, Hope you're doing great!

I see that you self-assigned this, would just like to bring to your attention that in 14 days, the breaking change takes effect and the library will fail in production for everyone.

Please let me know if you will not be able to find time to work on this so that I will submit a PR instead.

[eladnava]

Hi @lupomontero, Hope you're doing great.

A reply from you would be greatly appreciated. There are just 8 days left until the breaking change hits production.

Even a reply mentioning that you won't be able to work on it is fine. Just let us know so that we have sufficient time to develop a fix.

Thanks, Elad

[Janpot]

@lupomontero @eladnava I went ahead and opened https://github.com/wrangr/awis/pull/21 Tests still fail for should allow apostrophe in path when doing CategoryBrowse. No matter how I encode, it doesn't seem to accept the Path parameter. If any of you could lend a second pair of eyes on this test? I'm not using that part of the API and I don't have enough free time right now to devote on this.

[eladnava]

@Janpot looks awesome brother. Well done! 👍

Just wondering about line 137: https://github.com/wrangr/awis/pull/21/files#diff-168726dbe96b3ce427e7fedce31bb0bcR137

Is the us-west-1 region hard-coded in the API endpoints intentionally? Are there any adverse effects to doing this?

In any case, I have a feeling @lupomontero will not be around to review, merge, and publish this to npm in time for the breaking change.

Do you want to publish a temporary package to npm with the commits you made? If not, I'll be happy to do it as well.

[Janpot]

Is the us-west-1 region hard-coded in the API endpoints intentionally?

Yes, aws4 uses us-east-1 as a region by default. This didn't work. The code samples provided by Amazon all used us-west-1 which worked for me.

It also looks right now that it works even without adding the policy.

right now we're importing it as

"awis": "git://github.com/Woorank/awis.git#aws-sign-v4",

We'll publish a version in a few weeks if @lupomontero stays inactive. You are free to publish a version if you don't want to import github dependencies.

[eladnava]

@Janpot Regarding the region, sounds good.

The breaking change that your PR addresses becomes active in January 31st, in just a few days time.

I will be happy to publish your fix as a new package in the meantime if you don't mind as I would like my production app to be able to access awis without failure after the breaking change. 👍

[eladnava]

Awesome, just published awis-sign-v4 that includes your PR. 👍

Just tested and it works perfectly! Even with an IAM user with the awis:GET permission: https://docs.aws.amazon.com/AlexaWebInfoService/latest/MakingRequestsChapter.html

Cheers @Janpot 🎉

When this gets merged by @lupomontero I'll go back to using awis in production. As a reminder, the breaking change goes into effect tomorrow!

[lupomontero]

@eladnava and @Janpot: many apologies for the extended silence... 😢

I have been incredibly busy and had not had the time to review this until today. I finally reviewed the pending PR and merged it into master 🚀

WRT the failing tests (the one about the apostrophe), I have simply skipped it for now... I spent a little while just now trying to figure it out, but can't seem to...

On a different note, would any of you guys volunteer to help maintain this repo?

[lupomontero]

I have just released a new version with the changes. Can you guys confirm whether this fixes the issue? Thanks!

[eladnava]

Hi @lupomontero, I can confirm the new version of awis works. 👍

[HiFaraz]

Thank you @lupomontero!

@eladnava can you note in your new module that it is deprecated then?

[eladnava]

Absolutely: https://www.npmjs.com/package/awis-sign-v4