API Gateway and Lambda Integration

The integration between API Gateway and Lambda forms the core of our Ethereum signing service architecture. This setup ensures secure and efficient routing of transaction signing requests to the appropriate Lambda function.

API Gateway Setup Overview

The API Gateway setup process involves several key steps:

  1. Create REST API: A new REST API is created specifically for the Ethereum signing service.

  2. Define Resources: A "/sign" resource is defined, representing the endpoint for transaction signing requests.

  3. Configure Method: A POST method is set up on the "/sign" resource, as transaction signing requests involve sending data.

  4. Lambda Integration: The POST method is integrated with our Lambda function using the AWS_PROXY integration type, allowing for seamless request and response handling.

  5. Deploy API: The API is deployed to a "prod" stage, making it accessible to organizations.

  6. Set Permissions: Lambda resource-based policies are configured to allow invocation by API Gateway.

Workflow

This setup ensures that when an organization sends a POST request to the "/sign" endpoint:

  1. API Gateway receives and authenticates the request using AWS IAM.
  2. The request is proxied to the Lambda function.
  3. Lambda executes the signing logic, interacting with Secrets Manager to retrieve the organization's mnemonic.
  4. The signed transaction is returned through API Gateway to the organization.
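Steps 1 to 3 only keep organizations isolated if the function picks the mnemonic from the identity API Gateway authenticated, not from anything the client sends. The handler below is an added example, not the service's own code: the account-to-secret mapping, the secret names, the "transaction" body field and the injected fetch_mnemonic and sign_tx callables are assumptions made for illustration.

```python
import base64
import json

# Hypothetical mapping: authenticated AWS account ID -> Secrets Manager secret
# holding that organization's mnemonic. IDs and names are constructed.
SECRET_BY_ACCOUNT = {
    "111111111111": "signing/org-a/mnemonic",
    "222222222222": "signing/org-b/mnemonic",
}

def _response(status, payload):
    # AWS_PROXY expects statusCode, headers and a *string* body.
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}

def make_handler(fetch_mnemonic, sign_tx):
    """Build the Lambda handler. fetch_mnemonic(secret_id) and
    sign_tx(mnemonic, tx) are injected, hypothetical callables."""
    def handler(event, context=None):
        # With AWS_IAM authorization, API Gateway fills requestContext.identity
        # from the SigV4-verified caller; the client cannot set it.
        identity = (event.get("requestContext") or {}).get("identity") or {}
        secret_id = SECRET_BY_ACCOUNT.get(identity.get("accountId"))
        if secret_id is None:
            return _response(403, {"error": "caller is not an onboarded organization"})
        raw = event.get("body") or ""
        try:
            if event.get("isBase64Encoded"):
                raw = base64.b64decode(raw)
            body = json.loads(raw)
        except ValueError:
            return _response(400, {"error": "body must be JSON"})
        tx = body.get("transaction") if isinstance(body, dict) else None
        if not isinstance(tx, dict):
            return _response(400, {"error": "missing transaction object"})
        # Any organization or secret name in the body is ignored on purpose.
        signed = sign_tx(fetch_mnemonic(secret_id), tx)
        return _response(200, {"signedTransaction": signed})
    return handler
```

In a deployment, fetch_mnemonic would wrap the Secrets Manager GetSecretValue call and the function's execution role would be limited to the secrets listed in the mapping.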

Security Considerations

  • AWS IAM Authorization: The API is configured to use AWS IAM for authorization, ensuring that only authenticated and authorized users can access the signing endpoint.
  • HTTPS: All communications with the API Gateway are encrypted using HTTPS.
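  • Lambda Proxy Integration: With AWS_PROXY integration, the full request is passed to Lambda and the full response from Lambda is returned to the client, so nothing is rewritten between the client and the signing logic. API Gateway applies no mapping templates in this mode, which leaves validation of the request body to the Lambda function.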
  • Resource Policy: The API Gateway resource policy is configured to allow access only from specified AWS accounts or IAM users.

Scalability and Performance

  • Auto-scaling: API Gateway and Lambda both auto-scale to handle varying loads, ensuring high availability and performance.
  • Caching: API Gateway offers caching capabilities, which can be enabled if needed to improve performance for repeated requests.
  • CloudWatch Integration: Both API Gateway and Lambda integrate with CloudWatch, allowing for comprehensive monitoring and logging of the service.
  • Throttling: Request rate throttling can be implemented at the API Gateway level to protect the backend systems from traffic spikes.

Monitoring and Logging

  • Access Logs: API Gateway access logs can be enabled to track detailed information about requests made to the API.
  • Execution Logs: Lambda execution logs are automatically stored in CloudWatch Logs, providing insights into function execution.
  • Metrics: Custom metrics can be created in CloudWatch to monitor specific aspects of the API and Lambda function performance.

By leveraging these AWS services and configurations, we've created a secure, scalable, and efficient Ethereum transaction signing service that maintains strict isolation between different organizations while providing a seamless experience for users. The API Gateway serves as a robust front door for the service, handling authentication, request routing, and integration with the Lambda function that performs the actual transaction signing.