Using token based access to make Ethereum API calls to Ethereum nodes in Amazon Managed Blockchain - Amazon Managed Blockchain

The token based access feature is in preview release for Ethereum on Amazon Managed Blockchain and is subject to change. We recommend that you use this feature only with test scenarios, and not in production environments.

You can also use Accessor tokens to make Ethereum API calls to an Ethereum node as a convenient alternative to the Signature Version 4 (SigV4) signing process. You must provide a BILLING_TOKEN from one of the Accessor tokens that you create as a query parameter with the call.

Important
  • If you prioritize security and auditability over convenience, use the SigV4 signing process instead.

  • You can access the Ethereum APIs using Signature Version 4 (SigV4) and token based access. However, if you choose to use both protocols, then any security benefits that are provided by using SigV4 are negated.

  • IAM policies don’t apply to Ethereum API calls. IAM permissions policies only apply to Amazon Managed Blockchain API operations such as creating, deleting, and managing Accessor tokens.

  • Never embed Accessor tokens in user-facing applications.

In the console, the Token Accessors page displays a list of all the Accessor tokens that you can use to make Ethereum API calls to nodes in your AWS account from code on a client. There are separate endpoints for HTTP connections and WebSocket connections.

To learn more about how to make Ethereum API calls using token based access with your Accessor tokens, see:

You can create and manage Accessor tokens using the Ethereum on Managed Blockchain console. You can also create and manage Accessor tokens using the following API operations: CreateAccessor, GetAccessor, ListAccessors, and DeleteAccessor. An Accessor token object is a container that has information that's required for token based access to Ethereum nodes in your AWS account. A billing token is also created when you create an Accessor object. This billing token is used to track your Accessor token for billing Ethereum API requests made to Ethereum nodes in your AWS account.

All API actions related to creating and managing Accessor tokens are available through the AWS CLI and SDKs.

Creating an Accessor token for token based access

You can create an Accessor token and use it to make Ethereum API calls on any Ethereum node in your AWS account.

  1. Open the Managed Blockchain console at https://console.aws.amazon.com/managedblockchain/.

  2. Choose Token Accessors.

  3. Choose New to create a new Accessor token.

aws managedblockchain create-accessor --accessor-type BILLING_TOKEN

The previous command returns the AccessorId along with the BillingToken, as shown in the following example.

{
    "AccessorId": "ac-NGQ6QNKXLNEBXD3UI6XFDIL3VA",
    "BillingToken": "jZlP8OUI-PcQSKINyX9euJJDC5-IcW9e-nm1NyKH3n"
}

The key element in the response is the BillingToken. You can use this property to make Ethereum API calls to your Ethereum nodes.

Note

You can use BillingToken to make Ethereum API calls to all the nodes owned by the AWS account that created the Accessor token.

Viewing Accessor token details

You can view the properties for each Accessor token that your AWS account owns. For example, you can view the Accessor ID or the Amazon Resource Name (ARN) of the Accessor. You can also view the status, the type, the creation date, and the BillingToken.

  1. Open the Managed Blockchain console at https://console.aws.amazon.com/managedblockchain/.

  2. In the navigation pane, choose Token Accessors.

  3. Choose the Accessor ID of the token from the list.

Run the following command to view the details of an Accessor token. Replace the value of --accessor-id with your Accessor ID.

aws managedblockchain get-accessor --accessor-id ac-NGQ6QNKXLNEBXD3UI6XFDIL3VA

The BillingToken and other key properties are returned as shown in the following example.

{
    "Accessor": {
        "Id": "ac-NGQ6QNKXLNEBXD3UI6XFDIL3VA",
        "Type": "BILLING_TOKEN",
        "BillingToken": "jZlP8OUI-PcQSKINyX9euJJDC5-IcW9e-nm1NyKH3n",
        "Status": "AVAILABLE",
        "CreationDate": "2022-01-04T23:09:47.750Z",
        "Arn": "arn:aws:managedblockchain:us-east-1:251534485660:accessors/ac-NGQ6QNKXLNEBXD3UI6XFDIL3VA"
    }
}
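Because the BillingToken is sent as a query parameter and is printed in full by the create-accessor and get-accessor responses, it can leak into request logs and captured CLI output. The scrubber below is an added example, not part of the AWS documentation; the query parameter name billingtoken and the example.invalid host are assumptions, because the page does not give the endpoint format.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# JSON key taken from the create-accessor / get-accessor responses on this page.
SECRET_JSON_KEYS = {"BillingToken"}
# Assumption: query parameter name that carries the token (not given on the page).
SECRET_QUERY_PARAMS = {"billingtoken"}

URL_RE = re.compile(r"\b(?:https?|wss?)://[^\s\"'<>]+")
TOKEN_FIELD_RE = re.compile(r'("BillingToken"\s*:\s*")[^"]*(")')


def redact_json(value):
    """Return a copy of a parsed CLI/SDK response with token values masked."""
    if isinstance(value, dict):
        return {k: REDACTED if k in SECRET_JSON_KEYS else redact_json(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact_json(v) for v in value]
    return value


def redact_url(url):
    """Mask the token query parameter (matched case-insensitively) in a URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SECRET_QUERY_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_line(line):
    """Scrub one free-text log line: HTTP/WebSocket URLs and raw JSON fields."""
    line = URL_RE.sub(lambda m: redact_url(m.group(0)), line)
    return TOKEN_FIELD_RE.sub(r"\g<1>" + REDACTED + r"\g<2>", line)


if __name__ == "__main__":
    # Constructed sample lines; the host is a placeholder, not a real endpoint.
    samples = [
        'POST https://node.example.invalid/?billingtoken=EXAMPLE-TOKEN 200',
        'ws open wss://node.example.invalid/?billingtoken=EXAMPLE-TOKEN',
        '{"AccessorId": "ac-EXAMPLE", "BillingToken": "EXAMPLE-TOKEN"}',
    ]
    for s in samples:
        print(redact_line(s))
```

Apply redact_line in the logging path, for example as a logging filter, so that tokens are masked before records leave the process.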

Deleting an Accessor token

When you delete an Accessor token, the token changes from the AVAILABLE status to the PENDING_DELETION status. You can't use an Accessor token with the PENDING_DELETION status for WebSocket requests or HTTP requests.

Note

WebSocket connections that were initiated while the Accessor token was in AVAILABLE status might remain open for up to 2 hours after they expire. An Accessor token with the PENDING_DELETION status eventually becomes unavailable through GetAccessor calls. Within 48 hours, it also disappears from ListAccessors results.

  1. Open the Managed Blockchain console at https://console.aws.amazon.com/managedblockchain/.

  2. In the navigation pane, choose Token Accessors.

  3. Select the Accessor token that you want from the list.

  4. Choose Delete.

  5. Confirm your choice.

The following example shows how to delete a token with the delete-accessor command. Set the value of --accessor-id to your Accessor ID.

Deleting an Accessor token using the AWS CLI

aws managedblockchain delete-accessor --accessor-id ac-NGQ6QNKXLNEBXD3UI6XFDIL3VA

If this command runs successfully, no messages are returned.