Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
panda-sky
Quickly publish serverless APIs to AWS.
Install panda-sky as a global package, granting you access to the sky executable.
    npm install -g panda-sky
Make sure you have an AWS account, and that you store your credentials at ~/.aws/credentials.
If you don't have an Amazon Web Services (AWS) account currently, stop here, go sign up, get CLI access credentials, and then come back here.
These commands will take you from start to a functioning deployment that you can iterate on.
    mkdir hello-sky && cd hello-sky
    npm init
    sky init
    sky build
    sky publish staging
In about 60 seconds, you will see a message like this:
Your API is online and ready at the following endpoint: https://.execute-api.us-west-2.amazonaws.com/staging
If you direct your browser to https://.execute-api.us-west-2.amazonaws.com/staging/greeting/World, you will see the test message from the API you just deployed. Adding your name to the URL path will change the page, a simple demonstration of dynamic behavior.
You can also view a description of the API by directing a request against the API root, https://.execute-api.us-west-2.amazonaws.com/staging
This is a slightly more detailed walkthrough that includes how to give your application a custom domain and have Panda Sky set up the Route53 routing on your behalf.
    mkdir greeting-api && cd greeting-api
    npm init
    sky init
Panda Sky needs a package.json to anchor your project's dependencies when it gathers them and sends them to AWS to be used within a Lambda. sky init gives you the starter files for a project.
Edit your api.yaml. This file is the authoritative description of your API. Panda Sky uses it to build an API within the API Gateway platform. Each method is mapped to a corresponding Lambda that gets invoked when the method's handler receives an HTTP request.
    resources:
      greeting:
        path: "/greeting/{name}"
        description: Returns a greeting for {name}.
        methods:
          get:
            method: GET
            signature:
              status: 200
              accept: text/html
Add a JavaScript file under src/sky.js:
Lambdas execute JavaScript code compatible with Node 6.10. Lambdas accept context from the corresponding Gateway method's HTTP request. After executing arbitrary code, the result is returned in the callback and sent as the response in the Gateway method.
The code snippet below shows a section of the template code sky init drops into your repo. This method is invoked when the GET method is used in a request against the greeting resource. Edits here affect the API's response.
    API[`${fullName}-greeting-get`] = async( function*(data, context, callback) {
      var message, name;
      name = data.name || "World";
      message = `<h1>Hello, ${name}!</h1>`;
      message += "<p>Seeing this page indicates a successful deployment of your test API with Panda Sky!</p>";
      return callback(null, message);
    });
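The template handler above places data.name, which comes from the request path, directly into a text/html response. As an added example (not Panda Sky's template code), here is the same greeting with the value HTML-escaped first; escapeHtml, safeDecode, renderGreeting and the 64-character cap are names and choices assumed here, as is the possibility that the path segment arrives still percent-encoded.

```javascript
// Added example, not Panda Sky's template: escape the path parameter before
// it is interpolated into the HTML body returned to the browser.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumption: the Lambda may receive the raw, percent-encoded path segment,
// so decode it first and escape the decoded text.
function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (err) {
    return segment; // malformed escape sequence: keep it as literal text
  }
}

function renderGreeting(data) {
  const raw = typeof data.name === "string" && data.name.length > 0 ? data.name : "World";
  const name = escapeHtml(safeDecode(raw).slice(0, 64)); // 64-char cap is arbitrary
  return `<h1>Hello, ${name}!</h1>`;
}

// Same (data, context, callback) contract as the template handler.
function greetingGet(data, context, callback) {
  return callback(null, renderGreeting(data || {}));
}

// Constructed sample inputs: plain text, markup, percent-encoded markup, no name.
const samples = [{ name: "Ace" }, { name: "<b>Ace</b>" }, { name: "%3Cb%3EAce%3C%2Fb%3E" }, {}];
for (const sample of samples) {
  greetingGet(sample, {}, (err, body) => console.log(body));
}
```
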
Panda Sky supports the injection of environment variables into your Lambda's context. These can be accessed from the process Node variable.
They are currently set within api.yaml; however, this may be moved into sky.yaml so they can be set on a per-environment basis.
    variables:
      foobar: This optional value is injected into the Lambda context
sky.js
    var {foobar} = process.env;
Panda Sky comes with helpers to ease development within a Lambda environment:
    # Import Panda Sky Helpers
    {response, s3} = require "panda-sky-helpers"
s3 is a wrapper around the AWS SDK library for S3.
    {get, put, del} = s3 BucketName
    data = yield get "foobar.yaml"
The get, put, and del methods do what they say. They return promises that you can either chain with .then or use with ES6's yield / generator construct. They are very thin wrappers, either succeeding or returning an error directly from the AWS library.
To invoke a given response within a Lambda, use the response class from Panda Sky:
    # Import Panda Sky Helpers
    {response} = require "panda-sky"
    new response.NotFound("Unable to locate the blog post in the database")
    new response.Unauthorized("You must login to access this resource")
    new response.ServiceUnavailable("Try again in 30 minutes")
It takes the form:
    new response.<Response Type>(<Optional message>)
Note that responses must be explicitly defined within the API description.
In order to publish your API to production, you need a domain to publish it to. You need to tell AWS about it and acquire an SSL (TLS) cert.
Add the name of your API and the domain to your sky.yaml file:
This file tracks the overall configuration for your app. Panda Sky divides configuration between "environments" to group related config within one CLI target. It allows you to switch your environment target without repeatedly editing this file.
The cache stanza holds configuration for CloudFront distributions, which provide both edge caching for your API responses and custom domain assignment.
Please note that setting up a distribution is time-intensive. It can take 15-30 minutes to set up and sync your allocation across AWS's global constellation of edge servers.
    name: greeting
    description: Greeting API
    aws:
      runtime: nodejs6.10
      domain:
        - greeting.com
      region: us-west-2
      environments:
        staging:
          hostnames:
            - staging-api
        production:
          hostnames:
            - api
          cache:
            expires: 1800
            priceClass: 100
Publish your lambdas and their associated Gateway.
    sky publish staging
Your environment's custom domain is treated as a separate resource. Publishing it will take a while (~30 minutes), but Sky (and AWS) are doing a lot for you. In addition to a custom domain with TLS termination, CloudFront is synchronizing an edge cache among servers deployed across the planet.
    curl https://staging-api.greeting.com/greeting/Ace
    Hello, Ace!
Panda Sky is in beta.
FAQs
Quickly publish serverless applications in the cloud.
We found that panda-sky demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.