Amazon SimpleDB for Windows Phone Part 3 — Token Vending Machine

One important aspect of accessing SimpleDB on a Windows Phone directly is that it isn’t going through another service that can handle securing the credentials needed to access SimpleDB. SimpleDB, like most (if not all) AWS services, requires two pieces of information to secure a request of the service: AWS Access Key ID and Secret Key. These are two pieces of data that I would rather not put on a device that people carry around with them. Amazon agrees.

Amazon has something called the AWS Security Token Service (STS) and a reference application called the Token Vending Machine (TVM). The STS can provide temporary credentials in place of the actual credentials of an AWS account. These credentials can be tailored to provide specific access to specific services and resources and most importantly are time limited. They expire and not a moment too soon. But to use the STS, a web service like the TVM is needed to accept connections and hand out the temporary credentials.

I’m Being Cheap
My goal for this experiment was to provide a multiuser experience without having to put up any money or worry about running any servers. At least until I could see how the app was paying for itself and how resource intensive the app is. Microsoft’s Azure was my first choice as I have a lot of experience with SQL Server, ASP.NET, etc. However, even with the smallest instance type, Azure costs money. I’m not in the BizSpark program, so I don’t have any free hours available to me. So Azure is out.

My second option was to get a cheap hosting account and do something similar to Azure, just in a shared hosting environment; a MVC web service to a SQL Server backend. But even this option costs more money than I wanted to put out. I really wanted to spend $0 on this both now and in the months to come. (I’m not including my time in the cost calculation. Clearly.)

Looking over Amazon’s Elastic Compute Cloud (EC2) product, I found that they have a 1 year offer for a free tier. Here’s what that free tier comes with:

  • 750 hours of EC2 running Linux/Unix Micro instance usage
  • 750 hours of Elastic Load Balancing plus 15 GB data processing
  • 10 GB of Amazon Elastic Block Storage (EBS) plus 1 million IOs and 1 GB snapshot storage
  • 15 GB of bandwidth out aggregated across all AWS services
  • 1 GB of Regional Data Transfer
No Windows in sight. Boorah. At this point, I started to resign myself to either spending some money or moving outside of my comfort zone. Looking over the TVM application, I noticed that this is deployed using the AWS Elastic Beanstalk and can run in a micro linux/unix instance. SimpleDB usage is free for the amount of data that this app will use and Elastic Beanstalk itself doesn’t cost any money. The resources you use to run the application are what costs money, ie. EC2.
Getting the TVM Going
The TVM reference application is a web service written in Java running on Tomcat. I hadn’t used Java since 1999, but I use C# daily so I wasn’t completely out of my element. I agreed that this could be a good way to meet my goals for the application and, hey, I’d probably learn something. The installation instructions for the TVM are great. Following them was a breeze and in no time I had a TVM running on a micro EC2 instance in the cloud. For free.

The TVM has two modes for retrieving temporary credentials: Anonymous and Identity. In my case, Anonymous was the mode I wanted to use as the app I’m using it on does not span devices. I only care about the device itself being able to get credentials. Communicating with the TVM in anonymous mode is a 3 step process as shown in Amazon’s diagram:

First the device is registered with the TVM, then if there are no credentials or existing credentials have expired, the TVM is asked for a new set of credentials. The TVM will then send back a set of encrypted credentials (I’ll go over the encryption in Part 4). Again, Fiddler came in very handy debugging this part of the process. One of the first things I learned how to do was to check the logs of the application.

Screenshot of the TVM application showing how to get the logs.When debugging the TVM application, this is the first line of defense. Check the logs to see what errors the application is throwing.

Once the app is getting valid credentials, those credentials are sent to SimpleDB in a different way than with known static credentials. On page 24 of the Amazon SimpleDB Developer Guide (PDF), Amazon explains how the request will differ from a “standard” one:

Format of how a temporary credential request is formed against SimpleDB.

The request is similar to a standard request. There’s still an AWSAccessKeyId, but this one is the temporary one sent back from the TVM. Additionally, instead of signing the request with a known secret key, the request is signed with the SecretKeyId sent from the TVM. Those parts are essentially the same, but also needed is the Security Token retrieved from the TVM. Beyond sending these pieces of information, the request to SimpleDB is the same. The rest of the SimpleDB access code doesn’t change.

Amazon currently provides an AWS Android SDK and an AWS iOS SDK that include samples of how to communicate with the reference TVM. As I said in Part 1, they don’t have a WP7 SDK. Having the Android SDK is good for reference purposes and to see how the system is supposed to work in a mobile environment.

I’ll get into some code in Part 4, but this serves as a general overview of the Token Vending Machine and how I intend on interacting with it on Windows Phone.

Missed the rest of the series? Check ‘em out:

Amazon SimpleDB for Windows Phone Part 1 – Signature Amazon SimpleDB for Windows Phone Part 2 — Using Fiddler