A Better (?) AWS Serverless Notebook

I think using Lambdas does not make sense, as Observable is already a JavaScript environment and IDE. I think a native solution is better. Now that the secrets story is done, it is possible to use the AWS SDK authenticated with secret credentials, sorta in the same notebook.

AWS was much easier than GCP, as it turns out. GCP client libraries don’t work in the browser, but a good number of AWS ones do. I guess the blessed GCP library for the browser is Firebase, which honestly is the easiest of all of them.


I also did it a slightly different way with the notebook connecting to AWS directly but getting a token from the backend.


The other advantage of that one was the endpoint was secured with an Argon2 password hash, which is quite an easy layer of security to add.

I have refined my thinking with AWS. With resource tagging + user tags, you can express per-user or per-project isolation in an S3 bucket dynamically. This gives you an attribute-based, fine-grained permission model without requiring API Gateway. It pairs well with the above techniques for credential management.

I have now published an AWS helper notebook that wraps the AWS browser SDK with methods for creating users and tagging them, as well as creating S3 objects and tagging them. I hope it helps others add persistence to their notebooks. This permissions model of a tagged user would suit internal tools, where the number of IAM users is bounded (the AWS IAM user limit is 5000).

https://observablehq.com/@tomlarkworthy/aws

(BTW this work was a byproduct of a commercial engagement. So we should all abstractly thank the client for letting me release this stuff into the commons)
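The tag-based isolation described in the post above, as an added example rather than code from the linked notebook: a function that generates the IAM inline policy scoping a user's S3 reads and writes to objects whose `project` tag matches the user's own `project` tag, plus the input shape for attaching it with the SDK. The tag key, bucket name and user name are placeholders.

```javascript
// Added example (not from the linked notebook): IAM inline policy confining a
// tagged IAM user to S3 objects carrying the same tag value. Assumes tag key
// "project" on both the user and the objects; bucket/user names are placeholders.

// IAM substitutes ${aws:PrincipalTag/<key>} with the caller's own tag value at
// evaluation time, so one policy document serves every tagged user.
function tagIsolationPolicy(bucket, tagKey = "project") {
  const objects = `arn:aws:s3:::${bucket}/*`;
  const principalTag = "${aws:PrincipalTag/" + tagKey + "}"; // literal, not interpolated
  return {
    Version: "2012-10-17",
    Statement: [
      {
        // Reads: the object's existing tag must equal the user's tag.
        Sid: "ReadOwnProjectObjects",
        Effect: "Allow",
        Action: ["s3:GetObject", "s3:GetObjectTagging"],
        Resource: objects,
        Condition: { StringEquals: { ["s3:ExistingObjectTag/" + tagKey]: principalTag } },
      },
      {
        // Writes: the tag sent with the request must equal the user's tag, so a
        // user cannot create objects that belong to another project.
        Sid: "WriteOwnProjectObjects",
        Effect: "Allow",
        Action: ["s3:PutObject"],
        Resource: objects,
        Condition: { StringEquals: { ["s3:RequestObjectTag/" + tagKey]: principalTag } },
      },
      {
        // No retagging: an object cannot be moved across project boundaries.
        Sid: "NoRetagging",
        Effect: "Deny",
        Action: ["s3:PutObjectTagging", "s3:DeleteObjectTagging"],
        Resource: objects,
      },
    ],
  };
}

// Input for PutUserPolicyCommand (@aws-sdk/client-iam); the document is a string.
function putUserPolicyInput(userName, bucket, tagKey = "project") {
  return {
    UserName: userName,
    PolicyName: `s3-${tagKey}-isolation`,
    PolicyDocument: JSON.stringify(tagIsolationPolicy(bucket, tagKey)),
  };
}
```

PutObject is evaluated against the tag in the request, not the tag on an object it overwrites, so pair this with per-project key prefixes or bucket versioning if cross-project overwrites matter. Listing (s3:ListBucket) cannot be filtered by object tag at all, so a prefix convention is also what keeps one project's key names from being visible to another.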
