Support long-term service token

[victorskl]

Context:

So far, we have:

• short-lived JWT for PAT (personal access token) through Portal UI -- ditto JWT Authorizer
• bulit-in IAM which required Signature v4 singed request -- ditto IAM Authorizer

Use Cases:

• Need longer-live access token or API key, especially service-to-service integration for downstream app automation

Actions:

• Find a solution

Hint: we could already made use of "refresh token" from Cognito JWT authorizer issuer. Read OAuth Refresh Token. If going this route, then changes might be just needed at Portal UI; which already with Amplify library and, just need way (a view) to exposing it.

[victorskl]

This is on-hold for 3 reasons:

• Using Cognito Refresh Token makes Portal need to track the issued refresh token; in order to facilitate token revocation (i.e. to invalidate already issued tokens). Doable but a bit of overhead. We should implement it when it worths to back the out-of-band use cases need.
• As an alternative, we have introduced /iam/ mirrored endpoints for those App that deployed within our AWS accounts to be able to consume Portal APIs AWS-natively.
• Portal CLI or umccr CLI would be another alternate for local interactive use case -- whereas
  • umccr portal login to facilitate Cognito OAuth login flow;
  • then follow by umccr portal token new and umccr portal token details
  • etc.. see relevant Trello card for more discussion

[victorskl]

So far, /iam solution that comes with #378 work well.
Usage is documented in Portal doc as well.
https://github.com/umccr/data-portal-apis/tree/dev/docs

Peter find that curl is also supporting aws-sigv4 signing.

Some examples as follows.

Login

export AWS_PROFILE=prod
aws sso login

Export tokens

yawsso -p prod -e | yawsso decrypt | source /dev/stdin

Export region

export AWS_REGION=ap-southeast-2

Then, curl like so:

curl -s --request GET \
  "https://api.portal.prod.umccr.org/iam/lims?subject_id=SBJ01651" \
  --aws-sigv4 "aws:amz:${AWS_REGION}:execute-api" \
  --user "${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}" \
  --header "x-amz-security-token: ${AWS_SESSION_TOKEN}" \
  --header 'Accept: application/json' | jq

curl -s \
  "https://api.portal.prod.umccr.org/iam/workflows?end_status=Succeeded&rowsPerPage=2&type_name=bcl_convert" \
  --aws-sigv4 "aws:amz:${AWS_REGION}:execute-api" \
  --user "${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}" \
  --header "x-amz-security-token: ${AWS_SESSION_TOKEN}" \
  --header 'Accept: application/json' | jq 

---

Or, use awscurl like so:

pip install awscurl

awscurl -H "Accept: application/json" --profile prod --region ap-southeast-2 "https://api.portal.prod.umccr.org/iam/workflows?rowsPerPage=2&type_name=bcl_convert&end_status=Succeeded" | jq

---

Hence, we use this as acceptable solution for now, without needing any specific API key or so.

Closing.