External

25 Jan 2022

External Nodes are computationally remote from the EchoStream Cloud, and how you assign compute resources is completely up to you (e.g. k8s pods, Docker containers, VMs, systemd, etc.). They can be used when your use case either doesn't know the implementation specifics or your implementation requirements don't fit into the Managed Node paradigm. For example, if you needed to allow a business partner to participate in your Tenant, you might create an External App/External Node to allow them to do this, without specifying exactly how they had to implement that External App/External Node.

External Nodes can be created in two kinds of Apps; External Apps and Cross Account Apps. See those Apps for details about their use and use cases.

External Nodes can be implemented in any language that you choose.

Python

EchoStream provides a Python package, echostream-node, to aid in implementations that use Python. This package does all of the administrative work for you, allowing you to focus on implementing the business logic of your Node. Using this package is best-practice for Python implementations, and is the method that EchoStream uses internally.

Other languages

If you choose a language other than Python, you must use your containing App User's credentials to obtain a JWT from EchoStream's Cognito IDP to enable access for your Node to the EchoStream API. How you accomplish this will be language/AWS SDK dependent.

Accessing the EchoStream resources

Once you have successfully logged in and obtained your JWT, the way that you access your External Node's EchoStream resources is dependent upon the type of App that your Node is executing in.

External Nodes in an External App

When your External Node is part of an External App, all access to your Node's EchoStream resources comes from temporary AWS Credentials acquired by calling your App's ExternalApp.GetAwsCredentials API method. When you obtain your temporary AWS Credentials, you can specify a duration for those credentials between 900 seconds (15 minutes) and 43,200 seconds (12 hours). If not specified, your credentials will be valid for 3,600 seconds (1 hour).

NOTE - While you can specify 900 seconds, many of the AWS SDKs force a refresh when the credential expiration is less than or equal to 15 minutes in the future, meaning you will always be retrieving new credentials!

Your implementation must then use those credentials to obtain a session with AWS and use that session to access your Node's EchoStream resources.

NOTE - Your AWS credentials will expire, and you must track this and refresh them. Some of the AWS SDKs provide a mechanism to dynamically refresh credentials; the exact mechanism is SDK specific.
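The expiry bookkeeping described above, as an added example in Python (not code from EchoStream's documentation or the echostream-node package): a small credential manager that validates the requested duration, caches the credentials, and refreshes them once expiry is 15 minutes or less away, which also shows why a 900-second duration leads to a refresh on every use. The `fetch` callable stands in for a call to ExternalApp.GetAwsCredentials; `FakeClock` and `FakeCredentialApi` are constructed stand-ins so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

MIN_DURATION, MAX_DURATION, DEFAULT_DURATION = 900, 43_200, 3_600  # seconds, per the API limits
SDK_REFRESH_WINDOW = timedelta(minutes=15)  # many AWS SDKs refresh at <= 15 min to expiry


@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware UTC


class CredentialManager:
    """Caches temporary credentials, tracks their expiry and refreshes ahead of time."""

    def __init__(self, fetch: Callable[[int], AwsCredentials], duration: Optional[int] = None,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.duration = DEFAULT_DURATION if duration is None else duration
        if not MIN_DURATION <= self.duration <= MAX_DURATION:
            raise ValueError(f"duration must be {MIN_DURATION}-{MAX_DURATION} seconds")
        self._fetch, self._now, self._creds = fetch, now, None

    def needs_refresh(self) -> bool:
        # Same rule the SDKs apply: refresh once 15 minutes or less remain.
        return self._creds is None or self._creds.expiration - self._now() <= SDK_REFRESH_WINDOW

    def get(self) -> AwsCredentials:
        if self.needs_refresh():
            self._creds = self._fetch(self.duration)  # hypothetical stand-in for GetAwsCredentials
        return self._creds


class FakeClock:
    """Constructed clock so the example is deterministic."""
    def __init__(self) -> None:
        self.t = datetime(2022, 1, 25, tzinfo=timezone.utc)
    def now(self) -> datetime:
        return self.t
    def advance(self, seconds: int) -> None:
        self.t += timedelta(seconds=seconds)


class FakeCredentialApi:
    """Constructed stand-in for the API call; counts how often credentials were issued."""
    def __init__(self, clock: FakeClock) -> None:
        self.clock, self.calls = clock, 0
    def __call__(self, duration: int) -> AwsCredentials:
        self.calls += 1
        return AwsCredentials("ASIA_CONSTRUCTED", "secret", f"token{self.calls}",
                              self.clock.now() + timedelta(seconds=duration))
```

With a real SDK the same `fetch` can be wired into its refreshable-credentials mechanism; the manager above only shows the timing rule.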

External Nodes in a Cross Account App

When your External Node is part of a Cross Account App, access to your Node's EchoStream resources is split. Cross Account Apps exist to provide a more intimate tie-in to your AWS account in order to allow for event-driven system architecture. To do this, EchoStream provides you with cross-account IAM permissions to access your Node's Edges and the KmsKeys that encrypt them. Your External Node's Cross Account App provides an IAM policy via the CrossAccountApp.iamPolicy attribute that you may use to enable resources in your AWS account that wish to be driven by messages arriving on your Edge.

NOTE - You must use the provided IAM policy or something similar to access your Node's Edges and KmsKeys, as Cross Account Apps provide no other access mechanism.

Normally, External Nodes in a Cross Account App will be implemented as AWS Lambda functions, but any AWS compute resource can be used.

For all other resources (i.e. access to your Tenant's table), use the AWS credentials provided by CrossAccountApp.GetAwsCredentials. This is exactly the same as if your External Node were part of an External App.
