
Comments (15)

marczis commented on September 13, 2024 4

With cognito user pool I managed to use it like this: (no swagger here)

"Authorizer": {
  "Type": "AWS::ApiGateway::Authorizer",
  "Properties": {
    "Type": "COGNITO_USER_POOLS",
    "IdentitySource": "method.request.header.Auth",
    "Name": "MagicAuthorizer",
    "ProviderARNs": ["arn:aws:cognito-idp:eu-west-1:<ACCOUNT ID>:userpool/<POOL NAME>"],
    "RestApiId": {
      "Ref": "ServerlessRestApi"
    }
  }
}

so ProviderARNs is basically the arn of the userpool.
The only trick is the RestApiId, which is "generated" when transforming serverless function to cloudformation. I guess it will be always ServerlessRestApi.

Hope it helps someone.

edit: forum motor messes up the "code" section, I don't know why... but it's JSON, so you can copy... :/
edit2: because I'm lame, that's why. Fixed.

from serverless-application-model.

marczis commented on September 13, 2024 4

Also I hit the next wall: I can't assign this to the methods, as the serverless function does not support authorizer? Or do I miss something here?

from serverless-application-model.

sanathkr commented on September 13, 2024 1

Check out /examples/2016-10-31/api_swagger_cors for an example of how to use Swagger with SAM API

from serverless-application-model.

mparaz commented on September 13, 2024 1

I have Authorization working by specifying it in Swagger.
The tricky part is that it's necessary to explicitly permit it to be invoked by API Gateway. I used:

AuthorizerFunctionLambdaPermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Ref Authorizerfunction
    Action: lambda:InvokeFunction
    Principal: apigateway.amazonaws.com

When I add an event to the authorizer function, to let SAM automatically create the Permission, it looks like the permission isn't granted. I did:

AuthorizerFunction:
  Type: AWS::Serverless::Function
  Properties:
    Events:
      AuthorizerApiRoot: 
        Properties:
          Method: GET
          Path: /
          RestApiId: !Ref ApiGatewayApi
        Type: Api
    Handler: authorizer.handler
    Role: arn:aws:iam::570723136177:role/LambdaExecutionRole
    Runtime: nodejs4.3

But when I try this, in CloudWatch I see Invalid permissions on Lambda function.
I do see the permission created in CloudFormation.

from serverless-application-model.

beknal commented on September 13, 2024 1

I think the issue seems to be replacing the dynamically generated Lambda function name in the swagger.yml file
uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:*********78:function:${stageVariables.LambdaFunctionName}/invocations

Works fine if we replace the generated function name manually.

from serverless-application-model.

dinvlad commented on September 13, 2024

I think this can be done through the Swagger template, just add the following sections, the first one either at the top level of the file, or for individual resources:

security:
  - sigv4: []
securityDefinitions:
  sigv4:
    type: "apiKey"
    name: "Authorization"
    in: "header"
    x-amazon-apigateway-authtype: "awsSigv4"

Also if you want a custom authorizer, try configuring it via the Console, then export the Swagger file with AWS extensions. The relevant sections will be in that file.

from serverless-application-model.

mparaz commented on September 13, 2024

Now it stopped working. Using the API Gateway Authorizers console test:

Execution log for request test-request
Fri Dec 09 07:06:27 UTC 2016 : Starting authorizer: h2ur54 for request: test-request
Fri Dec 09 07:06:27 UTC 2016 : Incoming identity: testing123
Fri Dec 09 07:06:27 UTC 2016 : Execution failed due to an internal error
Fri Dec 09 07:06:27 UTC 2016 : Internal server error

When I type in the actual function name in the box and confirm giving the permissions, it works.

from serverless-application-model.

deathbob commented on September 13, 2024

@sanathkr I have enabled IAM auth on my resource but it doesn't seem to enable auth on the stage, which makes the API still publicly accessible. What am I doing wrong?

---
swagger: "2.0"
basePath: "/Prod"
schemes:
  - "https"
paths:
  /report:
    get:
      x-amazon-apigateway-auth:
        type: aws_iam
      responses: {}
      x-amazon-apigateway-integration:
        type: "aws_proxy"
        uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:<<my account id>>:function:${stageVariables.LambdaFunctionName}/invocations"
        passthroughBehavior: "when_no_match"
        httpMethod: "POST"
info:
  version: "1.0"
  title: "dev-reporting-test"

from serverless-application-model.

deathbob commented on September 13, 2024

Ah got it, as @dinvlad stated above. Not well documented anywhere I could find.

---
swagger: "2.0"
basePath: "/Prod"
schemes:
  - "https"
paths:
  /report:
    get:
      responses: {}
      security:
        - sigv4: []
      x-amazon-apigateway-integration:
        type: "aws_proxy"
        uri: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:<< account id >>:function:${stageVariables.LambdaFunctionName}/invocations"
        passthroughBehavior: "when_no_match"
        httpMethod: "POST"
info:
  version: "1.0"
  title: "dev-reporting-test"
securityDefinitions:
  sigv4:
    type: "apiKey"
    name: "Authorization"
    in: "header"
    x-amazon-apigateway-authtype: "awsSigv4"


from serverless-application-model.

dinvlad commented on September 13, 2024

@deathbob, these are from the docs at http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions.html#api-gateway-swagger-extensions-authtype and http://swagger.io/specification/#securityRequirementObject

from serverless-application-model.

dinvlad commented on September 13, 2024

Btw security: - sigv4: [] can be enabled globally by specifying it at the root of the document, if that's what you'd like: http://swagger.io/specification/#swaggerObject

from serverless-application-model.
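Added example, not part of the thread or of the SAM project: a pre-deploy check for the failure described above, where an operation ends up with no effective `security` requirement and the API stays public. It assumes the Swagger 2.0 document is already loaded as a dict; the function name and the sample documents are constructed here, and only `security` requirements are inspected.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def audit_swagger_auth(doc):
    """Return (open_ops, undefined_refs) for a Swagger 2.0 document given as a dict."""
    definitions = doc.get("securityDefinitions", {})
    root_security = doc.get("security", [])
    open_ops, undefined_refs = [], []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level "parameters" and "x-..." keys
            # Operation-level security overrides the root; [] switches it off.
            effective = op["security"] if "security" in op else root_security
            if not effective:
                open_ops.append((method.upper(), path))
            for requirement in effective:
                for scheme in requirement:
                    if scheme not in definitions:
                        # Requirement names a scheme that is never defined.
                        undefined_refs.append((method.upper(), path, scheme))
    return open_ops, undefined_refs

# Constructed inputs mirroring the two /report documents posted in the thread.
BEFORE = {
    "swagger": "2.0",
    "paths": {"/report": {"get": {
        "x-amazon-apigateway-auth": {"type": "aws_iam"},
        "responses": {}}}},
}
SIGV4 = {"type": "apiKey", "name": "Authorization", "in": "header",
         "x-amazon-apigateway-authtype": "awsSigv4"}
AFTER = {
    "swagger": "2.0",
    "paths": {"/report": {"get": {"responses": {}, "security": [{"sigv4": []}]}}},
    "securityDefinitions": {"sigv4": SIGV4},
}
# Root-level requirement, with one constructed operation opting out via [].
GLOBAL = {
    "swagger": "2.0",
    "security": [{"sigv4": []}],
    "paths": {"/report": {"get": {"responses": {}}},
              "/health": {"get": {"responses": {}, "security": []}}},
    "securityDefinitions": {"sigv4": SIGV4},
}

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER), ("global", GLOBAL)):
        print(name, audit_swagger_auth(doc))
```
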

sanathkr commented on September 13, 2024

Closing this in favor of #49 as a feature request to add custom authorizers to implicit APIs

from serverless-application-model.

gergnz commented on September 13, 2024

It seems you can reference your Authorizer @marczis in swagger e.g.:

...
          "paths": {
            "/services/rest/acls/{entityId}": {
              "patch": {
                "description": "do stuff.",
                "consumes": [
                  "application/json"
                ],
                "parameters": [],
                "responses": {},
                "security": [
                  {
                    "MagicAuthorizer": []
                  }
                ],
...

at least that's the export, but I can't seem to get it to work when deploying. Also noted that sam/cloudformation completely removed the APIGW Authorizer if I updated the inline swagger.

Not sure if this is a new bug, or I should re-open this one.

from serverless-application-model.

gergnz commented on September 13, 2024

Spoke too soon: removing the CloudFormation and adding it to the Swagger resolves my issues:

      securityDefinitions: {
        'MagicAuthorizer': {
          type: 'apiKey',
          name: 'Authorization',
          in: 'header',
          'x-amazon-apigateway-authtype': 'cognito_user_pools',
          'x-amazon-apigateway-authorizer': {
            providerARNs: [
              FnGetAtt(:cognitopool, 'Arn')
            ],
            type: 'cognito_user_pools'
          }
        }
      },

from serverless-application-model.

sparrowt commented on September 13, 2024

See #546 which recently added support for Auth property on explicit/implicit Api resources, (see also api_lambda_*_auth examples here https://github.com/awslabs/serverless-application-model/tree/develop/examples/2016-10-31/)

from serverless-application-model.
