apigateway: Can't set default authorization scopes when adding a proxy to a resource #29781
Assignees
Labels
@aws-cdk/aws-apigateway
Related to Amazon API Gateway
@aws-cdk/aws-lambda
Related to AWS Lambda
bug
This issue is a bug.
effort/medium
Medium work item – several days of effort
p1
Comments
David-Jacobsen
added
bug
pahud
changed the title
github-actions
bot
added
the
@aws-cdk/aws-apigateway
|
I was not able to deploy this stack export class DummyStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps) {
super(scope, id, props);
// create a cognito user pool
const userPool = new cognito.UserPool(this, "UserPool", {
selfSignUpEnabled: true,
signInAliases: {
email: true,
},
});
const authorizer = new agw.CognitoUserPoolsAuthorizer(this, "Authorizer", {
cognitoUserPools: [userPool],
});
const api = new agw.RestApi(this, "Actions-ApiGateway", {
defaultCorsPreflightOptions: {
allowOrigins: agw.Cors.ALL_ORIGINS,
maxAge: Duration.days(10)
},
});
const root = api.root;
const sendResource = root.addResource(`InitiateAction`)
// prepare a dummy lambda function
const dummyhandler = getLambdaFunction(this);
const sendLambdaIntegration = new agw.LambdaIntegration(dummyhandler);
const sendProxy = sendResource.addProxy({
defaultIntegration: sendLambdaIntegration,
anyMethod: true,
defaultMethodOptions: {
authorizer: authorizer,
authorizationType: agw.AuthorizationType.COGNITO,
authorizationScopes: [`scope`],
},
defaultCorsPreflightOptions: {
allowOrigins: agw.Cors.ALL_ORIGINS,
allowMethods: agw.Cors.ALL_METHODS
}
})
}
}Error msg:
The synthesized template is having the resource which I believe is the root cause "ActionsApiGatewayInitiateActionproxyOPTIONS041B022A": {
"Type": "AWS::ApiGateway::Method",
"Properties": {
"ApiKeyRequired": false,
"AuthorizationScopes": [
"scope"
],
"AuthorizationType": "NONE",
"HttpMethod": "OPTIONS",
"Integration": {
"IntegrationResponses": [
{
"ResponseParameters": {
"method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
"method.response.header.Access-Control-Allow-Origin": "'*'",
"method.response.header.Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'",
"method.response.header.Access-Control-Max-Age": "'864000'"
},
"StatusCode": "204"
}
],
"RequestTemplates": {
"application/json": "{ statusCode: 200 }"
},
"Type": "MOCK"
},
"MethodResponses": [
{
"ResponseParameters": {
"method.response.header.Access-Control-Allow-Headers": true,
"method.response.header.Access-Control-Allow-Origin": true,
"method.response.header.Access-Control-Allow-Methods": true,
"method.response.header.Access-Control-Max-Age": true
},
"StatusCode": "204"
}
],
"ResourceId": {
"Ref": "ActionsApiGatewayInitiateActionproxyDD433460"
},
"RestApiId": {
"Ref": "ActionsApiGatewayF80386B7"
}
},
"Metadata": {
"aws:cdk:path": "dummy-stack/Actions-ApiGateway/Default/InitiateAction/{proxy+}/OPTIONS/Resource"
}
},For some reasons, cdk is adding It's not easy to work it around. Making this a p1 bug. |
pahud
added
p1
effort/medium
This was referenced Apr 15, 2024
1 task
mergify bot
pushed a commit
that referenced
this issue
May 10, 2024
…ognito (#30035) ### Issue # (if applicable) Closes #29781 ### Reason for this change Authorization scope is set even when the auth type is None. This will cause deployment failure >12:52:11 PM | CREATE_FAILED | AWS::ApiGateway::Method | ActionsApiGatewayI...oxyOPTIONS041B022A Resource handler returned message: "Invalid Method authorization type specified. Authorization Scopes are only valid for COGNITO_USER_POOLS authorization type (Servic e: ApiGateway, Status Code: 400, Request ID: f9c6357b-428e-42a8-884c-07b77939d165)" (RequestToken: bb8de2e9-37b7-ca15-9bd8-547bc7eea134, HandlerErrorCode: InvalidRequ est) ### Description of changes Check when auth type is not Cognito, set auth scope to none. Not a breaking change because original templates cannot deploy. ### Description of how you validated changes All existing and new tests pass. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
When trying to add a Proxy to a Resource, you can't set the default authorization scopes because it attempts to set the authorization scopes to the OPTIONS method despite the OPTIONS method intentionally not having any authorizer.
This works, and creates an InitiateAction resource with a proxy using the Cognito Authorizer as the authorizer. But if I uncomment the authorizationScopes line then it fails because it tries to assign the authorizationScopes to the OPTIONS method.
Expected Behavior
default authorization scopes are only applied to non-OPTIONS methods
Current Behavior
default authorization scopes are applied to all methods, including OPTIONS, which causing the deployment to fail.
Reproduction Steps
Possible Solution
The generated cloud formation template shouldn't attempt to apply authorization scopes to the OPTIONS method.
Additional Information/Context
No response
CDK CLI Version
2.134.0 (build 265d769)
Framework Version
No response
Node.js Version
v18.19
OS
Mac OS 13.5.2 (22G91)
Language
TypeScript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: