[aws-apigateway] impossible to remove default method authorization #8827
Comments
erik-sab
added
bug
github-actions
bot
added
the
@aws-cdk/aws-apigateway
nija-at
added
p2
and removed
needs-triage
nija-at
changed the title
|
It does seem like we don't handle the aws-cdk/packages/@aws-cdk/aws-apigateway/lib/method.ts Lines 182 to 186 in 31d6e65 |
|
I’ve also noticed a similar issue trying to set I think || should be ??
|
IMHO it is not so simple, as we need to distinguish when Probably should be something like: Only not sure what is current default for |
|
@erik-telesoftas Hey I’m not sure I follow, that’s what ?? does, right? |
|
@mattsenior absolutely right, probably fool moon on top of my JS syntax ignorance ;) |
|
Of possibly related trouble is the inability to instruct a particular method not to use an authorizer, once defaultMethodOptions is set @nija-at |
|
Hi @nija-at, will there be any progress on this issue soon? As a workaround one could write an aspect that removes the authorizer from certain methods. Not beautiful, but would work. const excludedMethodIds: Method[] = [];
const aspect: IAspect = {
visit(node: IConstruct): void {
if (
node instanceof CfnMethod
&& !excludedMethodIds.find((rid) => rid === node.resourceId)
) {
delete node.authorizerId;
node.authorizationType = AuthorizationType.NONE;
}
},
};
Aspects.of(myStack).add(aspect); |
|
This issue (the |
|
facing the same issue as well with IAM: this is the part of code that does the check: and this is the test that covers it: I'm trying to understand the reason of enforcing all route to use the "default authorizer" while API Gateway does allow to have a route that uses Cognito and another one that uses IAM (eg. for internal services for example). I think the only check that makes sense to do is the one covered by this other test: |
|
Hello from 2023, I have the same problem :) |
|
@rix0rrr given this one is coming up on 3 years old it could probably use some eyeballs if just for confirmation. |
|
same |
RestApi has the ability to set the apiKeyRequired option for all methods via defaultMethodOptions. Setting this option on a method should override the value set in defaultMethodOptions, but it doesn't work. This commit fixes the behaviour and adds a test. Mentioned in aws#8827
|
@mattsenior @markcarroll submitted a PR for the apiKeyRequired here #25682.
|
RestApi has the ability to set the apiKeyRequired option for all methods via defaultMethodOptions. Setting this option on a method should override the value set in defaultMethodOptions, but it doesn't work. This commit fixes the behaviour and adds a test. Mentioned in #8827 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This didn't work for me. In the end, I had to set my API root's default authorization type to @nija-at: is there any plan to fix this? |
|
Hi @cupid-dev - I no longer work for the AWS CDK. Someone from the team will respond to you in due time. |
|
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue. |
|
Any updates on this issue? |
|
As a workaround, you can use the CDK -> CloudFormation escape hatch. In Python, that looks like this: More details at #29658 |
|
+1 |
|
Doing this removes the authorizer for every route though. AWS CDK is the worst, very little documentation, very little support. This issue has been activer since July 2020???? |
### Issue # (if applicable) Closes #8827. ### Reason for this change Customers could not override the authorizer defined in the default method configuration if they want to set the authorization type to None. ### Description of changes If the customer set the authorization type to None while creating a new method, we will not use the authorizer value defined in the default configuration and instead we will set it to undefined. ### Description of how you validated changes added unit, and integration test cases. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
### Issue # (if applicable) Closes aws#8827. ### Reason for this change Customers could not override the authorizer defined in the default method configuration if they want to set the authorization type to None. ### Description of changes If the customer set the authorization type to None while creating a new method, we will not use the authorizer value defined in the default configuration and instead we will set it to undefined. ### Description of how you validated changes added unit, and integration test cases. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
It seems not possible to remove authorization for API Gateway methods if it is defined in
defaultMethodOptionsonRestApilevel.Reproduction Steps
First I create RestApi Gateway (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html) with custom authorizer set by default for all methods:
And then in resources stack I try to create documentation Method (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.Method.html) with security disabled:
Error Log
Environment
Other
It is still possible to override these setting as described in #8615
and then stack is created with correct Method-level security settings.
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: