New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS API Gateway: Lack of support for CF intrinsic functions at functions[].events[].http.authorizer.arn
#3212
Comments
Similar issue: Other project that want to use that authorizer
This yields the same problem as the naming cannot be determined from this. Only other option is to hardcode the ARN for now. |
@eahefnawy @pmuens This is a similar issue as the arn parsing in the stream arns. I think we need a general arn parser function somewhere that is capable to I suggest to have one parseArn() function in serverless.utils that would be used from everywhere. In my plugin I used a very generic function for that:
Given a root object (in this case the arn: object) it will return an array of all contained references (including those contained within GetAtt) with their path. You can use _.get(root, refPath) to access the ref object or just use the returned refs (which are the logical resource ids). Can someone link the other issue as related here? |
@HyperBrain love the idea of having a central ARN parser! What do you think about opening up a separate issue for this. Or should we rename this one? This implementation will also be affected by the ARN parser: #3111 (comment) |
@pmuens I think we should open a separate issue and link all existing arn parser exception issues there. Then it is clear for every single issue that it will be handled centrally. |
Link to #3212 (comment) as the s3 event bucket specification could also be a generic ARN as an alternative to create the bucket implicitly. This would make the s3 events much more flexible. |
Adding #3162 here (as brought up by @HyperBrain) |
Adding a good example brought up by @erikerikson in the context of step functions:
So the Arn parser should support the following declarations and parse them correctly:
Any additions are welcome. |
Thanks for updating @HyperBrain Here's the link to the comment mentioned above 🔝 --> #3024 (comment) |
Perhaps I'm missing something; but isn't this issue also about referencing resources from within the same stack? I have a cognito user pool in my Resources section, and I would like to reference it as an authorizer using Fn::GetAtt but the way the code is written today, this is not possible, right? ie this is no just for cross stack referencing, is it? Or is there a way of doing what i want that I'm missing? |
This task is for a general universal ARN parser that allows specifying references as ARN string, Fn::GetAtt, Ref or whatever notations there are to reference resources. It should unify the references, may it be event declarations or something else. |
Ok; and to be clear; right now there's no way to define a Cognito UserPool in the Resources section and then have the functions use events that auth against that newly created user pool, since there's no way to get to the ARN of that created pool; correct? |
As HyperBrain notes, ARN parser was the original thought this was created under (the stream attribute was used for both Kinesis and Dynamo streams) but it is definitely intended to be a generalized resource reference implementation. |
The reason for this is current inconsistency in the implementation. That sometimes you can use Ref or ImportValue, et cetera but not others. For a specific case, try it and see. |
@erikerikson comments are a pretty good summary of the purpose for the @jliebrand have you used the new |
@pmuens no, I wasn't aware of any cognito event source... What I do now is first deploy my stack with the functions having simply no authorizer at all... Then once the stack is deployed for each of my stages, I add these custom vars to the top of my yml:
And then add these authorizers:
This will obviously break if I ever remove and re-deploy a stack, so it's far from ideal |
Interesting solution. Thanks for sharing 👍 We've just added the |
Just chiming in to say a global ARN parser would be incredibly useful. With #3657 we can define user pools, but we can't reference their ARNs as Lambda authorizers. This unfortunately means either having to split a stack or deploy once without authorizers and then again after retrieving and setting the ARN 😞 |
I'm also happy it would implement this. |
Another interesting suggestion / feedback can be found here. |
Any reason not to add checks for
It works for my template, but not sure if there are edge cases that it may break. Happy to send a PR. @pmuens Doing a search on |
It doesn't work if you have several services where you wish to use the same authorizer. It gives me Is there a really simple way to share an authorizer? Cuz, for God's sake, it should be pretty basic! |
It works if you give a unique authorizer name to each service... which looks strange. |
functions[].events[].http.authorizer.arn
If I see correctly, this report signals two issues:
To solve latter, there's a call to introduce a global arn parser, and implenting such doesn't seem to be trivial. In other functionalities we handle any resolution from CF intrinsic functions case by case, and I think similar approach should be taken (if needed) here. However, when I looked closer, I've noticed that the only reason we try to inspect When support for custom authorizers was added, name was unconditionally assumed from passed arn, and that seems problematic (later it was improved, so we do not attempt to resolve if If I read correctly name is not a required property on AWS side: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html#cfn-apigateway-authorizer-name I believe right fix, is to drop the resolution of name whenever While, if for some reason we want to have name unconditional, then imo right fix would be to unconditionally require I've re-titled issue and updated top description. PR with a fix is welcome |
And the worst part is: if you name each authorizer you will reach AWS authorizers limit pretty soon |
After reaching AWS authorizers limit I had to make it work. Turns out that sls creates a CF resource for the authorizer lambda, but not for the authorizer itself(I guess it just creates the authorizer via API). This way I cant really export an actual authorizer from a service unless I create a CF for it. So... in the end I have two considerations about this whole situation:
|
This is a nasty issue!
When I add the type and the name, it only creates one authorizer for me --even if I provide the same name in multiple lamdba authorizer sections. I had to figure this out by diving into the source code :( |
I've investigated it a little bit and it seems like the @medikoo What do you think? About the issues that e.g. @OndeVai mentioned with his workaround - in order to support sharing authorizers cleanly between multiple functions, we would have to allow an option to define |
@pgrzesik very good point. I totally agree that's the way to go.
Yes, and we have a dedicated issue for that: #2887 (I've also added it now to our project, as I think it's worth addressing at some point) |
I've updated spec in top description with proposal, where we require |
Thank you - I'll continue with that approach 💯 |
Similar or dependent issues:
Additional Data
Proposed solution:
This report signals two issues:
1. Messed up error reporting (
functionArn.split is not a function
)No need to do anything here, as such errors will be handled neatly, once schema is configured for this event (see: #8018)
2. No support for CF intrinsic functions at
authorizer.arn
.See: #3212 (comment)
arn
is passed in object form, requirename
property (validate it's existence inline, at least it might be hard to validate it with schema, and receive human friendly error message).arn
is passed in string form and noname
is passed. deprecate name resolution with message that it won't be auto-resolved in next major and to have authorizer named,name
has to be explicitly set in configThe text was updated successfully, but these errors were encountered: