AWS HTTP API: Support IAM and Lambda authorizers #8210
Comments
@jack1902 great thanks for report, we definitely should have that! Before we jump into PR, it'll be good to outline on how configuration settings should be defined and how they should translate to CloudFormation template. It might be also wise to tackle those two authorizers with two different PR's
@medikoo Agree on tackling the two authorizers as two separate PRs. I believe this is the underlying resource for the
@medikoo could it not be exactly the same as the normal config for REST APIs? At least for the lambda version.
I've tried to use it directly the last week or so, and even though the documentation says it's identical to REST APIs, the actual process to restrict invoke by IAM is different (for one, it's not attached as a resource policy to the API Gateway).
I believe we now need to differentiate authorizers, so we should introduce
Hi guys.
@viniciusvasti do you know if these resources are available in CloudFormation? Since until a resource is available in CloudFormation, Serverless is powerless to do anything in regards to supporting it
@jack1902 The CloudFormation resource AWS::ApiGatewayV2::Authorizer allows at least Lambda Authorizers, see AuthorizerType: REQUEST and AuthorizerUri properties. At the moment we are creating the Authorizer itself as a resource through Serverless and attach it to the route with an ApiGatewayV2.updateRoute call in an output handler triggered by the serverless-output plugin.
That's pretty smart!
@jansinger could you provide an example, pls? It would be helpful for me to do the same :) at least as a temporary solution
@eshikerya sure. Source code for serverless.yaml (only relevant parts)
Source code for output.js
Hi guys,
@TheMechanic we're grouping implementation spec now, and questions asked here: #8210 (comment) remain pending
This is really biting my project. Where is the discussion being held on the comment and implementation spec?
How does output.js get run? I can't see how that fits with serverless-output?
Look at
Keen for an update on this one too
Any updates on this? Is there a branch or fork with the proposed implementation?
Hello folks, thanks to everyone for your patience on this one. Unfortunately, due to other ongoing tasks, this initiative didn't get proper attention, but we're aiming to change that. Below I present an implementation proposal for both IAM and Lambda authorizers.

IAM

Currently, when using JWT authorizer, it first has to be defined in provider.httpApi.authorizers section. As AWS_IAM is not its own configurable Authorizer, there is no point in declaring it in the above section and we could reuse the same pattern as for http event (REST API):

```yaml
functions:
  create:
    handler: posts.create
    events:
      - httpApi:
          path: /posts/create
          method: post
          authorizer: aws_iam
```

or alternatively (but I think we should first stick to the above version):

```yaml
functions:
  create:
    handler: posts.create
    events:
      - httpApi:
          path: /posts/create
          method: post
          authorizer:
            type: aws_iam
```

Implementation should correctly assign AuthorizationType for AWS::ApiGatewayV2::Route resource: serverless/lib/plugins/aws/package/compile/events/httpApi.js (line 198 in f5174ff)

Corresponding REST API Implementation (could be used as inspiration as the mechanism is similar): https://github.com/serverless/serverless/blob/master/lib/plugins/aws/package/compile/events/apiGateway/lib/method/index.js#L66

Lambda

At the moment, Authorizer for HTTP API does not support TOKEN, but only REQUEST type for custom Lambda authorizers (see CloudFormation docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-authorizer.html#cfn-apigatewayv2-authorizer-authorizertype). When using such authorizer, we should support a similar approach as for JWT, with definition of an authorizer in provider.httpApi.authorizers. The proposed structure could look like the following:

```yaml
provider:
  httpApi:
    authorizers:
      someLambdaAuthorizer:
        type: request
        name: <name-of-authorizer-function> # (mutually exclusive with 'arn')
        arn: <arn-of-existing-lambda-function> # (mutually exclusive with 'name')
        managedExternally: true # (Optional)
        identitySource: <...> # (Optional)
        resultTtlInSeconds: 0 # (Optional)
        enableSimpleResponses: true # (Optional)
        payloadVersion: 2.0

functions:
  create:
    handler: posts.create
    events:
      - httpApi:
          path: /posts/create
          method: post
          authorizer:
            name: someLambdaAuthorizer
```

The implementation should correctly construct AWS::ApiGatewayV2::Authorizer during events compilation, similarly to how it's currently done for JWT authorizer: serverless/lib/plugins/aws/package/compile/events/httpApi.js (line 172 in f5174ff)

For reference on how the underlying resource should be constructed, please refer to the CloudFormation documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-authorizer.html We're looking for your feedback on the above proposal 🎉 After we'll finalize the implementation approach, we'd be more than happy to accept a PR for either of the authorization methods. 🙇 Otherwise, I plan to work on the actual implementation in the upcoming weeks, depending on other priorities. Thanks everyone 🙇
I'd love to hear your opinion on this one @medikoo 🙇 |
@pgrzesik thank you. Proposal looks great to me! I have just one minor doubt about
Currently string notation for
I think it'll be more solid if we support IAM authorizer by second proposed notation, so:

```yaml
functions:
  function:
    events:
      - httpApi:
          authorizer:
            type: "iam"
```

Such configuration at least shouldn't leave a doubt on what we're configuring
Thanks @medikoo - that's a great point and suggestion - being more explicit here is definitely a better choice as the "short" version is ambiguous. I had a problem with
Looks pretty good. A few questions:
Hello @ranneyd - great questions!
@pgrzesik thank you!
This is all great. Looking forward to it!
Thanks for your feedback @ranneyd 🙇 I've updated the proposal to include
@pgrzesik Implementation within the yaml so far looks good 🚀. Thanks for keeping my original post up to date
Thank you @jansinger, this seemed to work and is a lifesaver for me! In our case I wanted to make sure that the authorizer was attached to all routes, so I modified the output.js file for this case (I also had a credentials issue, so I changed that too). I also had to

```javascript
const AWS = require('aws-sdk');

// Attach the custom (Lambda) authorizer to every route of the HTTP API that
// does not have an authorizer yet. Runs after deploy with credentials taken
// from the named profile in ~/.aws/credentials.
async function handler({ profile, region, apiId, customAuthorizerId }) {
  AWS.config.credentials = new AWS.SharedIniFileCredentials({ profile: profile });
  const apiGw = new AWS.ApiGatewayV2({ region: region });

  // getRoutes is paginated; follow NextToken so APIs with many routes are fully covered
  const routes = [];
  let nextToken;
  do {
    const page = await apiGw.getRoutes({ ApiId: apiId, NextToken: nextToken }).promise();
    routes.push(...page.Items);
    nextToken = page.NextToken;
  } while (nextToken);

  // Only touch routes without an authorizer; routes already protected (e.g. by JWT) are left alone
  const routesToUpdate = routes.filter(route => !route.AuthorizerId);
  console.log(`Attaching authorizer to ${routesToUpdate.length} routes`);
  if (routesToUpdate.length) {
    const updateActions = routesToUpdate.map(route => apiGw.updateRoute({
      ApiId: apiId,
      RouteId: route.RouteId,
      AuthorizationType: 'CUSTOM',
      AuthorizerId: customAuthorizerId
    }).promise());
    const routeNames = routesToUpdate.map(route => route.RouteKey);
    console.log(routeNames.join('\n'));
    await Promise.all(updateActions);
    console.log("Success!");
  }
}
module.exports = { handler };
```
following. this support is absolutely necessary
@mdrijwan What is missing for you? Support for this has been released a long time ago
hey @pgrzesik - mine is failing too despite following the docs exactly at: https://www.serverless.com/framework/docs/providers/aws/events/http-api My yml:
But I keep getting that identitySources couldn't be null. So when I add it in I then get this:
Been staring at this for the last several hours and I don't know what I'm doing wrong. Please advise! I just need to create a simple lambda authorizer
Hello @AdamAH - make sure you're using the latest version of the Framework - what version are you on? Could you please post a reproducible example and output of
👍 and please do that in a separate issue as a bug report to avoid pinging the 15 other participants in this old discussion.
Gotcha - I was on 1.83.3 - this was from the boilerplate apps created when I set up the project a month ago (ts + http API). I updated it to
I tried installing serverless offline to test but nothing, everything is fine here. Not sure how to debug this without impacting the environment
ah sorry will re-paste text in a new issue
Where should the permission for the API Gateway to call the lambda authorizer be put?
Use case description
AWS have announced support for an IAM or lambda authorizer on the HTTP API (much like the API Gateway ones)
https://aws.amazon.com/about-aws/whats-new/2020/09/api-gateway-http-apis-now-supports-lambda-and-iam-authorization-options/
Proposed solution
Use the same logic from the Rest API (API Gateway) for the HTTP API resource creation
Implementation proposal (in progress)
IAM
Currently, when using JWT authorizer, it first has to be defined in provider.httpApi.authorizers section. As AWS_IAM is not its own configurable Authorizer, there is no point in declaring it in the above section and we could reuse the same pattern as for http event (REST API):
or
Implementation should correctly assign AuthorizationType for AWS::ApiGatewayV2::Route resource: serverless/lib/plugins/aws/package/compile/events/httpApi.js (line 198 in f5174ff)
Corresponding REST API Implementation (could be used as inspiration as the mechanism is similar): https://github.com/serverless/serverless/blob/master/lib/plugins/aws/package/compile/events/apiGateway/lib/method/index.js#L66

Lambda

At the moment, Authorizer for HTTP API does not support TOKEN, but only REQUEST type for custom Lambda authorizers (see CloudFormation docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-authorizer.html#cfn-apigatewayv2-authorizer-authorizertype). When using such authorizer, we should support a similar approach as for JWT, with definition of an authorizer in provider.httpApi.authorizers.
The proposed structure could look like the following:
The implementation should correctly construct AWS::ApiGatewayV2::Authorizer during events compilation, similarly to how it's currently done for JWT authorizer: serverless/lib/plugins/aws/package/compile/events/httpApi.js (line 172 in f5174ff)
For reference on how the underlying resource should be constructed, please refer to the CloudFormation documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-authorizer.html