[@aws-cdk/aws-apigatewayv2] support authorizers for HTTP API #10534
Comments
Hugodby
added
feature-request
github-actions
bot
added
the
@aws-cdk/aws-apigatewayv2
|
At the moment, we have no support for authorizers in APIGatewayV2. Marking this as a feature request for authorizers. |
nija-at
changed the title
nija-at
added
effort/medium
|
@nija-at what about Cognito authorizer? |
|
Working on this. Got something working, but you can't use L1 constructs as props, so I have to implement the Authorizer construct first. |
Will this include IAM authorizer? |
|
|
@lielran new apiGw.CfnAuthorizer(this, 'IAM Authorizer', {
apiId: httpApi.httpApiId,
authorizerType: 'AWS_IAM',
identitySource: ['$request.header.Authorization'],
name: 'IAM Authorizer'
})I get |
|
any updates on adding authorizer to http api route? |
|
below code works for me. (on cdk 1.83+) interface RouteProps {
api: apigwv2.IHttpApi
authorizerType?: 'JWT' | 'AWS_IAM'
authorizerId?: string
routeId: string
path: string
method: apigwv2.HttpMethod
handler: lambda.IFunction
}protected addRoute(props: RouteProps) {
if (props.authorizerType === 'JWT' && props.authorizerId === undefined) {
throw Error('JWT authorizer requires authorizerId')
} else if (props.authorizerType === 'AWS_IAM' && props.authorizerId !== undefined) {
throw Error('IAM authorizer can not be configured with authorizerId')
}
const integration = new integrations.LambdaProxyIntegration({ handler: props.handler })
const route = new apigwv2.HttpRoute(this, `${props.routeId}Route`, {
httpApi: props.api,
routeKey: apigwv2.HttpRouteKey.with(props.path, props.method),
integration,
})
const routeCfn = route.node.defaultChild as apigwv2.CfnRoute
routeCfn.authorizationType = props.authorizerType
routeCfn.authorizerId = props.authorizerId
} |
|
Sorry for the long pause guys! Will try to wrap up the PR this weekend. |
@haandol Does this mean this workaround doesn't work for the IAM authorizer case or that it just needs to be left undefined? (To attach an IAM authorizer with your addRoute above -- Guess I'm about to find out as I dig in) |
Same. It looks like |
import * as cdk from '@aws-cdk/core'
import * as lambda from '@aws-cdk/aws-lambda'
import * as apigwv2 from '@aws-cdk/aws-apigatewayv2'
import * as integrations from '@aws-cdk/aws-apigatewayv2-integrations'
interface RouteProps {
api: apigwv2.IHttpApi
authorizerType?: 'JWT' | 'AWS_IAM'
authorizerId?: string
routeId: string
path: string
method: apigwv2.HttpMethod
handler: lambda.IFunction
}
export abstract class BaseApiStack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props)
}
protected addRoute(props: RouteProps) {
if (props.authorizerType === 'JWT' && props.authorizerId === undefined) {
throw Error('JWT authorizer requires authorizerId')
} else if (props.authorizerType === 'AWS_IAM' && props.authorizerId !== undefined) {
throw Error('IAM authorizer can not be configured with authorizerId')
}
const integration = new integrations.LambdaProxyIntegration({ handler: props.handler })
const route = new apigwv2.HttpRoute(this, `${props.routeId}Route`, {
httpApi: props.api,
routeKey: apigwv2.HttpRouteKey.with(props.path, props.method),
integration,
})
const routeCfn = route.node.defaultChild as apigwv2.CfnRoute
routeCfn.authorizationType = props.authorizerType
routeCfn.authorizerId = props.authorizerId
}
}export class AdminStack extends BaseApiStack {
...
this.addRoute({
api: props.api,
authorizerType: 'JWT',
authorizerId: props.authorizerId,
routeId: 'AdminPresignUrlClothes',
path: '/admin/clothes/upload',
method: apigwv2.HttpMethod.GET,
handler: adminClothes.presignUrlClothesFunction,
})
this.addRoute({
api: props.api,
authorizerType: 'AWS_IAM',
routeId: 'AdminUpdatelothes',
path: '/admin/clothes',
method: apigwv2.HttpMethod.PUT,
handler: adminClothes.updateClothesFunction,
})
}
here is my whole |
|
@iRoachie and @haandol Thank you! I was just arriving there after trying to apply the work around and reading the docs; definitely getting a bit confused with the two different authorizerType's (one on the authorizer and one on the route) :| Was hoping to have some shiny L2 support to utilize but looks like I'm mostly there re: the bits to add. |
…10972) Part 1 of the work needed to make #10534 happen. - Also not sure if a partial L2 is possible as I didn't implement all the properties. - Also not sure if I should rename it to just `Authorizer` (wasn't sure if it clashed with v1 authorizers) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Hey all, we just merged #10972 which introduces support for JWT authorizers, and a convenience cognito user pool authorizer. Just the |
|
Would this allow us to add the authorizer to the $default route? Currently we have an api with just $default route defined, and using the console manually add the JWT authorizer. Would be good to be able to do this via the cdk, but can't see a way of setting it on default integration? |
|
Edit: This isn't possible yet |
|
Hi @iRoachie , Note: Using aws-cdk I am trying to implement the "REQUEST" authorizer type and I cannot get to work properly. export class CustomHttpApi extends apigatewayv2.HttpApi {
public readonly authorizer: apigatewayv2.CfnAuthorizer;
constructor(scope: cdk.Construct, id: string, props?: CustomHttpApiProps) {
const region = props?.region || "us-east-1";
const lambdaAuthorizerUri = `arn:aws:apigateway:${region}:lambda:path/2015-03-31/functions/${props?.lambdaAuthorizerArn}/invocations`;
// ========================================================================
// Resources: HTTP API
// ========================================================================
// Initialization
super(scope, id, {
description: props?.description,
apiName: props?.apiName
});
// ========================================================================
// Resources: HTTP Authorizer
// ========================================================================
this.authorizer = new apigatewayv2.CfnAuthorizer(
this,
"lambda-header-authorizer",
{
apiId: this.httpApiId,
authorizerPayloadFormatVersion: "2.0",
authorizerResultTtlInSeconds: cdk.Duration.seconds(120).toSeconds(),
authorizerType: "REQUEST",
enableSimpleResponses: true,
authorizerUri: lambdaAuthorizerUri,
identitySource: ["$request.header.Authorization"],
name: "token-authorizer",
}
);
}
public addLambdaRoute(props: {
lambdaFn: lambda.Function;
method: HttpMethod;
path: string;
protected: boolean;
}) {
// Step 1: Add the Lambda Handler Proxy Integration
const integration = new LambdaProxyIntegration({
handler: props.lambdaFn,
payloadFormatVersion: PayloadFormatVersion.VERSION_2_0,
});
// Step 2: Add the Route
const route = new apigatewayv2.HttpRoute(
this,
`route-lambda-${props.lambdaFn.node.id}`,
{
httpApi: this,
integration: integration,
routeKey: apigatewayv2.HttpRouteKey.with(props.path, props.methods[0]),
}
);
if (props.protected) {
route.node.children.map((child) => {
const routeCfn = route.node.defaultChild as apigatewayv2.CfnRoute;
routeCfn.authorizationType = this.authorizer.authorizerType;
routeCfn.authorizerId = this.authorizer.ref;
});
}
}The Authorizer is deployed properly but it is not attached to any of the APIs. Am I missing anything? Any help is greatly appreciated. |
…ws#10972) Part 1 of the work needed to make aws#10534 happen. - Also not sure if a partial L2 is possible as I didn't implement all the properties. - Also not sure if I should rename it to just `Authorizer` (wasn't sure if it clashed with v1 authorizers) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Anything in the works for the REQUEST authorizer bit to look at? About to revisit adding such AUTH to an API; could align with whatever might be in the works etc. /me starts by looking at previous merge request as it was mentioned "but the framework should be set to add in IAM after." |
|
Thank you; that helps re: - Lambda Authorizers I'm trying to use the built in AWS_IAM authorizationType -- which as you mentioned before isn't an authorizer and so perhaps is out of scope for this ticket? It seems like this higher level construct could support it and have it translate to setting the right bits for the built in case. It's looking like the following is all I need to add to the route re: AWS_IAM case: ... basically this bit: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-access-control-iam.html And then separately add the IAM policies: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html |
|
@eikeon Oh okay I see what you mean now. Apologies if I was confused earlier. It should be relatively easy to add in another PR. |
No worries; thank you for all the PRs! 🎉 |
|
Now to figure out is there's a way to set |
|
I'm finding that HttpJwtAuthorizer isn't working as the defaultAuthorizer for an HTTP API. Example: With this config, if I open the root URL (/) in my browser, I get a 401 error. But if I try any other URL, there is no authorization. Also when I deployed without the addRoutes config, there was no authorizer visible in the console but after I did addRoutes, it appears. |
Second part of #10534 Had to make small changes to `authorizerType` that route expects, since Route and Authorizer enums are not the same. See #10534 (comment). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
commit 35a6202 Author: Ben Chaimberg <chaimber@amazon.com> Date: Tue May 18 10:18:39 2021 -0700 move supported conditions to function-base and minor name changes commit 7c6c217 Author: Ben Chaimberg <chaimber@amazon.com> Date: Mon May 17 20:23:55 2021 -0700 remove extraneous whitespace commit 02cf427 Author: Ben Chaimberg <chaimber@amazon.com> Date: Mon May 17 17:31:01 2021 -0700 add conditions snippet to README commit 8ebf049 Author: Ben Chaimberg <chaimber@amazon.com> Date: Mon May 17 17:22:25 2021 -0700 format README commit af2be84 Merge: ea53bcc 8856482 Author: Ben Chaimberg <chaimber@amazon.com> Date: Mon May 17 17:19:14 2021 -0700 Merge branch 'master' of github.com:aws/aws-cdk into chaimber/lambda_perm_cond commit ea53bcc Merge: 988b66c 1a695e2 Author: Ben Chaimberg <chaimber@amazon.com> Date: Mon May 17 17:16:10 2021 -0700 Merge branch 'chaimber/lambda_perm_cond' of github.com:aws/aws-cdk into chaimber/lambda_perm_cond commit 988b66c Author: Ben Chaimberg <chaimber@amazon.com> Date: Mon May 17 17:10:48 2021 -0700 add documentation for Permission to README commit 8856482 Author: Elad Ben-Israel <benisrae@amazon.com> Date: Mon May 17 23:19:30 2021 +0300 chore: set license of eslint-plugin-cdk (#14720) Fixes #14594 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit b70a5fa Author: Carter Van Deuren <carterv@users.noreply.github.com> Date: Mon May 17 11:29:47 2021 -0700 docs(kinesis): correct grantRead and grantWrite comments (#14707) This commit swaps the comments for `grantRead` and `grantWrite` so that the comments match the permissions being granted. No extra verification was done for this change, as it only effects comments. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit f65d826 Author: Jared Short <jaredlshort@gmail.com> Date: Mon May 17 13:38:57 2021 -0400 docs(stepfunctions-tasks): fix integration patterns of step-function-task docs (#14722) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 50d486a Author: Adam Wong <55506708+wong-a@users.noreply.github.com> Date: Mon May 17 10:12:49 2021 -0700 feat(stepfunctions): Add support for ResultSelector (#14648) ### Description Adds support for `ResultSelector`. [ResultSelector](https://docs.aws.amazon.com/step-functions/latest/dg/input-output-inputpath-params.html#input-output-resultselector) was added to ASL in August 2020 and is currently missing coverage in CDK. This change exposes a new `resultSelector` field to Task, Map, and Parallel state props. This is a JSON object that functions similarly to `Parameters` but where `$` refers to the state's raw result instead of the state input. This allows you to reshape the result without using extra Pass states. The implementation mimics what exists for Parameters. I'm not convinced we need extra types here. #### Example ```ts new tasks.LambdaInvoke(this, 'Invoke Handler', { lambdaFunction: fn, resultSelector: { lambdaOutput: sfn.JsonPath.stringAt('$.Payload'), invokeRequestId: sfn.JsonPath.stringAt('$.SdkResponseMetadata.RequestId'), staticValue: 'foo', }, }) ``` Which produces the following ASL: ```json { "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke", "Parameters": { "FunctionName": ${functionName}, "Payload.$": "$" }, "ResultSelector": { "lambdaOutput.$": "$.Payload", "invokeRequestId.$": "$.SdkResponseMetadata.RequestId", "staticValue": "foo", }, "Next": ${nextState} } ``` ### Testing * Unit tests for Map, Task, and Parallel states to include `resultSelector` * Unit test with ResultSelector for `LambdaInvoke` state updated to include `resultSelector` * Updated LambdaInvoke integ test to use ResultSelector for one of the states. Executed state machine manually through the AWS console to ensure the example actually works too. Closes #9904 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 4da78f6 Author: Kyle Roach <kroach.work@gmail.com> Date: Mon May 17 12:45:39 2021 -0400 feat(apigatewayv2): http api - lambda authorizer (#13181) Second part of #10534 Had to make small changes to `authorizerType` that route expects, since Route and Authorizer enums are not the same. See #10534 (comment). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 49d18ab Author: Austin Yattoni <austinyattoni@gmail.com> Date: Mon May 17 11:18:49 2021 -0500 fix(lambda): unable to access SingletonFunction vpc connections (#14533) fixes #6261 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 8154e91 Author: Nick Lynch <nlynch@amazon.com> Date: Mon May 17 15:29:02 2021 +0100 chore: skip Go proxy for lambda-go integ tests (#14727) Privacy-conscious users and/or organizations may choose to skip sending all package requests to the Google proxy (as is default). Some corporate environments may block network access to proxy.golang.org altogether. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 3bca822 Author: Nick Lynch <nlynch@amazon.com> Date: Mon May 17 11:47:57 2021 +0100 chore(msk): add ignore-assets pragma to cluster integ test (#14725) The MSK module relies on custom resources, which in turn create a Lambda function with assets. The way the current (lerna/yarn) build works includes the .ts file (as well as the .d.ts and .js) files in the asset bundle. Using the new `nozem` build (correctly) only includes the .d.ts and .js files, leading to a different asset hash. Since we don't care about the actual hash anyway, adding the ignore-assets pragma so this test can pass with either build tool. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit fb0977a Merge: 1effc9f df89694 Author: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> Date: Sat May 15 00:59:26 2021 +0000 chore(merge-back): 1.104.0 (#14708) See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/1.104.0/CHANGELOG.md) commit df89694 Merge: 44d3383 1effc9f Author: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> Date: Sat May 15 00:33:23 2021 +0000 Merge branch 'master' into merge-back/1.104.0 commit 1effc9f Author: Hsing-Hui Hsu <hsinghui@amazon.com> Date: Fri May 14 15:18:14 2021 -0700 docs(ecs): add contributing guide (#14672) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 44d3383 Merge: bc13a66 aaa0d05 Author: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> Date: Fri May 14 21:59:31 2021 +0000 chore(release): 1.104.0 (#14706) See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/1.104.0/CHANGELOG.md) commit aaa0d05 Author: Neta Nir <neta1nir@gmail.com> Date: Fri May 14 14:33:52 2021 -0700 Update CHANGELOG.md commit 0328b03 Author: AWS CDK Team <aws-cdk@amazon.com> Date: Fri May 14 21:30:07 2021 +0000 chore(release): 1.104.0 commit 348e11e Author: Madeline Kusters <80541297+madeline-k@users.noreply.github.com> Date: Fri May 14 14:27:19 2021 -0700 fix(ecs): Classes FargateService and Ec2Service have no defaultChild (#14691) * fix(ecs): Class FargateService has no defaultChild fixes #14665 * update unit tests commit 1a695e2 Merge: 84045fd d82de05 Author: Ben Chaimberg <chaimber@amazon.com> Date: Fri May 14 11:45:50 2021 -0700 Merge branch 'master' into chaimber/lambda_perm_cond commit d82de05 Author: Bryan Pan <bryanpan342@gmail.com> Date: Thu May 13 08:48:46 2021 -0700 chore(appsync): rds data source service integration with grantDataApi (#14671) Utilize the `grantDataApi` from RDS to complete service integration. Fixes: #13189 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 8296623 Author: Hsing-Hui Hsu <hsinghui@amazon.com> Date: Thu May 13 08:22:23 2021 -0700 test(ecs-patterns): update l3 fargate integ tests (#14668) This adds integ tests for NLB fargate services -- previously, there were duplicate ALB fargate services being spun up. Also gives integ test stacks unique names. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit b240f6e Author: Nick Lynch <nlynch@amazon.com> Date: Thu May 13 14:21:05 2021 +0100 feat(cloudwatch): GraphWidget supports period and statistic (#14679) Dashboard metric widgets support overridding/setting both period and stat on the widget as a whole. This is often useful in combination with `MathExpression` metrics. Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/CloudWatch-Dashboard-Body-Structure.html#CloudWatch-Dashboard-Properties-Metric-Widget-Object ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 3063818 Author: Madeline Kusters <80541297+madeline-k@users.noreply.github.com> Date: Thu May 13 02:29:45 2021 -0700 fix(events-targets): circular dependency when adding a KMS-encrypted SQS queue (#14638) fixes #11158 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 9d97b7d Author: Mitchell Valine <valinm@amazon.com> Date: Thu May 13 02:01:08 2021 -0700 chore: init templates use node jest environment (#14632) Remove usage of the `jsdom` test environment in init templates to speed up unit testing by default. Testing: ran cdk init --language=(typescript|javascript) against local build of CLI then ran yarn test to verify that the testing config was valid and jest correctly used the node environment. fix: #14630 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 282d242 Author: Adam Ruka <adamruka@amazon.com> Date: Thu May 13 00:37:33 2021 -0700 chore(custom-resources): import the AWSLambda package explicitly (#14643) When linking the aws-cdk repository to a CDK app using the `link-all.sh` script, if the app uses `ts-node`, the Lambda code in the @aws-cdk/custom-resources package gets picked up by the TypeScript compiler. That code relied on the `aws-lambda` package being implicitly available, but that would cause `ts-node` to fail. Add an explicit import of it in the code - I checked the only difference in the generated JS code is the sourceMappingUrl, so it shouldn't make a difference at runtime, but allows `ts-node` to load that file successfully. Fixes #11627 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* commit 9a4d624 Author: Oliver Bowman <oliverbowman@protonmail.com> Date: Thu May 13 07:40:55 2021 +0100 docs(lambda-nodejs): Example for esbuild missing comma in property (#13520) ---- Example under esbuild appears to be missing comma. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
@iRoachie Looks good and +1 for the CDK doc linking to the relevant documentation re: some examples. Looks like I'l be able to retire my workaround soon. Thank you! PS: One thing I've run across -- how to apply an HttpIamAuthorizer to the default route? |
|
I'm running into an issue too where I'm unable to set the |
…authorizer (#14904) The default authorizer worked by passing the authorizer config to routes in the api by the addRoutes method. We completely forgot about the use case of the default integration, so currently using default integration + default authorizer does not create an authorizer. This PR fixes the bug and allows using default authorizer + default integration as expected. Reported by #10534 (comment) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
@computerwizjared @jeznag the fix just landed in master. Should be available in the next release. |
As far as I can tell there's no way to set this for the default route case yet? (and am unsure if CloudFormation underneath supports it) |
|
@eikeon waiting on review for #14853 The default case is handled - https://github.com/aws/aws-cdk/pull/14853/files#diff-bd5f262e88889ac7224d414c05765806bf9a20d2c12d45f6db521f2d4c05f8ebR29-R46 |
Second part of aws#10534 Had to make small changes to `authorizerType` that route expects, since Route and Authorizer enums are not the same. See aws#10534 (comment). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…authorizer (aws#14904) The default authorizer worked by passing the authorizer config to routes in the api by the addRoutes method. We completely forgot about the use case of the default integration, so currently using default integration + default authorizer does not create an authorizer. This PR fixes the bug and allows using default authorizer + default integration as expected. Reported by aws#10534 (comment) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Closing this overall issue since we have a few authorizers built. @iRoachie - let's open separate issues per authorizer going forward. |
|
Fixes #15123 See also: [@nija-at's comments on `grantInvoke`](#14853 (comment)), #10534 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes aws#15123 See also: [@nija-at's comments on `grantInvoke`](aws#14853 (comment)), aws#10534 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I want to be able to add an authorizer when calling the addRoutes method. Similar to what is done in the apigateway construct: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.MethodOptions.html
Use Case
There are no straightforward to add an authorizer on HTTP API routes. This is an important security feature. Workaround are already available in blogposts: https://dev.to/martzcodes/token-authorizers-with-apigatewayv2-tricks-apigwv1-doesn-t-want-you-to-know-41jn
Proposed Solution
One solution would be to add an
authorizerproperty on theaddRoutesmethod:This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: