Invoke with caller credentials always set when Authorizer = AWS_IAM #1708

Open
hashitha opened this issue Sep 10, 2020 · 3 comments

Comments

@hashitha

I have the following template (the default Empty Serverless Application template from the AWS Visual Studio Toolkit) that always sets Invoke with caller credentials to true and Execution role = arn:aws:iam::*:user/* when Authorizer = AWS_IAM in the template. Is there any way I can remove the Execution role and set Invoke with caller credentials = false?

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Description": "An AWS Serverless Application.",
  "Resources": {
    "Get": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "AWSServerless6::AWSServerless6.Functions::Get",
        "Runtime": "dotnetcore3.1",
        "CodeUri": "",
        "MemorySize": 256,
        "Timeout": 30,
        "Role": null,
        "Policies": [
          "AWSLambdaBasicExecutionRole"
        ],
        "Events": {
          "RootGet": {
            "Type": "Api",
            "Properties": {
              "Path": "/",
              "Method": "POST",
              "Auth": {
                "ApiKeyRequired": true,
                "Authorizer": "AWS_IAM"
              }
          }
        }
      }
    }
  },
  "Outputs": {
    "ApiURL": {
      "Description": "API endpoint URL for Prod environment",
      "Value": {
        "Fn::Sub": "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
      }
    }
  }
}

This may be related to #923

@yskkin

yskkin commented Sep 23, 2020

  someFunc:
    Type: AWS::Serverless::Function
    Properties:
      Handler: dist/handlers/someFunc.index
      Events:
        Api:
          Type: Api
          Properties:
            Path: /foo/bar/{id}
            Method: POST
            Auth:
              Authorizer: AWS_IAM
              ResourcePolicy:
                # https://github.com/aws/serverless-application-model/issues/1708
                AwsAccountWhitelist:
                  - arn:aws:iam::111122223333:root

Deploying this raises:

CREATE_FAILED  AWS::ApiGateway::Deployment  ServerlessRestApiDeploymente2518db414
Caller provided credentials not allowed when resource policy is set
(Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: __REDACTED__; Proxy: null)

Removing Authorizer: AWS_IAM makes the deployment succeed, but it ruins the resource policy since the authorizer is not set.

@ben-elsen

Is there any update on this yet?

@eliottparis

As answered here, adding InvokeRole: NONE successfully removes the Execution role and unsets the Invoke with caller credentials option that seems to be set by default when an AWS_IAM auth is used.

Api:
   Type: AWS::Serverless::Api
   Properties:
      Auth:
         DefaultAuthorizer: AWS_IAM
         InvokeRole: NONE
      ...
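For reference, the following is a complete SAM template that combines the pieces discussed in this thread: an explicit AWS::Serverless::Api resource with DefaultAuthorizer: AWS_IAM, InvokeRole: NONE and a ResourcePolicy, and the original .NET function wired to it through RestApiId. This is an added example, not a template from the thread or from the SAM project. The account ID in AwsAccountWhitelist and the CodeUri of ./src are placeholders; substitute your own. The reason to turn caller credentials off, beyond the resource-policy conflict yskkin hit, is that with credentials of arn:aws:iam::*:user/* API Gateway invokes the Lambda function as the caller's IAM identity, so every caller also needs lambda:InvokeFunction on the function rather than just execute-api:Invoke on the API.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: IAM-authorized API with a resource policy and no caller-credential passthrough.

Resources:
  # An explicit API resource is needed because Auth.InvokeRole lives on
  # AWS::Serverless::Api; the implicit ServerlessRestApi that a bare Api
  # event generates gives you no place to set it.
  Api:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        DefaultAuthorizer: AWS_IAM
        ApiKeyRequired: true
        # The default, CALLER_CREDENTIALS, is what SAM renders as the
        # integration credentials arn:aws:iam::*:user/*. NONE leaves the
        # integration without credentials, which API Gateway requires
        # whenever a resource policy is attached.
        InvokeRole: NONE
        ResourcePolicy:
          # Placeholder account; replace with the principals allowed to call the API.
          AwsAccountWhitelist:
            - arn:aws:iam::111122223333:root

  Get:
    Type: AWS::Serverless::Function
    Properties:
      Handler: AWSServerless6::AWSServerless6.Functions::Get
      Runtime: dotnetcore3.1
      CodeUri: ./src            # assumed build output location
      MemorySize: 256
      Timeout: 30
      Policies:
        - AWSLambdaBasicExecutionRole
      Events:
        RootGet:
          Type: Api
          Properties:
            RestApiId: !Ref Api   # attach to the explicit API above, inheriting its Auth
            Path: /
            Method: POST

Outputs:
  ApiURL:
    Description: API endpoint URL for Prod environment
    Value: !Sub "https://${Api}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
```

After deploying, confirm the setting took effect with `aws apigateway get-integration --rest-api-id <id> --resource-id <id> --http-method POST`; the returned integration should have no `credentials` field, and the console's Invoke with caller credentials box should be unchecked.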


6 participants