feat(auth): add support for API Gateway Authorizers #546
Conversation
This is a WIP. Remaining: 1. Tests 1. Documentation 1. Examples 1. Additional end-to-end manual verification 1. Fixing some known edge cases (e.g. remove hanging NONE authorizers when no DefaultAuthorizer set)
| none_idx = -1 | ||
| authorizer_security = [] | ||
|
|
||
| # If this is the Api-level DefaultAuthorizer we need to check for an |
There was a problem hiding this comment.
This implementation isn't ideal. The existing order of operations is:
- Apply all Function Event configuration
- Apply API configuration
This makes it hard to apply a DefaultAuthorizer, especially when 'NONE' is defined on the Function Event. Current logic is to add a 'NONE' entry to the Swagger and then remove it when DefaultAuthorizer comes through. Similarly, DefaultAuthorizer won't be added if it detects an existing entry in security which matches a key defined in Api.Auth.Authorizers.
Ideally we would add DefaultAuthorizer first and then remove/override as needed, but I'd rather not complicate the order of operations (unless there's already precedent of that which I'm not aware of).
|
Is there anything new on this topic? Any ETA for authorizers? |
|
Currently working on the Cognito example, followed directly by tests. Then there's just a couple of documentation changes and we can merge this in. |
|
So do you have an idea when this will be available in production? |
This commit also includes a fix for Authorizers when using the ANY method as well as a fix for InlineCode (which this example uses) when used in combination with aws cloudformation package
|
As part of our policy, I can't comment on dates. I can say it will be "soon" after it is merged into develop |
|
Very excited for this feature. I'm not entirely sure where translation from SAM to CloudFormation occurs (whether it is sam-cli, client-side, or behind AWS's walls). Once this PR is merged into master, will it be immediately ready to use? This is my package and deploy script, which is called from CodePipeline/CodeBuild: |
|
It will be available once it is merged into Master. It's possible to use this on the client-side, but the aws managed transform service happens inside our "walls". We'll post an announcement on our #samdev slack channel as well as in other places when this feature is available from the the internal transform. |
|
This feature has now been released and is available to use |
|
@brettstack @keetonian The example template at https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/api_cognito_auth/template.yaml fails SAM validation via "sam validate -t [filename]".
|
|
@OndeVai Which version of SAM CLI are you using? You may need to upgrade your version to make this work. |
|
@keetonian I'm on version 0.7.0 |
|
Ok I looked into it- I opened an issue on the CLI repo: aws/aws-sam-cli#803 |
|
Good deal. Thanks. Good news is that the sam deploy works like a champ :) |
|
@keetonian @brettstack Sorry, one more issue:
|
|
@OndeVai Could you create a new issue for this use case, detailing how you would like it to work so that we (and others) can more easily track the design and development of this feature? |
|
Will do. Thanks. |
This is a WIP. Remaining:
Issue #, if available:
#512
Description of changes:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.