feat(auth): add support for API Gateway Authorizers #546
This is a WIP. Remaining:

1. Tests
2. Documentation
3. Examples
4. Additional end-to-end manual verification
5. Fixing some known edge cases (e.g. remove hanging NONE authorizers when no DefaultAuthorizer set)
none_idx = -1 | ||
authorizer_security = [] | ||
|
||
# If this is the Api-level DefaultAuthorizer we need to check for an |
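Review bot: on the `none_idx = -1` line, -1 doubles as the "not found" sentinel and as a valid Python list index (the last element), so any later use of `none_idx` that is not guarded would act on the last security entry rather than fail. Initialising it to `None` and checking `is not None` before use would make that mistake visible.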
This implementation isn't ideal. The existing order of operations is:
- Apply all Function Event configuration
- Apply API configuration
This makes it hard to apply a DefaultAuthorizer, especially when 'NONE' is defined on the Function Event. Current logic is to add a 'NONE' entry to the Swagger and then remove it when DefaultAuthorizer comes through. Similarly, DefaultAuthorizer won't be added if it detects an existing entry in `security` which matches a key defined in `Api.Auth.Authorizers`.
Ideally we would add DefaultAuthorizer first and then remove/override as needed, but I'd rather not complicate the order of operations (unless there's already precedent of that which I'm not aware of).
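A simplified model of the two-pass ordering described in the comment above, as an added example that is not the PR's code. The function names, the sample authorizer names and the representation of the opt-out as a `{"NONE": []}` entry are assumptions made for illustration.

```python
# Added illustration; a simplified model, not the SAM translator's code.
# A method's `security` is a Swagger-style list of {authorizer_name: []} dicts.

def apply_event_auth(security, authorizer):
    """Pass 1 (Function Event): record an explicit authorizer or the 'NONE' marker."""
    if authorizer is not None:
        security.append({authorizer: []})
    return security


def apply_default_auth(security, default_authorizer, defined_authorizers):
    """Pass 2 (API level): add the default unless the event already chose one."""
    if default_authorizer is None:
        return security  # edge case from the PR: a 'NONE' marker is left hanging
    has_none = any("NONE" in entry for entry in security)
    has_explicit = any(name in defined_authorizers
                       for entry in security for name in entry)
    # Drop the placeholder; it only carried the opt-out through to this pass.
    cleaned = [entry for entry in security if "NONE" not in entry]
    if not has_none and not has_explicit:
        cleaned.append({default_authorizer: []})
    return cleaned


def effective_auth(paths, default_authorizer, defined_authorizers):
    """Return {(path, method): [authorizer names]}; an empty list means open."""
    result = {}
    for path, methods in paths.items():
        for method, event_authorizer in methods.items():
            sec = apply_event_auth([], event_authorizer)
            sec = apply_default_auth(sec, default_authorizer, defined_authorizers)
            result[(path, method)] = [name for entry in sec for name in entry]
    return result


# Constructed sample: per-method Function Event authorizer (None = not set).
SAMPLE_PATHS = {
    "/orders": {"get": None, "post": "MyLambdaAuth"},
    "/health": {"get": "NONE"},
}
AUTHORIZERS = {"MyCognitoAuth", "MyLambdaAuth"}

if __name__ == "__main__":
    resolved = effective_auth(SAMPLE_PATHS, "MyCognitoAuth", AUTHORIZERS)
    for key, names in resolved.items():
        print(key, names or "OPEN (no authorizer)")
```

Running it with `default_authorizer=None` shows the hanging `NONE` entry on `/health` that the PR description lists as a known edge case.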
Is there anything new on this topic? Any ETA for authorizers?
Currently working on the Cognito example, followed directly by tests. Then there's just a couple of documentation changes and we can merge this in.
So do you have an idea when this will be available in production?
This commit also includes a fix for Authorizers when using the ANY method as well as a fix for InlineCode (which this example uses) when used in combination with aws cloudformation package
As part of our policy, I can't comment on dates. I can say it will be "soon" after it is merged into develop
👍
Left a few comments - not going to block on them.
Very excited for this feature. I'm not entirely sure where translation from SAM to CloudFormation occurs (whether it is sam-cli, client-side, or behind AWS's walls). Once this PR is merged into master, will it be immediately ready to use? This is my package and deploy script, which is called from CodePipeline/CodeBuild:
It will be available once it is merged into Master. It's possible to use this on the client-side, but the aws managed transform service happens inside our "walls". We'll post an announcement on our #samdev slack channel as well as in other places when this feature is available from the internal transform.
This feature has now been released and is available to use
@brettstack @keetonian The example template at https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/api_cognito_auth/template.yaml fails SAM validation via "sam validate -t [filename]".
@OndeVai Which version of SAM CLI are you using? You may need to upgrade your version to make this work.
@keetonian I'm on version 0.7.0
Ok I looked into it- I opened an issue on the CLI repo: aws/aws-sam-cli#803
Good deal. Thanks. Good news is that the sam deploy works like a champ :)
@keetonian @brettstack Sorry, one more issue:
@OndeVai Could you create a new issue for this use case, detailing how you would like it to work so that we (and others) can more easily track the design and development of this feature?
Will do. Thanks.
Issue #, if available:
#512
Description of changes:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.