-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: allow setting InvokeRole to NONE or null #986
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #986 +/- ##
===========================================
+ Coverage 94.71% 94.77% +0.05%
===========================================
Files 69 69
Lines 3160 3252 +92
Branches 606 635 +29
===========================================
+ Hits 2993 3082 +89
- Misses 85 88 +3
Partials 82 82
Continue to review full report at Codecov.
|
method_invoke_role = method_auth_config.get('InvokeRole') | ||
if not method_invoke_role and 'InvokeRole' in method_auth_config: | ||
method_invoke_role = 'NONE' | ||
api_invoke_role = api_auth_config.get('InvokeRole') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This section looks for two things:
- If there is an
InvokeRole
set, it gets the value - If
InvokeRole
is set to null, it sets it to 'NONE' - If
InvokeRole
is not set, it is passed as usual and is set toCallerCredentials
.
@@ -8,7 +8,7 @@ Resources: | |||
StageName: Prod | |||
Auth: | |||
DefaultAuthorizer: AWS_IAM | |||
InvokeRole: CALLER_CREDENTIALS | |||
InvokeRole: CALLER_CREDENTIALS # default, set to NONE or null to not require credentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't accurate. IAM credentials are still required, they just aren't used as the invocation role for the Lambda Function. Setting to NONE will use the Lambda Function's configured role; setting to a different IAM role will invoke using that role.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor comment on code comment
Issue #, if available:
#923
Description of changes:
Allows invoke role override (removes the "credentials" field as discussed in #923)
Description of how you validated changes:
Verified that the transformed template removes the "credentials" section when InvokeRole is set to 'None' or null. Also deployed template to CFN to verify that "Invoke with caller credentials" and "execution role" were not set on the api method.
I also attempted to make it more explicit that
CALLER_CREDENTIALS
is the default value, due to a conversation in the above issue.Checklist:
make pr
passesexamples/2016-10-31
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.