
AWS_IAM auth does not allow InvokeRole override #923

Open
theburningmonk opened this issue May 16, 2019 · 9 comments

@theburningmonk commented May 16, 2019

Description:

When using the new AWS_IAM auth type, the InvokeRole is always set to CALLER_CREDENTIALS even when I specify an override. The problem here is that, it forces the caller to have both API Gateway's invoke permission as well as lambda:InvokeFunction permission. This breaks the API abstraction and leaks implementation details (that there's a Lambda behind API Gateway, and the name of the function).

Steps to reproduce the issue:

  1. create API with auth type set to AWS_IAM and set InvokeRole to null

image

Observed result:

API endpoints still use CALLER_CREDENTIALS

image

Expected result:

  • Execution role to be `null`
  • Invoke with caller credentials to be disabled
@theburningmonk (Author) commented May 16, 2019

For now, our workaround is to have a custom macro that is triggered after the initial SAM macro and strips the credentials field.

image
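The post-SAM macro approach described in this comment, as an added example rather than the author's own macro: a CloudFormation macro handler in Python that runs after the SAM transform (assumed template header `Transform: [AWS::Serverless-2016-10-31, StripCallerCredentials]`; the macro name, the function names and the sample fragment are all assumptions constructed for this illustration) and deletes the `credentials` field wherever it equals the caller-credentials wildcard `arn:aws:iam::*:user/*`, while leaving explicit role ARNs untouched.

```python
# Added example (not the issue author's macro): a CloudFormation macro handler
# that runs after the SAM transform and removes the `credentials` field SAM
# writes for AWS_IAM integrations when it resolves to caller credentials.
# Assumed template header: Transform: [AWS::Serverless-2016-10-31, StripCallerCredentials]
import copy

# The literal SAM emits for InvokeRole: CALLER_CREDENTIALS. It makes API Gateway
# invoke the Lambda with the caller's own IAM identity, which is why the caller
# then needs lambda:InvokeFunction on the backing function as well.
CALLER_CREDENTIALS_ARN = "arn:aws:iam::*:user/*"

# Extension key in the OpenAPI body that carries the API Gateway integration.
INTEGRATION_KEY = "x-amazon-apigateway-integration"


def strip_caller_credentials(fragment):
    """Return (copy_of_fragment, changed_count).

    Every AWS::ApiGateway::RestApi whose inline Body has an integration with the
    caller-credentials wildcard gets that `credentials` key deleted, so API
    Gateway falls back to the Lambda resource policy instead. Explicit role
    ARNs are left alone. The input fragment is not modified."""
    fragment = copy.deepcopy(fragment)
    changed = 0
    for resource in fragment.get("Resources", {}).values():
        if resource.get("Type") != "AWS::ApiGateway::RestApi":
            continue
        body = resource.get("Properties", {}).get("Body")
        if not isinstance(body, dict):
            continue  # BodyS3Location or no inline body: nothing to edit here
        for methods in body.get("paths", {}).values():
            for definition in methods.values():
                if not isinstance(definition, dict):
                    continue  # e.g. a path-level "parameters" list
                integration = definition.get(INTEGRATION_KEY)
                if isinstance(integration, dict) and integration.get("credentials") == CALLER_CREDENTIALS_ARN:
                    del integration["credentials"]
                    changed += 1
    return fragment, changed


def handler(event, context):
    """Lambda entry point in the shape CloudFormation macros use: the event
    carries `fragment` and `requestId`, and the response must echo `requestId`
    together with a status and the (possibly modified) fragment."""
    fragment, changed = strip_caller_credentials(event["fragment"])
    print(f"StripCallerCredentials: removed caller credentials from {changed} integration(s)")
    return {"requestId": event["requestId"], "status": "success", "fragment": fragment}


# Constructed sample of what the SAM transform produces for an AWS_IAM-protected
# API: one method with the caller-credentials integration the issue complains
# about, and one with an explicit invoke role that must be preserved.
SAMPLE_FRAGMENT = {
    "Resources": {
        "ServerlessRestApi": {
            "Type": "AWS::ApiGateway::RestApi",
            "Properties": {
                "Body": {
                    "swagger": "2.0",
                    "paths": {
                        "/hello": {
                            "get": {
                                INTEGRATION_KEY: {
                                    "type": "aws_proxy",
                                    "httpMethod": "POST",
                                    "uri": {"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${HelloFunction.Arn}/invocations"},
                                    "credentials": CALLER_CREDENTIALS_ARN,
                                },
                                "security": [{"AWS_IAM": []}],
                            },
                            "post": {
                                INTEGRATION_KEY: {
                                    "type": "aws_proxy",
                                    "httpMethod": "POST",
                                    "uri": {"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${HelloFunction.Arn}/invocations"},
                                    # placeholder account id, constructed for the sample
                                    "credentials": "arn:aws:iam::123456789012:role/ApiInvokeRole",
                                },
                            },
                        }
                    },
                }
            },
        },
        "HelloFunction": {"Type": "AWS::Lambda::Function", "Properties": {}},
    }
}


if __name__ == "__main__":
    response = handler({"requestId": "constructed-request-id", "fragment": SAMPLE_FRAGMENT}, None)
    print(response["fragment"]["Resources"]["ServerlessRestApi"]["Properties"]["Body"]["paths"]["/hello"])
```

Because the macro only removes the wildcard value, a method whose InvokeRole was set to a real role ARN keeps it; the count it logs is a cheap way to confirm during a deploy that the transform actually touched the integrations you expected.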

@tavolate commented May 16, 2019

We have the same issue

@keetonian (Contributor) commented May 17, 2019

It looks like we're forcing InvokeRole to be non-null here: https://github.com/awslabs/serverless-application-model/blob/develop/samtranslator/swagger/swagger.py#L192

A simple fix for this would be to allow null or blank values and add a test that enforces this behavior.

@jadhavmanoj commented May 20, 2019

@keetonian if InvokeRole is None, should we remove the credentials key from the template?

@keetonian (Contributor) commented May 20, 2019

That's a good question. @brettstack might know, otherwise I'll investigate more and see what SAM should do in this case.

@brettstack (Contributor) commented May 21, 2019

@jadhavmanoj that's correct.
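The mapping the last few comments converge on (a null or blank InvokeRole drops the credentials key entirely), written out as an added Python illustration. It is not SAM's source; the real logic lives in the swagger.py file linked above, and the function names, the default region and the sample ARNs here are assumptions. The first function reproduces the behaviour the issue reports, the second the proposed behaviour, and the last one shows which IAM actions a client ends up needing in each case, which is the permission leak the issue is about.

```python
# Added illustration of the InvokeRole mapping discussed in this thread.
# Not SAM's source; function names and the sample ARNs are assumptions.
CALLER_CREDENTIALS_ARN = "arn:aws:iam::*:user/*"


def integration_credentials_as_reported(invoke_role):
    """The behaviour this issue reports: an unset or null InvokeRole still
    falls back to caller credentials, so the override cannot be disabled."""
    if invoke_role and invoke_role != "CALLER_CREDENTIALS":
        return invoke_role
    return CALLER_CREDENTIALS_ARN


def integration_credentials(invoke_role):
    """Proposed mapping: null, blank or 'NONE' means "no credentials field".

    None / "" / "NONE"   -> omit the key; API Gateway calls the function under
                            the Lambda resource policy (the AWS::Lambda::Permission
                            SAM already creates for API events).
    "CALLER_CREDENTIALS" -> the wildcard ARN; the caller's own identity is used
                            for the Lambda invocation.
    anything else        -> taken as an explicit IAM role ARN.
    """
    if invoke_role in (None, "", "NONE"):
        return None
    if invoke_role == "CALLER_CREDENTIALS":
        return CALLER_CREDENTIALS_ARN
    return invoke_role


def lambda_integration(function_arn, invoke_role, region="us-east-1"):
    """Build the x-amazon-apigateway-integration object for one method."""
    integration = {
        "type": "aws_proxy",
        "httpMethod": "POST",
        "uri": f"arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/{function_arn}/invocations",
    }
    credentials = integration_credentials(invoke_role)
    if credentials is not None:
        integration["credentials"] = credentials
    return integration


def required_caller_actions(integration):
    """IAM actions a client must be allowed before a request succeeds.

    With caller credentials the client policy also has to grant
    lambda:InvokeFunction on the backing function's ARN, which exposes that
    (and which) Lambda sits behind the API."""
    actions = {"execute-api:Invoke"}
    if integration.get("credentials") == CALLER_CREDENTIALS_ARN:
        actions.add("lambda:InvokeFunction")
    return actions


if __name__ == "__main__":
    fn = "arn:aws:lambda:us-east-1:123456789012:function:hello"  # constructed ARN
    for role in (None, "NONE", "CALLER_CREDENTIALS", "arn:aws:iam::123456789012:role/ApiInvokeRole"):
        integration = lambda_integration(fn, role)
        print(role, "->", integration.get("credentials"), sorted(required_caller_actions(integration)))
```

Treating an explicit `NONE` the same as null is what lets a template author state the intent in YAML without relying on how a particular YAML loader renders a bare `null`.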

@benkehoe commented May 28, 2019

Is the plan to change the default to not use caller credentials? I am in favor of such a plan. Using caller credentials isn't the default in API Gateway, so I would consider it unexpected behavior for SAM to change that.

@brettstack (Contributor) commented May 28, 2019

Unfortunately that ship has sailed. Changing default behavior would be a breaking change. The plan is to add InvokeRole: null (or 'NONE') as originally intended.

@benkehoe commented May 28, 2019

Perhaps an additional auth type is warranted, then? AWS_IAM_v2? Requiring this opaque incantation everywhere to get the normal behavior of API Gateway, and that forgetting it will cause IAM failures that are already hard to understand, is going to trip up so many people.
