Allows specification of an AuthorizerCredentials(Arn) for both HTTP and REST APIs #11959
Comments
@lholota thanks for opening that issue. PR is welcome, but let's first agree how we will include it in the configuration (please post a proposal) |
Hi @medikoo, as I hinted above, I would suggest adding it as follows:

HTTP API (Gateway V2)

```yaml
provider:
  httpApi:
    authorizers:
      customAuthorizer:
        # ...
        authorizerCredentials: # Role ARN
          GetAtt: [MyRole, Arn] # Referencing a role created in the resources section
```

REST API (Gateway V1)

```yaml
functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          # ...
          authorizer:
            name: authorizerFunc
            # ...
            authorizerCredentials: # Role ARN
              GetAtt: [MyRole, Arn] # Referencing a role created in the resources section
  authorizerFunc:
    handler: handler.authorizerFunc
```

Both V1 and V2 gateways have the same property (although it has a slightly different name in each it takes the same value). |
@lholota that looks very good to me. PR's welcome! |
Hi, I'd like to pick this issue.
P.S. I'm new here so please excuse me if anything sounds too obvious to answer. |
/assign |
Hi @JSee98, |
Great!! @lholota just wanted to confirm have you tried the GetAtt function as you've defined above? If yes, what was the exact error over there? |
@lholota I'm suggesting something of the sorts defined here https://github.com/serverless/serverless/blob/88099ad98c33ed97b1cf0471de03247c33928af0/docs/providers/aws/guide/iam.md#custom-iam-roles Here as I can see we can define the role with an arn and use the same in any function. This should work right? |
Please ignore the previous message. I believe I've identified the required changes. This is where the authorizer is "compiled". Basically, the yaml details are used to create the required authorizer for cloudformation. More changes might be required under validation file and the methods/authorization file. Will check. P.S. Please ignore the previous messages 😅 |
@JSee98 np, let me know if you need anything more. I'm just going to add that the role will always be defined in |
Hi @JSee98, how is it going? We are eager to test a beta version of this feature :) |
Hi @lholota sorry have been stuck with a prod issue. Will try to raise something this week. Sorry again for the delay. |
Hello can we be contributing with the adjustment of the problem in question? Can you give us the path of the file that contains the error? |
Is there an existing issue for this?
Use case description
Both types of API gateway allow specifying an IAM role which is used to execute the authorizer:
This is important when using an authorizer from another AWS account where you must create a role allowing the execution of the underlying lambda which is used for the authorizer.
If I'm missing something and there is a way around I would be really glad to find out, we have several teams currently keen on using an authorizer shared across the whole company from one AWS account and they unfortunately can't because of this issue.
Proposed solution (optional)
Add property under:
...../events//httpApi/authorizer/authorizer_credentials
...../events//http/authorizer/authorizer_credentials
provider/httpApi/authorizers/*/authorizer_credentials
which would map to the corresponding CloudFormation properties based on the API type.
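
An added example, not taken from the issue or from the Serverless Framework, of the `MyRole` resource that the proposed `authorizerCredentials` setting would reference: a role API Gateway can assume, limited to invoking one authorizer function. The account ID, region and function name are constructed placeholders.

```yaml
# Added example for serverless.yml: role API Gateway assumes to invoke a shared authorizer.
# 111122223333, us-east-1 and shared-authorizer are placeholders, not values from the issue.
resources:
  Resources:
    MyRole:
      Type: AWS::IAM::Role
      Properties:
        # Trust policy: only the API Gateway service may assume this role.
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service: apigateway.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: invoke-shared-authorizer
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action: lambda:InvokeFunction
                  # Scope to the single authorizer function rather than "*".
                  Resource: arn:aws:lambda:us-east-1:111122223333:function:shared-authorizer
```

Because the function lives in another account, its resource-based policy must also allow this role to invoke it.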