Seems like the authorizer doesn’t receive any info related to the base path. Even if you pass it in the context, there seems to be no way to add it to the policy.
eg:
domain.com/basepath1/resource/resourceID
domain.com/basepath2/resource/resourceID
current policy statements:
[{ Action: 'execute-api:Invoke', Effect: 'Allow', Resource: 'arn:aws:execute-api:us-east-1:accountID:apiID/dev/GET/resource/resourceID' }]
Hi @leeeomaaax ,
I am not 100% sure but I highly doubt that this is possible since even if you mapped it to a custom domain (incl. defining a base path), APIGW doesn’t really care about it i.e. the endpoints are still available through the amazonaws.com domain.
So I think the best you can do is to handle this in your authorizer; e.g. allow always for case a) and actually check for case b) if this is what you want to do. In any case I’d stick with serverless’ default approach (authorizer: authFn ... authFn: ... handler: ...)
@bbilger, thank you very much for replying
I’m not sure I understood your recommendation.
basepath1 and basepath2 are actually two different services, they do completely different things on the same resource.
How would I check for case b in my authorizer, since I can’t add more elements to the policy statement?
My solution for now is duplicating the declaration of functions on the serverless.yml and putting the base path in it:
domain.com/serverlessServiceAsBasePath/formerBasePath1/resource/resourceID
serverlessServiceAsBasePath would be the base path
/formerBasePath1/resource/resourceID is now in a duplicated function declaration in .yml
Hi @leeeomaaax ,
Hmmm, I am confused and probably I am totally missing the point here, but if those are two different services, how is the base path relevant then at all?
You can “easily” register an authorizer per endpoint (see serverless.yml below).
If the question is about the policy and the value for “Resource”: the resource is passed as methodArn to your custom authorizer handler and so you can generate the policy accordingly. See first example here: http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
If this still doesn’t answer your question: when you say “base path”, do you mean the base path you defined on the custom domain, or the path of the endpoint (regardless of your custom domain)?
Docs: https://serverless.com/framework/docs/providers/aws/events/apigateway/#http-endpoints-with-custom-authorizers
serverless.yml - custom authorizer
functions:
  apiA:
    handler: eventHandlerA
    events:
      - http:
          path: apia/public
          method: get
      - http:
          path: apia/private
          method: get
          authorizer: authFnA
  apiB:
    handler: eventHandlerB
    events:
      - http:
          path: apib/public
          method: get
      - http:
          path: apib/private
          method: get
          authorizer: authFnB
      - http:
          path: apib/private/whatever
          method: get
          authorizer: authFnC
  authFnA:
    handler: authHandlerA
  authFnB:
    handler: authHandlerB
  authFnC:
    handler: authHandlerC
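
The policy generation from `methodArn` described in the reply above, sketched as a Node.js token authorizer. This is an added example, not code from the thread; the token check, the principal id and the sample ARN values used with it are constructed placeholders.

```javascript
// Added example (not from the thread). Splits an ARN of the form
// arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<resource path>
function parseMethodArn(methodArn) {
  const arnParts = String(methodArn).split(':');
  if (arnParts.length < 6 || arnParts[2] !== 'execute-api') {
    throw new Error('not an execute-api ARN');
  }
  const [apiId, stage, method, ...path] = arnParts.slice(5).join(':').split('/');
  if (!apiId || !stage || !method) throw new Error('incomplete methodArn');
  // Only API id, stage, method and resource path are present; these are
  // the fields a policy statement can be scoped by.
  return {
    region: arnParts[3], accountId: arnParts[4],
    apiId, stage, method, resourcePath: '/' + path.join('/'),
  };
}

function buildPolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// Hypothetical check; a real authorizer would verify a signed token here.
const isValidToken = (token) => token === 'constructed-valid-token';

function authorize(event) {
  const arn = parseMethodArn(event.methodArn); // throws on malformed input
  const effect = isValidToken(event.authorizationToken) ? 'Allow' : 'Deny';
  // Scope the statement to exactly the method and resource being invoked.
  const resource = `arn:aws:execute-api:${arn.region}:${arn.accountId}:` +
    `${arn.apiId}/${arn.stage}/${arn.method}${arn.resourcePath}`;
  return buildPolicy('user', effect, resource); // 'user' is a placeholder principal
}

// Lambda entry point; a malformed event is rejected instead of allowed.
const handler = (event, context, callback) => {
  try { callback(null, authorize(event)); } catch (e) { callback('Unauthorized'); }
};
if (typeof module !== 'undefined') module.exports = { handler };
```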