Dynamic ARN to Cognito authorizer

#1

When trying to sls package the below (for brevity I included only the relevant bits), I’m getting an error (the full stack trace is below). Looking at the source, it seems the code expects the arn value to be a string. Any solution for this? Thanks!

functions:
  apighandler:
    handler: apighandler.handler
    events:
      - http:
          path: lmi
          method: post
          cors: true
          authorizer:
            name: authorizer
            arn:
              Fn::GetAtt:
                - CognitoUserPool
                - Arn
            claims:
              - email

resources:
  Resources:
    CognitoUserPool:
      Type: "AWS::Cognito::UserPool"
      Properties:
        UserPoolName: UserPool
        AdminCreateUserConfig:
          AllowAdminCreateUserOnly: true
        AutoVerifiedAttributes:
          - email

Error:

TypeError: functionArn.split is not a function
    at Object.extractAuthorizerNameFromArn (/usr/lib/node_modules/serverless/lib/plugins/aws/lib/naming.js:126:34)
    at AwsCompileApigEvents.getAuthorizer (/usr/lib/node_modules/serverless/lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js:218:37)
    at _.forEach (/usr/lib/node_modules/serverless/lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js:50:36)
    at arrayEach (/usr/lib/node_modules/serverless/node_modules/lodash/lodash.js:537:11)
    at Function.forEach (/usr/lib/node_modules/serverless/node_modules/lodash/lodash.js:9359:14)
    at _.forEach (/usr/lib/node_modules/serverless/lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js:42:9)
    at /usr/lib/node_modules/serverless/node_modules/lodash/lodash.js:4944:15
    at baseForOwn (/usr/lib/node_modules/serverless/node_modules/lodash/lodash.js:3001:24)
    at /usr/lib/node_modules/serverless/node_modules/lodash/lodash.js:4913:18
    at Function.forEach (/usr/lib/node_modules/serverless/node_modules/lodash/lodash.js:9359:14)
    at AwsCompileApigEvents.validate (/usr/lib/node_modules/serverless/lib/plugins/aws/package/compile/events/apiGateway/lib/validate.js:41:7)
    at Object.package:compileEvents [as hook] (/usr/lib/node_modules/serverless/lib/plugins/aws/package/compile/events/apiGateway/index.js:42:31)
    at BbPromise.reduce (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:254:55)
From previous event:
    at PluginManager.invoke (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:254:22)
    at PluginManager.run (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:273:17)
    at variables.populateService.then (/usr/lib/node_modules/serverless/lib/Serverless.js:105:33)
    at runCallback (timers.js:672:20)
    at tryOnImmediate (timers.js:645:5)
    at processImmediate [as _immediateCallback] (timers.js:617:5)
From previous event:
    at Serverless.run (/usr/lib/node_modules/serverless/lib/Serverless.js:92:74)
    at serverless.init.then (/usr/lib/node_modules/serverless/bin/serverless:30:50)

#2

I have encountered exactly the same issue when trying to set the authorizer arn from an AWS::Cognito::UserPool resource that is being created in the same serverless.yml.

Is there a solution to this yet? Help would be appreciated.


#3

Basically, from what I understand from reading every thread on here about this, especially this thread:
cognito-user-identity-pools-as-serverless-yml-resource-defs

It is related to a bigger ARN issue in serverless which is currently being looked at:
ARN Issue

So we are for the time being effed.


#4

Same problem here. Grrr. For the time being the only choice is to hardwire the ARN?


#5

The issue seems to be that the parameter passed to the function “extractAuthorizerNameFromArn” in AppData\Roaming\npm\node_modules\serverless\lib\plugins\aws\lib\naming.js:127:34 is not really a string and therefore it can’t be split.

I tried to just add .toString() but no improvement.

I have worked way too little with npm and so on to figure out how they are passing the Fn::GetAtt: bla bla bla to the actual ARN string to then cut in pieces.

So if anybody has a fix for that it would be a great help. I don’t mind fixing npm stuff.
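
The failure discussed in this thread, reproduced as an added example that is not part of any post and is not the Serverless Framework's own code: a string-only name extractor breaks on an Fn::GetAtt object, calling toString() on the object only yields "[object Object]", and a type-aware variant accepts both forms. The function names, the validation pattern and the sample ARN are assumptions constructed for illustration.

```javascript
'use strict';

// Hypothetical stand-in for a string-only name extractor: it assumes the ARN
// is already a literal string, which is what the stack trace above trips on.
function nameFromArnStringOnly(arn) {
  const parts = arn.split(':');
  return parts[parts.length - 1].split('/').pop();
}

// Constructed sample values (not real resources).
const literalArn =
  'arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE';
const getAttArn = { 'Fn::GetAtt': ['CognitoUserPool', 'Arn'] };

// Type-aware variant (illustrative): derive a stable authorizer name from
// either a literal ARN or an Fn::GetAtt reference, and reject anything else
// at packaging time instead of failing deep inside a string method.
function authorizerNameFromArn(arn) {
  if (typeof arn === 'string') {
    // Assumed shape check for a Cognito user pool ARN.
    if (!/^arn:aws[\w-]*:cognito-idp:[^:]+:\d{12}:userpool\/.+$/.test(arn)) {
      throw new TypeError(`not a Cognito user pool ARN: ${arn}`);
    }
    return nameFromArnStringOnly(arn);
  }
  const ref = arn && arn['Fn::GetAtt'];
  if (Array.isArray(ref) && ref.length === 2 &&
      typeof ref[0] === 'string' && ref[1] === 'Arn') {
    // The logical ID is known before deployment; the resolved ARN is not.
    return ref[0];
  }
  throw new TypeError('authorizer arn must be a string or Fn::GetAtt [id, "Arn"]');
}

// Helper so both outcomes (value or error text) can be compared side by side.
function describeFailure(fn, input) {
  try {
    return fn(input);
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}
```

Rejecting any other shape up front also keeps a mistyped reference from silently producing an authorizer named after the wrong resource.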


#6

I managed to get it working, building a Cognito User Pool Authorizer on the fly to put as the function authorizer arn.

Authorizer Config
Function config

It’s part of my Serverless Yeoman Generator.

Hope it helps! :slight_smile:

Took a couple of days to figure it out, writing tests and debugging the resource builders of aws provider.


#7

My workaround was to use the serverless-stack-output plugin to store the CloudFormation outputs of the service being “depended on” in a file (e.g. .build/stack.json). I then pull in the UserPool Arn via the following:

          authorizer:
            arn: ${file(../cognito/.build/stack.json):UserPoolArn}

Not ideal as it adds complexity to the build process by depending on a local file vs the info stored in CloudFormation, but works for the time being until there is a fix.