Generating IAM Roles for AWS_IAM Authorizer

I’m starting a new project and we are using APIG and AWS_IAM Authorizer.
I was thinking it would be nice to be able to keep the security information (which roles can access which endpoint) in the config together with the other config for that endpoint.

I can’t find any plugins for this. Was wondering how people maintain that information now? And thoughts on a plugin that would do the above?

You would use CloudFormation resources https://serverless.com/framework/docs/providers/aws/guide/resources/
and create IAM managed policies https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html that give access to the API in the policy document,
then attach them to a user.

Here is create user https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html

Thanks, I get how to do it manually. I was hoping I could generate them based on setting a role name on the functions.

You can set IAM roles per function with https://github.com/functionalone/serverless-iam-roles-per-function

Grabbed from https://github.com/serverless/plugins


Thanks, I didn’t know about the plugins list!
That plugin isn’t quite what I’m after but will be a good starting point for writing one.

I want to specify application roles for each function from, say, [admin, power-user, user].
Then have the plugin generate an IAM role for each application role allowing execute-api:Invoke for each path of the functions that specified that role.
So the below would be generated for the admin role if admin was specified on the POST hello function:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:*:*:qbdnxp6uq6/*/POST/hello"
            ],
            "Effect": "Allow"
        }
    ]
}
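What the post above asks a plugin to do, as an added example that is not part of the original thread and not an existing serverless plugin: read the `functions:` section of a serverless.yml, collect the HTTP routes tagged with each application role, and emit one AWS::IAM::Role per application role whose inline policy allows execute-api:Invoke on exactly those routes. The `appRoles` key on each function is hypothetical, `SAMPLE_FUNCTIONS` is a constructed config, the API id is passed as a plain string (a real plugin would join in `{"Ref": "ApiGatewayRestApi"}`), and the same-account trust policy is an assumption to be replaced by whatever identity provider actually hands out the roles.

```python
"""Generate one IAM role per application role from a serverless.yml-style config.

Added example, not code from the original thread or from any serverless plugin.
Assumptions: a hypothetical `appRoles` list on each function; the REST API id is
supplied as a string by the caller; the trust policy lets principals in the same
account assume the role (adjust to your identity provider, e.g. Cognito).
"""
from collections import defaultdict
import re

PATH_PARAM = re.compile(r"^\{[^}]+\}$")  # matches {id} as well as {proxy+}

# Constructed sample: the `functions:` section of a serverless.yml as a dict.
SAMPLE_FUNCTIONS = {
    "hello": {"handler": "handler.hello",
              "events": [{"http": {"path": "hello", "method": "post"}}],
              "appRoles": ["admin"]},
    "listUsers": {"handler": "handler.list_users",
                  "events": [{"http": "GET users"}],  # serverless shorthand form
                  "appRoles": ["admin", "power-user"]},
    "getUser": {"handler": "handler.get_user",
                "events": [{"http": {"path": "users/{id}", "method": "get"}}],
                "appRoles": ["admin", "power-user", "user"]},
    "nightly": {"handler": "handler.nightly",  # no http event: adds no route
                "events": [{"schedule": "rate(1 day)"}], "appRoles": ["admin"]},
}


def arn_path(path):
    """Serverless `path` -> execute-api resource path: drop surrounding slashes and
    replace path parameters with `*`, since the ARN evaluated at request time
    carries the concrete value (users/42), never the template {id}."""
    return "/".join("*" if PATH_PARAM.match(s) else s for s in path.strip("/").split("/"))


def collect_routes_by_role(functions):
    """Map application role -> sorted (METHOD, resource-path) pairs from `http` events."""
    routes = defaultdict(set)
    for fn in functions.values():
        roles = fn.get("appRoles", [])  # hypothetical key, see module docstring
        for event in fn.get("events", []):
            http = event.get("http")
            if http is None:
                continue
            if isinstance(http, str):          # "GET users" shorthand
                method, path = http.split(None, 1)
            else:
                method, path = http["method"], http["path"]
            method = method.upper()
            method = "*" if method == "ANY" else method
            for role in roles:
                routes[role].add((method, arn_path(path)))
    return {role: sorted(pairs) for role, pairs in routes.items()}


def execute_api_arn(api_id, method, path, region="*", account="*", stage="*"):
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path}"


def build_policy_document(api_id, pairs):
    """Least-privilege inline policy: execute-api:Invoke on exactly these routes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": [execute_api_arn(api_id, m, p) for m, p in pairs],
        }],
    }


def build_cfn_resources(functions, api_id):
    """Emit one AWS::IAM::Role per application role for the `resources:` section."""
    resources = {}
    for role, pairs in collect_routes_by_role(functions).items():
        logical_id = "App" + role.title().replace("-", "") + "Role"
        resources[logical_id] = {
            "Type": "AWS::IAM::Role",
            "Properties": {
                # Assumed trust policy: same-account principals may assume the role.
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                        "Action": "sts:AssumeRole",
                    }],
                },
                "Policies": [{
                    "PolicyName": f"{role}-execute-api-invoke",
                    "PolicyDocument": build_policy_document(api_id, pairs),
                }],
            },
        }
    return resources


if __name__ == "__main__":
    import json
    print(json.dumps(build_cfn_resources(SAMPLE_FUNCTIONS, "qbdnxp6uq6"), indent=2))
```

Because every route is enumerated per method, a role that is allowed GET on a resource does not silently gain POST on it; the wildcard is only introduced for path parameters and for `method: any`, which is what those definitions mean in API Gateway anyway.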

I didn’t do this with AWS_IAM, but with custom authorizer.

One thing you need to take care of: if you want to enable the policy cache (to get better performance), you need to include all valid endpoints for that user.

For example, the user has permission to access endpoint1 and endpoint2. When accessing endpoint1, you need to set the policy cache for both of them:

"arn:aws:execute-api:*:*:qbdnxp6uq6/*/POST/endpoint1",
"arn:aws:execute-api:*:*:qbdnxp6uq6/*/POST/endpoint2"

Otherwise, the user can't access endpoint2 within the policy cache timeout (the default is 300 seconds).

@bill Thanks for the info. Did you generate the policy from your serverless.yml? Or is it manually maintained?

You need to manually take care, with a monolith (?) of lambda functions, to generate the policy cache with an IAM policy. The policy cache has size limits (I don't remember, about 200k or 400k ???), so if you need to manage too many endpoints with different methods, you have to split them properly.

In my case, I need to assign different methods to different endpoints, such as:

"arn:aws:execute-api:*:*:qbdnxp6uq6/*/POST/endpoint1",
"arn:aws:execute-api:*:*:qbdnxp6uq6/*/GET/endpoint1",
"arn:aws:execute-api:*:*:qbdnxp6uq6/*/PUT/endpoint1",
"arn:aws:execute-api:*:*:qbdnxp6uq6/*/POST/endpoint2",
"arn:aws:execute-api:*:*:qbdnxp6uq6/*/GET/endpoint2"

Then this policy cache can be huge, which may hit the limits.
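The custom-authorizer behaviour described in the two replies above (return the principal's complete policy on the first request so the cached policy is valid for endpoint2 as well, and watch the size of the document you hand back), as an added example rather than bill's own code. It assumes a TOKEN authorizer event, a constructed `TOKEN_TO_PRINCIPAL` table and `ROLE_ROUTES` endpoint table (the same shape a plugin would derive from serverless.yml), and a placeholder `MAX_POLICY_BYTES`; look up the current API Gateway quota before relying on that number.

```python
"""Lambda TOKEN authorizer that returns the caller's complete execute-api policy.

Added example, not code from the original thread. Assumptions: bearer tokens in
`authorizationToken` resolved through the constructed TOKEN_TO_PRINCIPAL table;
ROLE_ROUTES holds the per-role endpoint list; MAX_POLICY_BYTES is a placeholder
for the API Gateway authorizer policy size limit.
"""
import json
import re

METHOD_ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>[^:]+):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)/(?P<path>.*)$"
)

# Constructed sample data.
ROLE_ROUTES = {
    "admin": [("POST", "endpoint1"), ("GET", "endpoint1"), ("PUT", "endpoint1"),
              ("POST", "endpoint2"), ("GET", "endpoint2")],
    "user": [("GET", "endpoint1"), ("GET", "endpoint2")],
}
TOKEN_TO_PRINCIPAL = {"tok-admin-1": ("alice", "admin"), "tok-user-7": ("bob", "user")}
MAX_POLICY_BYTES = 8192  # placeholder, see module docstring


def parse_method_arn(method_arn):
    """Split the request's methodArn so the response can reuse its region/account/api/stage."""
    m = METHOD_ARN_RE.match(method_arn)
    if not m:
        raise ValueError(f"unexpected methodArn: {method_arn}")
    return m.groupdict()


def route_arn(parts, method, path):
    return (f"arn:aws:execute-api:{parts['region']}:{parts['account']}:"
            f"{parts['api_id']}/{parts['stage']}/{method}/{path}")


def build_response(principal_id, parts, pairs):
    """Allow every (method, path) of the caller's role, not only the route being
    requested, because API Gateway caches this document per token and reuses it
    for the next requests without calling the authorizer again."""
    response = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": "execute-api:Invoke",
                "Resource": [route_arn(parts, m, p) for m, p in pairs],
            }],
        },
    }
    size = len(json.dumps(response["policyDocument"], separators=(",", ":")))
    if size > MAX_POLICY_BYTES:
        raise ValueError(f"policy is {size} bytes, over MAX_POLICY_BYTES; split the role")
    return response


def handler(event, context=None):
    token = event.get("authorizationToken", "")
    if token not in TOKEN_TO_PRINCIPAL:
        raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    principal_id, role = TOKEN_TO_PRINCIPAL[token]
    parts = parse_method_arn(event["methodArn"])
    return build_response(principal_id, parts, ROLE_ROUTES[role])


def policy_allows(policy_document, method_arn):
    """Check a later request against a cached document (exact match only; API
    Gateway additionally honours `*` wildcards when it evaluates the cache)."""
    return any(stmt["Effect"] == "Allow" and method_arn in stmt["Resource"]
               for stmt in policy_document["Statement"])


def demo_cache_round_trip():
    """Authorize endpoint1 once, then reuse the cached document for endpoint2."""
    first = {"type": "TOKEN", "authorizationToken": "tok-user-7",
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:qbdnxp6uq6/dev/GET/endpoint1"}
    cached = handler(first)["policyDocument"]
    second = "arn:aws:execute-api:us-east-1:123456789012:qbdnxp6uq6/dev/GET/endpoint2"
    return policy_allows(cached, second)


if __name__ == "__main__":
    print("endpoint2 allowed from cached policy:", demo_cache_round_trip())
```

Had `build_response` listed only the route in `event["methodArn"]`, `demo_cache_round_trip` would return False: the cached document for bob would name endpoint1 alone and the GET on endpoint2 would be rejected until the cache entry expires. The size check is where a role with many method/path combinations gets caught; the fix the reply suggests is to split such a role rather than to widen the resources with wildcards.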