[SOLVED] API Gateway - how to set Authorization in Method Request to AWS_IAM?

aws

#1

Hi guys,

I have the same issue described in this stack overflow post:


I wish to authentify requests, using AWS_IAM.

I can use the AWS Gateway API console, and change each method request from none to AWS_IAM. By hand, I can make it work.

However, I would rather change the serverless.yml file in my Serverless services.

I tried to add an authorizationType field like so:

  • http:
    path: greet
    method: get
    authorizationType: AWS_IAM
    but it did not update the authorization settings of API Gateway, and unauthorized requests are still accepted.

Any idea if the serverless.yml file can be set to use AWS_IAM?


LINK:
http://stackoverflow.com/questions/38919753/is-it-possible-to-set-request-authorization-in-serverless-yml-file-with-server

IMG

I have also tried this
Post:
…
event:

  • http:
    path: greet
    method: get
    authorizer: AWS_IAM

AWS_IAM:
handler: handlers.AWS_IAM

But it doesn’t work,

Any idea?

Thanks
Federico


#2

There isn’t a clean way of doing this yet that I’m aware of. There is a bit of a dirty way though. After you’ve deployed your application lookup the name of the AWS::ApiGateway::Method for your method (the way I do this is by looking within cloudfromation’s stack template for my api). Then using that name, within serverless.yml under Resources drop in something like this…

PostMethodApigEventCreateaccountAccountCreate: #<- that is my AWS::ApiGateway::Method's name
  Properties:
    AuthorizationType: AWS_IAM

#3

Hi Camhart,

your dirty way worked like a charm.

Hope this could become a feature, thanks a lot

bye
Federico


What's Missing in Our Docs?
#4

Yup definitely something we want to support in the future. With our latest release (and on master) the name of the Method has changed though, so make sure to update your custom resources so they still work then.


#5

@flomotlik is there a way to set all api endpoints to use AWS_IAM authorization without having to define them one by one?


#6

At the moment there isn’t


#7

@flomotlik I’ve noticed that since 1.0.2 version this does not work:

     resources:
             Resources:
               ApiGatewayMethodV1UsersUseridTestPost: // My post method.
                 Properties:
                  AuthorizationType: AWS_IAM 

I get an error saying that a resource type is need.
So I tried this (format is not being applied by the forum here):
resources:
Resources:
ApiGatewayMethodV1UsersUseridTestPost: //My post method.
Type: AWS::ApiGateway::Method
Properties:
AuthorizationType: AWS_IAM

But it does not work. It produces the following output and the application does not exit.
I must to press ctrl+c in order to cancel and the next time I try to deploy the api I got a “The specified bucket does not exist” which can be solved by deleted the stack task from Cloudformation console.

Serverless: Creating Stack…
Serverless: Checking Stack create progress…
CloudFormation - CREATE_IN_PROGRESS - AWS::CloudFormation::Stack - serverless-user-service-dev
CloudFormation - CREATE_FAILED - AWS::ApiGateway::Resource - ApiGatewayMethodV1UsersUseridTestPost
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_FAILED - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_FAILED - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - ROLLBACK_IN_PROGRESS - AWS::CloudFormation::Stack - serverless-user-service-dev
CloudFormation - DELETE_COMPLETE - AWS::ApiGateway::Resource - ApiGatewayMethodV1UsersUseridTestPost
CloudFormation - DELETE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_COMPLETE - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - ROLLBACK_COMPLETE - AWS::CloudFormation::Stack - serverless-user-service-dev


#8

If you update to 1.0.3 which we released today this should work.


#9

@flomotlik thanks, but I’ve just tried 1.03 version and unfortunately it does not work.

This configuration:

resources:
    Resources:
      ApiGatewayMethodV1UsersUseridTestPost: 
        Type: AWS::ApiGateway::Method # Is this line correct? It does not work
        Properties:
          AuthorizationType: AWS_IAM 

Produces this error:

  An error occurred while provisioning your stack: ApiGatewayMethodV1UsersUseridTestPost
     - Property HttpMethod cannot be empty.

And this configuration:

resources:
    Resources:
      ApiGatewayMethodV1UsersUseridTestPost: 
        Properties:
          AuthorizationType: AWS_IAM 

Produces this other error:

Template format error: [/Resources/ApiGatewayMethodV1UsersUseridTestPost]
     Every Resources object must contain a Type member.

#10

After some tests I’ve added a comment on the following issue: (I think the bug should be reopened) https://github.com/serverless/serverless/issues/2359


#11

FWIW This worked for me:

    functions:
      authenticate:
       handler: <function-handler>
       name: <function-name>
       description: some description
       events:
        - http:
        path: <path>
        method: get
        integration: lambda

    resources:
      Resources:
        ApiGatewayMethod<function-name>Get:
           Properties:
             AuthorizationType: AWS_IAM

#12

I am getting the same error as @endymion as well “Property HttpMethod cannot be empty” and I am using a path parameter as well as he mentioned in the github issue.

I have also noticed that the people who have gotten this working seem to be using lambda integration as opposed to lambda-proxy integration, would that be a requirement for getting this to work?


#13

I’m using serverless 1.6.1 by the way.


#14

I used below syntax in serverless.yml and it worked for me. Key thing was to identify correct name “ApiGatewayMethodHelloGet”. I figured that out from cloud formation template from S3, sls deploys code in S3 for every service if you drill down thos S3 bucket you will see cloud formation template created by sls.

resources:
Resources:
ApiGatewayMethodHelloGet:
Type: "AWS::ApiGateway::Method"
Properties:
AuthorizationType: AWS_IAM


#15

I’m about to implement AWS_IAM. Before I use the workarounds described here, has there been any progress in this feature? I’m using sls v1.8.0.


#16

As of today, I don’t believe so. Keep an eye on PR #3534, hopefully we can start using it in the next release :smiley:


#17

You helped me 100% find the answer this was make or break for me. If you set it manually in the UI as soon as you do any update it will reset it to 0. You have to find the name in the json in the s3 bucket.