如何解决用于使用自定义Lambda授权程序部署HTTP API的AWS SAM模板带有OpenAPI
我已经设法通过具有OpenAPI定义的yaml SAM模板部署了具有不同路由和lambda集成的AWS HTTP API,但是我坚持将自定义lambda授权者添加到我的路由中。当我部署堆栈时,创建API会超时:
ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack CloudArYer The following resource(s) failed to
create: [Api]. . Rollback requested by
user.
CREATE_FAILED AWS::ApiGatewayV2::Api Api Internal server error (Service:
AmazonApiGatewayV2; Status Code: 500;
Error Code: InternalServerException;
Request ID: 18242cfd-
cc94-4909-a26a-6631806f94e7; Proxy:
null)
这是模板定义的模板的主要部分:
...
AuthorizerLambdaTemplate:
Type: AWS::Serverless::Application
Properties:
Location: ./templates/Authorizer-template-function.yaml
Parameters:
ProjectName: !Sub "${ProjectName}"
ProjectApiKey: !Sub "${ProjectApiKey}"
Api:
Type: AWS::Serverless::HttpApi
Properties:
StageName: CloudArYerAPI
CorsConfiguration:
AllowCredentials: true
AllowHeaders: "*"
AllowMethods:
- GET
- POST
- PUT
AllowOrigins:
- https://*
DefinitionBody:
openapi: 3.0.1
info:
title: CoudArYer-API
description: HTTP API for connected chicken coop (Cloud Ar Yer)
version: 2020-09-26
paths:
/config/{device}:
get:
x-amazon-apigateway-integration:
$ref: "#/components/x-amazon-apigateway-integrations/GETLambda"
/event/{type}:
post:
x-amazon-apigateway-integration:
$ref: "#/components/x-amazon-apigateway-integrations/POSTLambda"
/image/{origin}/{device}:
put:
x-amazon-apigateway-integration:
$ref: "#/components/x-amazon-apigateway-integrations/PUTLambda"
security:
- CloudArYer-Authorizer: []
components:
securitySchemes:
CloudArYer-Authorizer:
type: apiKey
name: authorization
in: header
x-amazon-apigateway-authtype: custom
x-amazon-apigateway-authorizer:
type: request
identitySource: $request.header.authorization
authorizerUri:
Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthorizerLambdaTemplate.Outputs.FunctionArn}/invocations
authorizerCredentials: !GetAtt ApiGatewayAuthorizerRole.Arn
authorizerPayloadFormatVersion: "2.0"
authorizerResultTtlInSeconds: 60
enableSimpleResponses: true
x-amazon-apigateway-integrations:
PUTLambda:
payloadFormatVersion: "2.0"
type: "aws_proxy"
httpMethod: "POST"
uri:
Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PUTImageLambdaTemplate.Outputs.FunctionArn}/invocations
connectionType: "INTERNET"
GETLambda:
payloadFormatVersion: "2.0"
type: "aws_proxy"
httpMethod: "POST"
uri:
Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GETConfigLambdaTemplate.Outputs.FunctionArn}/invocations
connectionType: "INTERNET"
POSTLambda:
payloadFormatVersion: "2.0"
type: "aws_proxy"
httpMethod: "POST"
uri:
Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${POSTEventLambdaTemplate.Outputs.FunctionArn}/invocations
connectionType: "INTERNET"
ApiGatewayAuthorizerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "apigateway.amazonaws.com"
Action:
- sts:AssumeRole
Policies:
- PolicyName: "InvokeAuthorizerFunction"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- lambda:InvokeAsync
- lambda:InvokeFunction
Resource: !GetAtt AuthorizerLambdaTemplate.Outputs.FunctionArn
...
我的授权者lambda是在嵌套堆栈(AuthorizerLambdaTemplate)中定义的
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
AuthorizerFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub "${ProjectName}-Authorizer-Lambda"
CodeUri: ../src/authorizer
Handler: handler.authorizer
Runtime: nodejs10.x
Role: !Sub "${CustomAuthorizerFunctionRole.Arn}"
Environment:
Variables:
ProjectApiKey: !Sub "${ProjectApiKey}"
CustomAuthorizerFunctionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Parameters:
ProjectName:
Type: String
ProjectApiKey:
Type: String
Outputs:
FunctionArn:
Description: Arn Authorizer function
Value: !GetAtt AuthorizerFunction.Arn
,lambda的代码在外部目录中定义如下
exports.authorizer = async(event) => {
let response = {
"isAuthorized": false,"context": {
"stringKey": "test"
}
};
if (event.headers.authorization === process.env.ProjectApiKey) {
response = {
"isAuthorized": true,"context": {
"stringKey": "test"
}
};
}
return response;
};
我不明白为什么在API创建时会阻止部署...并因InternalServerException而失败。我在堆栈定义上哪里出错了?我浏览了许多站点,摘要...,但是有关新HTTP API的信息较少,例如,没有线索可以解决我的问题。
感谢您的潜在帮助! :-)
解决方法
您可以仅使用SAM添加Lambda授权者,而无服务器功能可以引用授权者。授权者的cloudformation应该看起来像这样:
LambdaAuthorizer:
Type: 'AWS::ApiGatewayV2::Authorizer'
Properties:
Name: LambdaAuthorizer
ApiId: !Ref HttpApi
AuthorizerType: REQUEST
AuthorizerUri: arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/arn:aws:lambda: {region}:{account id}:function:{Function name}/invocations
IdentitySource:
- $request.header.Authorization
AuthorizerPayloadFormatVersion: 2.0
TestGET:
Type: AWS::Serverless::Function
Properties:
CodeUri: .
Handler: items.get
Runtime: nodejs12.x
Events:
GetAPI:
Type: Api
Properties:
Auth:
Authorizer: LambdaAuthorizer
RestApiId: !Ref Api
Path: /items
Method: get
使用HTTP API的Lambda授权者的文档:https://aws.amazon.com/blogs/compute/introducing-iam-and-lambda-authorizers-for-amazon-api-gateway-http-apis/
如果您仍然希望使用开放式API规范,则您拥有的yaml结构不正确。要通过开放的api规范增加安全性,它应如下所示:
securityDefinitions:
LambdaAuthorizer:
type: "apiKey"
name: "Authorization"
in: "header"
x-amazon-apigateway-authtype: "custom"
x-amazon-apigateway-authorizer:
authorizerUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaAuthorizer}/invocations"
authorizerResultTtlInSeconds: 300
identitySource: "method.request.header.Authorization"
type: "request"
注意:这不适用于组件。它应该位于顶级DefinitionBody下。
定义主体中自定义授权者的文档:https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-authorizer.html
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
