Feature Request: API Gateway Authorizer support in SAM Local #137
Comments
Hi @alanchavez88, currently configuring a custom authorizer isn't supported when running locally with SAM Local. I'll leave this issue open as a feature request for our backlog. Thanks.
Thanks @PaulMaddox for the response! If I understand the model correctly, it shouldn't matter if my custom authorizer does not run locally, right? In AWS, only authorized requests can trigger the Lambda function, correct?
Yes, an authorization request should trigger the Lambda in the AWS cloud.
I'm wondering how I may use a Cognito Authorizer; is there a sample for that? I've gone through all 5 samples of SAM template.ymls on the internet and am not able to see how I may do so. Should I just rely on the Swagger export? I am migrating an existing hand-built API Gateway to SAM. Thanks for the help!
I'm also looking for examples of how to integrate a Cognito Authorizer with lambdas made via SAM templates.
This is a good-to-have feature in SAM Local, so we can test the authorization functions before deploying.
Hi, is there a resolution yet for including a Custom Authoriser Lambda in the SAM template itself, or is this still a feature request the AWS SAM Team is working on?
My database URL will not work as it contains '=' and other special characters in the env variables.
Interested in this feature as well. Attempting to use sam-local to auth with Cognito before making subsequent requests.
Same here. Does anyone know the timeline to support SAM Local custom authorizers?
@alanchavez88 did you ever figure out how to configure an authorizer? I notice that the question was never answered. It went off on a tangent about SAM Local.
@margic no, I never figured it out. I ended up assuming that it worked and moved on :( If you find a way to do it please post it here.
Hi, I wrote a small tutorial about how I use custom authorizers. While this does not work when running locally, it does work when being deployed. Hope it helps.

Add an API Gateway custom authorizer

Resource summary:
- ApiGateway - AWS::Serverless::Api - The API definition
- ApiGateway invokes CustomAuthorizerFunction, which returns a policy that will allow or deny the further invocation of your path function.

For more details see Introducing custom authorizers in Amazon API Gateway.

Step by step

```yaml
ApiGateway:
  Type: AWS::Serverless::Api
  Properties:
    StageName: prod
    DefinitionBody:
      swagger: "2.0"
      info:
        title:
          Ref: AWS::StackName
        description: My API that uses custom authorizer
        version: 1.0.0
      securityDefinitions:
        ...
      paths:
        ...
```

```yaml
securityDefinitions:
  CustomAuthorizer:
    type: apiKey
    name: Authorization
    in: header
    x-amazon-apigateway-authtype: custom
    x-amazon-apigateway-authorizer:
      type: token
      authorizerUri:
        Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${CustomAuthorizerFunction.Arn}/invocations
      authorizerCredentials:
        Fn::Sub: ${ApiGatewayAuthorizerRole.Arn}
      authorizerResultTtlInSeconds: 60
```

```yaml
paths:
  ...
  "/somepath":
    post:
      security:
        - CustomAuthorizer: []
      ...
```

```yaml
CustomAuthorizerFunction:
  Type: AWS::Serverless::Function
  Properties:
    Runtime: nodejs6.10
    Handler: index.handler
    ...
    Role:
      Fn::Sub: ${CustomAuthorizerFunctionRole.Arn}

ApiGatewayAuthorizerRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: "Allow"
          Principal:
            Service:
              - "apigateway.amazonaws.com"
          Action:
            - sts:AssumeRole
    Policies:
      -
        PolicyName: "InvokeAuthorizerFunction"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Effect: "Allow"
              Action:
                - lambda:InvokeAsync
                - lambda:InvokeFunction
              Resource:
                Fn::Sub: ${CustomAuthorizerFunction.Arn}

CustomAuthorizerFunctionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: "Allow"
          Principal:
            Service:
              - "lambda.amazonaws.com"
          Action:
            - sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Policies:
      ...
```
Is there any example for a Cognito authorizer?
@kind3r This is an excellent tutorial. Something a lot of people will find very useful. Would you be interested in submitting this as a pull request to the SAM repo docs, please? https://github.com/awslabs/serverless-application-model/tree/develop/docs
Given that the Swagger support is for version 2 and not OpenAPI 3, I would expect this feature to come out in the next release. Seems like a HUGE oversight in terms of API definition to not allow authorisation in SAM templates. I have spent the last two days trying to get the version 2 Swagger def to work in SAM; long story short, I may as well write a full CloudFormation stack. I will definitely be looking into other services soon if this feature isn't implemented.
Got this working - thanks!
I can't find a simple example of using a Cognito authorizer in an API event of a lambda function.
None of the examples given here worked for me. I finally followed this https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/api_lambda_request_auth/template.yaml and I got it working. My custom authorizer CloudFormation definition:

```yaml
RestApi:
  Type: AWS::Serverless::Api
  Properties:
    StageName: Prod
    Auth:
      DefaultAuthorizer: ApiAuthorizer
      Authorizers:
        ApiAuthorizer:
          FunctionPayloadType: TOKEN
          FunctionArn: !GetAtt CustomAuthorizerFunction.Arn
          FunctionInvokeRole: !GetAtt CustomAuthorizerFunctionRole.Arn
          Identity:
            Headers:
              - Authorization
            ReauthorizeEvery: 300
```
For those playing at home, this relies on the id token, which cannot be explicitly invalidated. If you never want to log a user out by invalidating the token then it's a great fit. But if you're needing to invalidate a token on behalf of a user then you should implement a custom authoriser that checks the access token.
Does anyone know if we can hardcode the function ARN in FunctionArn?
Not sure why you would want to do that... are you defining an authoriser in the same SAM template as the inline Swagger markup? FWIW I found the best way to manage a custom authoriser was to make a separate CloudFormation or SAM stack with that function on its own and then output the ARN. Then reference it in the SAM templates that have Swagger definitions for authorisation.
@nk2580 thanks for replying. Sorry, that was purely for testing purposes. I have a separate SAM stack for the custom authoriser which gets deployed, and then a separate stack for functions. But somehow it was not working and I was unable to find any example. So I decided to give it a try with a hardcoded one. Custom authoriser SAM template.yml:
And below is my other stack, where I want to reference the custom authoriser:
And this is where I have very limited knowledge of how to achieve this. Any help would be highly appreciated. Thanks
Out of curiosity, is it possible to run your authorizer function locally using |
@jmcaree-gp good call. And yes, that works. What I ended up doing as a workaround is jerry-rigging together a lambda that takes the source code of two other lambdas (an authorizer and an endpoint) and runs them in sequence in a single runtime (I'm using TypeScript). It's highly imperfect but it at least approximates the way my deployed infra's request flow works. I don't think I would recommend my own solution and eagerly await a day when I can test my APIGW with authorizers and all locally.
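The workaround described in the comment above (run the authorizer and the endpoint in sequence in one local runtime) can be written as a small harness rather than by splicing source files. The following is an added example, not the commenter's code or anything from the SAM project: it mimics API Gateway's request flow for a TOKEN authorizer, mapping a thrown `Unauthorized` to 401, evaluating the returned policy document against the method ARN (explicit Deny wins, 403 otherwise), and injecting the authorizer's `principalId` and context into `event.requestContext.authorizer` before calling the endpoint. The sample authorizer, sample endpoint, token value, and ARN prefix are constructed; both handlers are assumed to use the async `(event) => result` Lambda signature.

```javascript
// Added example, not code from the commenter above or from the SAM project:
// a local harness that approximates API Gateway's request flow for a TOKEN
// authorizer (authorizer first, then the endpoint with the authorizer's
// context injected), so both can be exercised together offline. Both handlers
// are assumed to use the async (event) => result Lambda signature.

// Constructed authorizer: accepts one constructed token and emits an Allow policy.
async function sampleAuthorizer(event) {
  if (event.authorizationToken !== 'Bearer valid-example-token') throw new Error('Unauthorized');
  return {
    principalId: 'user-1',
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: 'Allow', Resource: event.methodArn }],
    },
    context: { tenant: 'acme' },
  };
}

// Constructed endpoint: reads what the authorizer injected, the same way a
// deployed Lambda proxy integration reads event.requestContext.authorizer.
async function sampleEndpoint(event) {
  const auth = event.requestContext.authorizer;
  return { statusCode: 200, body: JSON.stringify({ principalId: auth.principalId, tenant: auth.tenant }) };
}

// Does a statement's Resource cover this methodArn? Supports the
// trailing-wildcard form ("arn:...:stage/*") that authorizers commonly return.
function resourceMatches(resource, methodArn) {
  return [].concat(resource).some((r) =>
    r === '*' || r === methodArn || (r.endsWith('*') && methodArn.startsWith(r.slice(0, -1))));
}

// Evaluates the returned policy the way API Gateway does: an explicit Deny
// on the method wins over any Allow.
function policyAllows(policyDocument, methodArn) {
  const stmts = [].concat(policyDocument.Statement);
  const applies = (s) =>
    [].concat(s.Action).includes('execute-api:Invoke') && resourceMatches(s.Resource, methodArn);
  if (stmts.some((s) => s.Effect === 'Deny' && applies(s))) return false;
  return stmts.some((s) => s.Effect === 'Allow' && applies(s));
}

// request: { httpMethod, path, headers, ... } as a proxy-integration event would carry.
async function invokeWithAuthorizer(authorizer, endpoint, request, stage = 'Prod') {
  // Constructed local ARN; region, account and API id are placeholders.
  const methodArn = `arn:aws:execute-api:local:000000000000:localapi/${stage}/${request.httpMethod}${request.path}`;
  let auth;
  try {
    auth = await authorizer({
      type: 'TOKEN',
      authorizationToken: (request.headers && request.headers.Authorization) || '',
      methodArn,
    });
  } catch (e) {
    // API Gateway maps a thrown 'Unauthorized' to 401 and any other failure to 500.
    const statusCode = e.message === 'Unauthorized' ? 401 : 500;
    return { statusCode, body: JSON.stringify({ message: e.message }) };
  }
  if (!policyAllows(auth.policyDocument, methodArn)) {
    return { statusCode: 403, body: JSON.stringify({ message: 'User is not authorized to access this resource' }) };
  }
  const event = {
    ...request,
    requestContext: {
      ...(request.requestContext || {}),
      authorizer: { principalId: auth.principalId, ...(auth.context || {}) },
    },
  };
  return endpoint(event);
}

module.exports = { sampleAuthorizer, sampleEndpoint, policyAllows, invokeWithAuthorizer };
```

Point `invokeWithAuthorizer` at your real authorizer and endpoint handlers and drive it from a unit test; what it does not reproduce is the result cache (`authorizerResultTtlInSeconds` / `ReauthorizeEvery`), so cache-related 403s only show up once deployed.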
The only reason I'm using SAM is to run locally. It's unfortunate such a critical piece does not work locally. |
This may be a useful workaround for some of us here: Allows you to test locally with hardcoded values for authorizer-injected elements. |
More than a half decade has passed since the original post ... :/ |
Please can we get an update on when support for Authorisers will be implemented in This ticket has been outstanding for several years and I'm finding very little information on when it will be provided. I'm a little surprised it hasn't been given a higher priority given that it prevents fully testing any application with authorisation, which, surely, must be the majority. |
Hi, thanks for raising your concerns. While I unfortunately do not have a date for when this will be complete, implementation of custom Lambda authorizer support for |
Would love to see this when it's built and ready to use. @lucashuy Please keep us updated :) |
Hi all, custom Lambda authorizer support for
For anyone trying to get this working:
@lucashuy nice work! Can we please get a usage tutorial on this new feature? I have tried getting this to work and am referencing a local authorizer, yet it is still "not found". Usage details would be great 👍 |
Is there a proper example on how to do this? |
There isn't. I requested documentation in issue #5172 |
Hi, for those who are struggling to make this work, I just found out how after some long hours.
Minimal example:
SAM CLI version 1.97.0. Hope this can save many of you some hours!
A working TypeScript example can be found here as well.
Hi @Willis0826, |
Hi @Willis0826, thanks for your example! With this
When running What is wrong?
@CeccoCQ the I'm thinking maybe you can create an issue in my example repository; we can figure it out there.
I'm using the tool to spin up an API gateway locally and run my lambda functions. However, I don't know how to configure an authorizer in template.yml.

In my template.yml file, I have the following configuration:

If I understand the authorizers documentation correctly, I should be able to add the following configurations in order to configure my authorizer:

Everything up until that point works fine. If I run sam validate the output is Valid! and sam local start-api executes without a problem.

However, I don't know how to configure the custom authorizer in my lambda functions. I've read the AWS::Serverless::Function documentation but I couldn't find anything relevant to my issue. Furthermore, there are two issues about adding support for AuthorizationType to the API, but it's unclear whether this support will ever be added, or if it has been added already.

Any help pointing me in the right direction is greatly appreciated!