How do I use AWS SAM to create an API that is authorized with a Cognito User Pools authorizer?
There's AWS::ApiGateway::Authorizer. But...
{
  "Type" : "AWS::ApiGateway::Authorizer",
  "Properties" : {
    "AuthorizerCredentials" : String,
    "AuthorizerResultTtlInSeconds" : Integer,
    "AuthorizerUri" : String,
    "IdentitySource" : String,
    "IdentityValidationExpression" : String,
    "Name" : String,
    "ProviderARNs" : [ String, ... ],
    "RestApiId" : String,
    "Type" : String
  }
}
It looks like RestApiId refers to the API that uses this authorizer? But with AWS SAM, my API is defined as
Resources:
  Ec2Index:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ec2/index.handler
      Runtime: nodejs6.10
      CodeUri: ./src
      FunctionName: 'ApiEc2IndexHandler'
      Description: 'List EC2 resources'
      Timeout: 30
      Role: 'arn:aws:iam::598545985414:role/awsmanagement-lambda-management'
      Events:
        Ec2Index:
          Type: Api
          Properties:
            Path: /ec2
            Method: get
I don't know how to tie them together?
Answer 0 (score: 2)
I'm not sure whether you can specify an authorizer in SAM, but you can embed Swagger in the SAM file, which can do this. This is a new feature as of Feb 17 [ref].
I'm definitely not an expert in Swagger or SAM, but it seems you would want something like this:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Simple API Endpoint configured using Swagger specified inline and backed by a Lambda function
Resources:
  Ec2Index:
    Type: AWS::Serverless::Api
    Properties:
      StageName: <stage>
      DefinitionBody:
        swagger: '2.0'
        info:
          title:
            Ref: AWS::StackName
        securityDefinitions:
          cognitoUserPool:
            type: apiKey
            name: "Authorization"
            in: header
            x-amazon-apigateway-authtype: cognito_user_pools
            x-amazon-apigateway-authorizer:
              type: cognito_user_pools
              providerARNs:
                # Fn::Sub is needed so the region and account pseudo-parameters are substituted
                - Fn::Sub: arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/<user_pool_id>
        paths:
          "/ec2":
            get:
              # Requires a valid Cognito token for this method
              security:
                - cognitoUserPool: []
              x-amazon-apigateway-integration:
                httpMethod: POST
                type: aws_proxy
                uri:
                  Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Ec2IndexLamb.Arn}/invocations
              responses: {}
  Ec2IndexLamb:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ec2/index.handler
      Runtime: nodejs6.10
      CodeUri: ./src
      FunctionName: 'ApiEc2IndexHandler'
      Description: 'List EC2 resources'
      Timeout: 30
      Role: 'arn:aws:iam::598545985414:role/awsmanagement-lambda-management'
      Events:
        Ec2Index:
          Type: Api
          Properties:
            # Attach the event to the API defined above rather than to an implicit one
            RestApiId: !Ref Ec2Index
            Path: /ec2
            Method: get
References:
Edit: fixed the Swagger 2.0 syntax of the "security" section; it should be a list.
Answer 1 (score: 1)
You can now reference the implicitly created API Gateway using 'ServerlessRestApi'. So add this plain CloudFormation to your SAM template and everything will work
  ApiCognitoAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      IdentitySource: 'method.request.header.Authorization'
      Name: ApiCognitoAuthorizer
      ProviderARNs:
        - 'arn:aws:cognito-idp:{region}:{userpoolIdentifier}'
      RestApiId: !Ref ServerlessRestApi
      Type: COGNITO_USER_POOLS
Answer 2 (score: 1)
You can add a Cognito user authorizer directly to the SAM AWS::Serverless::Api.
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Cors: "'*'"
      Auth:
        DefaultAuthorizer: MyCognitoAuthorizer
        Authorizers:
          MyCognitoAuthorizer:
            UserPoolArn: 'arn:aws:cognito-.....' # YOUR COGNITO USER POOL ARN
Then, if a default authorizer has not been set, you can add a function-level authorizer on the AWS::Serverless::Function. Or you can deactivate it with Authorizer: 'NONE'.
      Auth:
        Authorizer: MyCognitoAuthorizer
See also the documentation.
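A complete template built on the Auth property from this answer, added here as an example (it is not code from the answer or from AWS's documentation). It assumes an existing Cognito User Pool whose ARN is passed in as a parameter, and the runtime, handler paths and the /health route are illustrative choices; the point it shows is that DefaultAuthorizer makes every route protected unless a function event opts out explicitly.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Added example - Cognito User Pool authorizer set as the API default (not from the original answers)

Parameters:
  UserPoolArn:
    Type: String
    Description: ARN of an existing Cognito User Pool (assumed to exist; supplied at deploy time)

Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        # Secure by default: every method on this API requires a valid Cognito
        # token unless a function event explicitly opts out below.
        DefaultAuthorizer: MyCognitoAuthorizer
        Authorizers:
          MyCognitoAuthorizer:
            UserPoolArn: !Ref UserPoolArn
            # Header that carries the token (Authorization is the default).
            Identity:
              Header: Authorization

  Ec2Index:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ec2/index.handler   # assumed handler path
      Runtime: nodejs18.x          # assumed runtime
      CodeUri: ./src
      Events:
        Ec2Index:
          Type: Api
          Properties:
            # Bind to the explicit API so the default authorizer applies;
            # requests without a valid token are rejected by API Gateway
            # with 401 before the function is ever invoked.
            RestApiId: !Ref MyApi
            Path: /ec2
            Method: get

  HealthCheck:
    Type: AWS::Serverless::Function
    Properties:
      Handler: health/index.handler  # assumed handler path
      Runtime: nodejs18.x            # assumed runtime
      CodeUri: ./src
      Events:
        Health:
          Type: Api
          Properties:
            RestApiId: !Ref MyApi
            Path: /health
            Method: get
            # Explicit, reviewable opt-out for the one unauthenticated route;
            # every other route on MyApi stays behind the default authorizer.
            Auth:
              Authorizer: NONE
```

Declaring the default at the API level and opting out per route means a newly added route cannot be left unprotected by accident, and the opt-outs are visible in one place in the template. The Cognito authorizer checks the token's signature, expiry and issuer against the pool; authorization beyond "is a valid user of this pool" (for example, per-route scopes via the event's AuthorizationScopes property) still has to be configured or done in the function.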
Answer 3 (score: 0)
As @simones mentioned, the following creates a Cognito User Pool authorizer (CF template).
  ApiCognitoAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      IdentitySource: 'method.request.header.Authorization'
      Name: ApiCognitoAuthorizer
      ProviderARNs:
        - 'arn:aws:cognito-idp:{region}:{userpoolIdentifier}'
      RestApiId: !Ref ServerlessRestApi
      Type: COGNITO_USER_POOLS
To attach it to a resource method, the following works (in the Swagger file):
securityDefinitions:
  ApiCognitoAuthorizer:
    type: apiKey
    name: Authorization
    in: header
    x-amazon-apigateway-authtype: cognito_user_pools
    x-amazon-apigateway-authorizer:
      type: cognito_user_pools
      providerARNs:
        - arn:aws:cognito-idp:{region}:{userpoolIdentifier}
Then, add this to the specific method (in the Swagger file):
security:
  - ApiCognitoAuthorizer: []
Answer 4 (score: 0)
Since AWS SAM v1.8.0, you can do this with the following syntax. You can refer to this article for more information.
In short, use the API Authorizer Object to define a Cognito authorizer for your API. Then set your Lambda function's Auth to reference this API.