用于访问密钥/秘密密钥授权的AWS IAM API Cloudformation帮助

时间:2019-02-06 20:35:13

标签: amazon-web-services aws-api-gateway amazon-iam aws-iam access-keys

我们当前正在使用API​​密钥来保护对我们API网关的访问。但是,我们正在使用具有访问/密钥的IAM模型。我了解到swagger不允许我们这样做(目前我们在swagger中设置了api_key以启用API密钥身份验证)。

我为以下各种操作创建了所需的策略:

  SvcAccountPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub 'iam-${EnvTag}'
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'execute-api:Invoke'
            Resource:
              - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SomeApi}/*/GET/*'
              - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SomeApi}/*/POST/*'
              - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SomeApi}/*/PUT/*'
              - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SomeApi}/*/DELETE/*'
      Users:
        - !Ref userSvcAcct

我的lambda函数如下所示。我仍然对云形成还不陌生,希望在此方面添加lambda授权者(我相信它将在“事件”->“ ApiPost /获取等”部分中)方面会有所帮助,我可以使用此秘密/访问密钥。

  FtpUserMgmtLambda:
    Type: AWS::Serverless::Function
    Properties:
      Description: Lambda handler function for FTP user management
      Handler: 'handler.UserManagementHandler::handleRequest'
      Runtime: java8
      MemorySize: 512
      Timeout: 300
      FunctionName: !Ref LambdaFunctionName
      Role: !GetAtt UserMgmtLambdaRole.Arn
      CodeUri:
        Bucket: !Ref LambdaCodeS3Bucket
        Key: !Ref LambdaCodeFileName
      VpcConfig:
        SomeConfig stuff here
      Environment:
        Variables:
          dbPort: !Ref UserStoreDbPort
          dbUser: !Ref UserStoreDbUserId
          dbName: !Ref UserStoreDbName
          environment: !Ref EnvTag
          basepath: 'somepath'
      Events:
        ApiPost:
          Type: Api
          Properties:
            RestApiId: !Ref SomeApi
            Path: /path
            Method: POST
            Auth: <<Dont know what to do here! HELP>>
        ApiGet:
          Type: Api
          Properties:
            RestApiId: !Ref SomeApi
            Path: /path
            Method: GET
            Auth: *<<Dont know what to do here! HELP>>*
      Tags:
        Name: !Ref LambdaFunctionName
        function: lambda function that manages ftp users

1 个答案:

答案 0 :(得分:0)

通过Swagger修复了此问题。示例代码如下:

    setTimeout(function() {
      input.setSelectionRange(0, 99999);
    }, 0);

然后在cloudformation中,将以下内容添加到无服务器API定义中以处理swagger文件。当然

---
swagger: "2.0"
info:
  version: "2017-10-17T17:47:44Z"
  title: "User-Mgt-API"
basePath: "/${environment}"
schemes:
  - "https"
paths:
  /ftpuser:
    post:
      x-amazon-apigateway-auth:
        type: aws_iam
      produces:
        - "application/json"
      responses:
        200:
          description: "When create user request successful"
          schema:
            $ref: "#/definitions/Empty"
        400:
          description: "When API vallidation error happens"
          schema:
            $ref: "#/definitions/Empty"
      x-amazon-apigateway-integration:
        responses:
          default:
               statusCode: "200"
        uri:
          Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${FtpUserMgmtLambda.Arn}/invocations
        passthroughBehavior: "when_no_match"
        httpMethod: "POST"
        contentHandling: "CONVERT_TO_TEXT"
        type: "aws_proxy"
 definitions:
  Empty:
    type: "object"
    title: "Empty Schema"

希望这会有所帮助。网络上还有一个示例使用x-amazon-apigateway-any-method的示例,通过该示例我可以得出上述结论。该链接为here