The goal is to have a single .NET Core Web API project that supports AWS Cognito-based authentication for most of its endpoints, but not for one single endpoint. Here is the template.yaml file.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: An AWS Serverless Application that uses the ASP.NET Core framework running in Amazon Lambda.
Parameters:
  ShouldCreateBucket:
    Type: String
    AllowedValues:
      - 'true'
      - 'false'
    Description: If true then the S3 bucket that will be proxied will be created with the CloudFormation stack.
  BucketName:
    Type: String
    Description: Name of S3 bucket that will be proxied. If left blank a name will be generated.
    MinLength: '0'
  CognitoUserPoolName:
    Type: String
    Default: XXXXX-UserPool
  CognitoUserPoolClientName:
    Type: String
    Default: XXXXX-UserPool
Conditions:
  CreateS3Bucket:
    Fn::Equals:
      - Ref: ShouldCreateBucket
      - 'true'
  BucketNameGenerated:
    Fn::Equals:
      - Ref: BucketName
      - ''
Resources:
  MyCognitoAuth:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      AuthorizerUri: arn:aws:cognito-idp:ap-south-1:XXXXXXXXX:userpool/ap-south-1_xxxxxxxx
      IdentitySource: method.request.header.Authorization
  MyServiceApi:
    Type: AWS::Serverless::Api
    Properties:
      Name: MyServiceApi
      StageName: !Ref Version
      Auth:
        Authorizer: MyCognitoAuth
  AspNetCoreFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: AWSServerless1::AWSServerless1.LambdaEntryPoint::FunctionHandlerAsync
      Runtime: dotnetcore2.1
      CodeUri: Ref BucketName
      MemorySize: 256
      Timeout: 30
      Role: null
      Policies:
        - AWSLambdaFullAccess
      Environment:
        Variables:
          AppS3Bucket:
            Fn::If:
              - CreateS3Bucket
              - Ref: Bucket
              - Ref: BucketName
      Events:
        CognitoAuthApi:
          Type: Api
          Properties:
            RestApiId: !Ref MyServiceApi
            Path: /{proxy+}
            Method: ANY
            Auth:
              Authorizer: MyCognitoAuth
        APIKeyAuthApi:
          Type: Api
          Properties:
            RestApiId: !Ref MyServiceApi
            Path: /api/users/canLogin
            Method: GET
            Auth:
              Authorizer: null
  Bucket:
    Type: AWS::S3::Bucket
    Condition: CreateS3Bucket
    Properties:
      BucketName:
        Fn::If:
          - BucketNameGenerated
          - Ref: AWS::NoValue
          - Ref: BucketName
Outputs:
  ApiURL:
    Description: API endpoint URL for Prod environment
    Value:
      Fn::Sub: https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/
  S3ProxyBucket:
    Value:
      Fn::If:
        - CreateS3Bucket
        - Ref: Bucket
        - Ref: BucketName
```
But this throws the following error:

Error: [InvalidResourceException('AspNetCoreFunction', 'Event with id [CognitoAuthApi] is invalid. Unable to set Authorizer [MyCognitoAuth] on API method [any] for path [/{proxy+}] because the related API does not define any Authorizers.'), InvalidResourceException('MyServiceApi', "Invalid value for 'Auth' property")] ('AspNetCoreFunction', 'Event with id [CognitoAuthApi] is invalid. Unable to set Authorizer [MyCognitoAuth] on API method [any] for path [/{proxy+}] because the related API does not define any Authorizers.') ('MyServiceApi', "Invalid value for 'Auth' property")

What is the correct way to achieve this?
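The SAM validator is rejecting two things in the template above: `Auth` on an `AWS::Serverless::Api` must contain an `Authorizers` map (optionally with a `DefaultAuthorizer`), not a bare `Authorizer` key, and an event can only name an authorizer that is declared in that map. The stand-alone `AWS::ApiGateway::Authorizer` resource is also not what SAM looks at; SAM generates that resource itself from `Auth.Authorizers`. The template below is an added example of the layout that satisfies those rules; it is not code from the question or from an answer on this page. It assumes the user pool already exists and is passed in as a `CognitoUserPoolId` parameter, a `StageName` parameter in place of the undefined `Version`, a local `CodeUri` path for `sam build`, and the narrower `AWSLambdaBasicExecutionRole` managed policy in place of `AWSLambdaFullAccess`; the S3 bucket parameters and conditions from the question are omitted because they do not affect the auth problem.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: ASP.NET Core on Lambda; Cognito-protected API with one anonymous endpoint.

Parameters:
  # Assumption: the Cognito user pool already exists (e.g. ap-south-1_xxxxxxxx).
  CognitoUserPoolId:
    Type: String
  StageName:
    Type: String
    Default: Prod

Resources:
  MyServiceApi:
    Type: AWS::Serverless::Api
    Properties:
      Name: MyServiceApi
      StageName: !Ref StageName
      Auth:
        # Every method on this API requires a valid Cognito token unless the
        # event that creates the method overrides it. SAM emits the
        # AWS::ApiGateway::Authorizer resource from this map, so no separate
        # authorizer resource is declared.
        DefaultAuthorizer: MyCognitoAuth
        Authorizers:
          MyCognitoAuth:
            UserPoolArn: !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${CognitoUserPoolId}
            Identity:
              Header: Authorization   # default; shown to make the token source explicit

  AspNetCoreFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: AWSServerless1::AWSServerless1.LambdaEntryPoint::FunctionHandlerAsync
      Runtime: dotnetcore2.1
      CodeUri: ./src/AWSServerless1   # assumption: local project path used by `sam build`
      MemorySize: 256
      Timeout: 30
      Policies:
        - AWSLambdaBasicExecutionRole   # CloudWatch Logs only; add least-privilege statements as needed
      Events:
        # Catch-all route. No Auth block, so it inherits DefaultAuthorizer
        # and every method under it requires a Cognito token.
        ProxyResource:
          Type: Api
          Properties:
            RestApiId: !Ref MyServiceApi
            Path: /{proxy+}
            Method: ANY
        # The single anonymous endpoint. The explicit NONE overrides the
        # API-level DefaultAuthorizer for exactly this method on this path.
        CanLogin:
          Type: Api
          Properties:
            RestApiId: !Ref MyServiceApi
            Path: /api/users/canLogin
            Method: GET
            Auth:
              Authorizer: NONE

Outputs:
  ApiURL:
    Description: API endpoint URL for the deployed stage
    Value: !Sub https://${MyServiceApi}.execute-api.${AWS::Region}.amazonaws.com/${StageName}/
```

Two points worth checking after deploying. First, API Gateway prefers the literal resource `/api/users/canLogin` over the greedy `/{proxy+}`, but only for the method you declared: a `POST` to that same path is not matched by the `CanLogin` event, falls through to the `ANY /{proxy+}` method and therefore still requires a token, which is the behaviour you want. Second, the Cognito authorizer only authenticates the request (it verifies that the JWT in the `Authorization` header was issued by that user pool and has not expired); any per-user or per-role authorization still has to be enforced inside the ASP.NET Core application from the claims that API Gateway forwards. `sam validate` will report template-level mistakes such as the missing `Authorizers` map before you spend a deployment on them.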