API gateway websocket IAM authorizer - websocket

I configured my $connect websocket route's auth to AWS_IAM; however, I can still establish a connection without even signing the URL with credentials. I expect that the handshake should fail if the URL is not signed with valid credentials, but it seems that the IAM authorizer is not being called/invoked. I tried signing the URL with invalid credentials, but it would just connect successfully.
Are there any other configurations that are needed?

After long hours of trying to make the IAM authorizer work for my websocket API, I have finally figured out the problem. I tried to manually create a custom Lambda authorizer, applied it to the $connect route and deployed the API. As expected, the custom authorizer worked. I changed it back to the AWS_IAM authorizer and again manually deployed the API in the console, and it finally worked. I think the reason is that, since I have to configure the $connect route's authorizer via an AWS::ApiGatewayV2::Route resource like this:
// serverless#2.16.0
resources: {
  Resources: {
    SconnectWebsocketsRoute: {
      Type: 'AWS::ApiGatewayV2::Route',
      Properties: {
        AuthorizationType: 'AWS_IAM'
      }
    }
  }
}
every time I perform serverless deploy -s stage --force, it somehow doesn't see this as a new change in configuration and thus skips updating it in CloudFormation. I'm not 100% sure about this though, so any other thoughts are welcome.
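As an added example (not from the original post or the Serverless project), the following stdlib-only SigV4 query-string signer builds the signed wss URL the question refers to, so you can confirm whether the deployed stage actually enforces AWS_IAM on $connect. The host, stage, region and credential values are placeholders you supply.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "execute-api"  # API Gateway (REST, HTTP and WebSocket) signs as execute-api

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_websocket_url(host, stage, region, access_key, secret_key,
                          amz_date=None, expires=300, session_token=None):
    """Return wss://<host>/<stage>?X-Amz-...&X-Amz-Signature=... (SigV4 query auth).
    amz_date is an optional fixed "YYYYMMDDTHHMMSSZ" string for reproducible tests."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary (STS / assumed-role) credentials must carry the token
        params["X-Amz-Security-Token"] = session_token
    # SigV4 canonical query: keys sorted, '/' inside the credential percent-encoded
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", f"/{stage}", canonical_query,
        f"host:{host}\n", "host",            # only the Host header is signed
        hashlib.sha256(b"").hexdigest(),     # the handshake carries no body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"wss://{host}/{stage}?{canonical_query}&X-Amz-Signature={signature}"

# With AWS_IAM really in effect on $connect, a client using this signed URL completes
# the handshake, while an unsigned URL or one signed with the wrong secret is rejected
# (HTTP 403). If all three connect, the stage is not carrying the template's setting.
```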

Related

How to change AWS Amplify AppSync default authorization mode from API KEY to Cognito user pool?

I'm working with Amplify. I added authentication to my application and my GraphQL schema has the rule private. Everything works well locally: each GraphQL API call contains the access token and AppSync accepts my request.
But when I deploy my app, I get an error because all my GraphQL requests still go out with the API key and not with the access token.
my schema.graphQl
My AWSAppSyncClient
In the console I use this configuration:
Locally: all things work well after authentication.
In production: GraphQL still uses the API key after authentication.
Based on this documentation I ran amplify update api:
From there the command line prompts you to select the API type:
? Please select from one of the below mentioned services:
> `GraphQL`
? Select a setting to edit:
> `Authorization modes`
? Choose the default authorization type for the API
API key
Amazon Cognito User Pool
❯ IAM
OpenID Connect
I updated the default authorization type for the API to be Amazon Cognito User Pool instead of API key.
Then I had to run amplify push --appId YOUR_APP_ID --envName YOUR_STAGING_ENV to sync up the changes.

APIGateway throws 403 back when requesting API from one lambda to another on a different APIGateway endpoint

I'm creating an Axios call to an API hosted on APIGateway with no Authorizer etc. I'm able to access the lambda via a direct Postman request and also on the service lambda when it's run in offline mode, such as:
https://localhost:3000/my/api
However, when I run it on the dev stage:
12345.execute-api.eu-west-1.amazonaws.com/my/api
I'm getting a 403: Forbidden error thrown back.
I've seen comments from other posts where they needed to append the staging environment at the end of the request, but this isn't the case in this instance as it's just creating a default endpoint, and all other lambdas within this service can be hit when run on dev; it's just this one that makes a call to another APIGateway API.
The calling API is behind an authorizer with a wildcard policy, so it should allow all traffic, and I'd like to reiterate that it works on both localhost and a direct call to the invoked API.
I'm wondering if it's something to do with the policies attached to it, but I've set them all to be wildcarded as well, so it should allow everything.
Any ideas would be really helpful; I've been wracking my brains over this all day.
Edit: The authorizer has no policy denying access to the API, same as the resource policy.
There are two common reasons why an API Gateway REST API with a Lambda authorizer returns a 403 error:
The first is that the Lambda authorizer function returns an AWS Identity and Access Management (IAM) policy document that explicitly denies access to the caller.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html
The second is that the API has an attached resource policy that explicitly denies access to the caller.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html
If both are in place, please update the question with those details.

AWS Lambda forbidden error via api gateway get request

I am currently working on AWS and have an API Gateway with one GET request. I then have a Lambda which I call via the API Gateway.
So when I now call the gateway, passing the access token as generated from IAM when logging in, it throws an error:
{
"message": "Unauthorized"
}
I thought it might have been the gateway, but it actually hits the Lambda, as I did a console log in there. So I'm not sure how else I can check what it could be.
I am using Lambda proxy integration.
Any tips?
Cheers

How should I diagnose an HTTP request 500 that appears to be related to Authorizers in AWS API Gateway?

I am brand new to AWS API Gateway/AWS Lambda/AWS Amplify. I have a React Native application that I am trying to use AWS Amplify to make an API call and issue a PUT request, which would then cause the API Gateway to invoke my AWS Lambda function. When I create the AWS Amplify API endpoint, I don't see a command line option to define a PUT method. The default is "Any", which works, but I would like to specify a PUT method specifically. When I add in a PUT method manually on the API Gateway website and then call it from my React Native front end, I get...
Error: Request failed with status code 500
Looking at the API Gateway responses, this is due to either an "Authorizer Configuration Error" or an "Authorizer Failure", so I am assuming the problem is not with my front end code but with the configuration of "authorizers" on the API Gateway. What are authorizers? How do they relate to making an API call? And what steps can I take to troubleshoot what the problem might be?
You can use a Lambda, a Cognito User Pool or an IAM role as an Authorizer. The short version is that your API endpoints can either be open and public or have an Authorizer; if they have an Authorizer, then it has to be set up correctly. It is set through the API Gateway config for an endpoint in the Method Request section.
AWS Lambda authorizer info:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
AWS Cognito Info:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

Not able to access api gateway through user credentials

I have created an API Gateway with AWS_IAM authentication. I need to access that API Gateway, so I created one user and gave that user the AmazonAPIGatewayInvokeFullAccess policy.
But I am not able to call that API. I am getting the error:
"user arn:aws:iam::######:user/username is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:region:####:#####/stage/method/path"
Whereas when I go to the AWS console and try to simulate that policy, it allows me to invoke that API.
I tried https://www.youtube.com/watch?v=KXyATZctkmQ . But it's not working. Please let me know if anyone has gone through this and tried something to solve it before. Thanks
