[aws-apigateway] impossible to remove default method authorization

It does not seem possible to remove authorization for API Gateway methods if it is defined in defaultMethodOptions at the RestApi level.

Reproduction Steps

First I create a RestApi Gateway (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html) with a custom authorizer set by default for all methods:

        var apiGw = RestApi.Builder.create(scope, "Stack-RestApi")
                .defaultMethodOptions(MethodOptions.builder()
                        .apiKeyRequired(Boolean.FALSE)
                        .authorizationType(AuthorizationType.CUSTOM)
                        .authorizer(authorizer)
                        .build())
...

And then in the resources stack I try to create a documentation Method (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.Method.html) with security disabled:

        Method.Builder builder = Method.Builder.create(scope, "Stack-ApiInfoMethodGET")
                .options(MethodOptions.builder()
                        .apiKeyRequired(Boolean.FALSE)
                        .authorizationType(AuthorizationType.NONE)
                        .authorizer(null) // tried to reset authorizer also
                        .build())
...

Error Log

[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:1.6.0:java (default-cli) on project cdk-stacks: An exception occured while executing the Java class. Stack-ApiGwResource/Stack-ApiInfoResource/GET - Authorization type is set to NONE which is different from what is required by the authorizer [CUSTOM]
[ERROR] Error: Stack-ApiGwResource/Stack-ApiInfoResource/GET - Authorization type is set to NONE which is different from what is required by the authorizer [CUSTOM]
[ERROR]     at new Method (/tmp/jsii-kernel-TH8eSk/node_modules/@aws-cdk/aws-apigateway/lib/method.js:27:19)
[ERROR]     at /tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7906:49
[ERROR]     at Kernel._wrapSandboxCode (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:8382:19)
[ERROR]     at Kernel._create (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7906:26)
[ERROR]     at Kernel.create (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7650:21)
[ERROR]     at KernelHost.processRequest (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7439:28)
[ERROR]     at KernelHost.run (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7377:14)
[ERROR]     at Immediate._onImmediate (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7380:37)
[ERROR]     at processImmediate (internal/timers.js:456:21)

Environment

  • CLI Version : 1.47.0
  • Framework Version: 1.47.0
  • Node.js Version: v12.18.1
  • OS : Ubuntu Linux
  • Language (Version): Java 11

Other

It is still possible to override these settings as described in https://github.com/aws/aws-cdk/issues/8615

        var cfnMethod = (CfnMethod) method.getNode().getDefaultChild();
        cfnMethod.addPropertyOverride("ApiKeyRequired", false);
        cfnMethod.addPropertyOverride("AuthorizationType", "NONE");
        cfnMethod.addPropertyDeletionOverride("AuthorizerId");

and then the stack is created with correct Method-level security settings.


This is 🐛 Bug Report
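
A check to go with the override workaround above, as an added example (not code from the issue or from the CDK project): the overrides are written straight into the CloudFormation resource, so a CI step can read the synthesized template and report every method that ends up without authorization. The template, logical IDs, finding names and allowlist below are constructed for illustration.

```python
import json

# Constructed sample of a synthesized template (the kind `cdk synth` writes);
# logical IDs and property values are made up for illustration.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "ApiInfoGET": {"Type": "AWS::ApiGateway::Method",
    "Properties": {"HttpMethod": "GET", "AuthorizationType": "NONE",
                   "ApiKeyRequired": false}},
  "OrdersPOST": {"Type": "AWS::ApiGateway::Method",
    "Properties": {"HttpMethod": "POST", "AuthorizationType": "CUSTOM",
                   "AuthorizerId": {"Ref": "Authorizer"}}},
  "DebugGET": {"Type": "AWS::ApiGateway::Method",
    "Properties": {"HttpMethod": "GET", "AuthorizationType": "NONE",
                   "AuthorizerId": {"Ref": "Authorizer"}}},
  "Authorizer": {"Type": "AWS::ApiGateway::Authorizer", "Properties": {}}
}}
""")


def audit_methods(template, allowed_open):
    """Return sorted (logical_id, finding) pairs for AWS::ApiGateway::Method."""
    findings = []
    seen_open = set()
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = resource.get("Properties", {})
        # Assumption: a missing AuthorizationType is reviewed like NONE.
        if props.get("AuthorizationType", "NONE") != "NONE":
            continue
        seen_open.add(logical_id)
        if logical_id not in allowed_open:
            findings.append((logical_id, "unauthenticated-not-allowlisted"))
        if "AuthorizerId" in props:
            # Override applied only in part: type reset, authorizer left behind.
            findings.append((logical_id, "none-with-authorizer-id"))
    for logical_id in set(allowed_open) - seen_open:
        # Allowlist entry no longer matches an open method: prune it.
        findings.append((logical_id, "stale-allowlist-entry"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, finding in audit_methods(SAMPLE_TEMPLATE, {"ApiInfoGET"}):
        print(f"{logical_id}: {finding}")
```

Failing the build on any finding keeps the list of intentionally public methods explicit and reviewed.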

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 8
  • Comments: 9 (3 by maintainers)

Top GitHub Comments

1 reaction
erik-sab commented, Oct 5, 2020

@mattsenior absolutely right, probably full moon on top of my JS syntax ignorance 😉

0 reactions
mirgj commented, Nov 25, 2022

facing the same issue as well with IAM:

Authorization type is set to AWS_IAM which is different from what is required by the authorizer [COGNITO_USER_POOLS]

this is the part of code that does the check: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apigateway/lib/method.ts#L187-L198

and this is the test that covers it: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apigateway/test/method.test.ts#L700-L716

I’m trying to understand the reason for enforcing all routes to use the “default authorizer” while API Gateway does allow having a route that uses Cognito and another one that uses IAM (e.g. for internal services for example).

I think the only check that makes sense to do is the one covered by this other test: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apigateway/test/method.test.ts#L685-L698
