[aws-apigateway] impossible to remove default method authorization
It seems not possible to remove authorization for API Gateway methods if it is defined in defaultMethodOptions on RestApi level.
Reproduction Steps
First I create RestApi Gateway (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html) with custom authorizer set by default for all methods:
var apiGw = RestApi.Builder.create(scope, "Stack-RestApi")
    .defaultMethodOptions(MethodOptions.builder()
        .apiKeyRequired(Boolean.FALSE)
        .authorizationType(AuthorizationType.CUSTOM)
        .authorizer(authorizer)
        .build())
    ...
And then in resources stack I try to create documentation Method (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.Method.html) with security disabled:
Method.Builder builder = Method.Builder.create(scope, "Stack-ApiInfoMethodGET")
    .options(MethodOptions.builder()
        .apiKeyRequired(Boolean.FALSE)
        .authorizationType(AuthorizationType.NONE)
        .authorizer(null) // tried to reset authorizer also
        .build())
    ...
Error Log
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:1.6.0:java (default-cli) on project cdk-stacks: An exception occured while executing the Java class. Stack-ApiGwResource/Stack-ApiInfoResource/GET - Authorization type is set to NONE which is different from what is required by the authorizer [CUSTOM]
[ERROR] Error: Stack-ApiGwResource/Stack-ApiInfoResource/GET - Authorization type is set to NONE which is different from what is required by the authorizer [CUSTOM]
[ERROR] at new Method (/tmp/jsii-kernel-TH8eSk/node_modules/@aws-cdk/aws-apigateway/lib/method.js:27:19)
[ERROR] at /tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7906:49
[ERROR] at Kernel._wrapSandboxCode (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:8382:19)
[ERROR] at Kernel._create (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7906:26)
[ERROR] at Kernel.create (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7650:21)
[ERROR] at KernelHost.processRequest (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7439:28)
[ERROR] at KernelHost.run (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7377:14)
[ERROR] at Immediate._onImmediate (/tmp/jsii-java-runtime16647868641746308035/jsii-runtime.js:7380:37)
[ERROR] at processImmediate (internal/timers.js:456:21)
Environment
- CLI Version : 1.47.0
- Framework Version: 1.47.0
- Node.js Version: v12.18.1
- OS : Ubuntu Linux
- Language (Version): Java 11
Other
It is still possible to override these settings as described in https://github.com/aws/aws-cdk/issues/8615:
var cfnMethod = (CfnMethod) method.getNode().getDefaultChild();
cfnMethod.addPropertyOverride("ApiKeyRequired", false);
cfnMethod.addPropertyOverride("AuthorizationType", "NONE");
cfnMethod.addPropertyDeletionOverride("AuthorizerId");
and then stack is created with correct Method-level security settings.
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:8
- Comments:9 (3 by maintainers)
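An added example, not part of the original issue or of the CDK code base: the workaround above rewrites the raw `AuthorizationType` and `AuthorizerId` properties, so a check over the synthesized template shows which methods end up unauthenticated and whether an override left the two properties inconsistent. The template fragment, logical IDs and allowlist are constructed for illustration.

```python
import json

# Constructed fragment of a synthesized template (logical IDs are made up).
TEMPLATE = json.loads("""
{"Resources": {
  "Authorizer": {"Type": "AWS::ApiGateway::Authorizer", "Properties": {"Type": "TOKEN"}},
  "OrdersPOST": {"Type": "AWS::ApiGateway::Method", "Properties": {
    "HttpMethod": "POST", "AuthorizationType": "CUSTOM", "AuthorizerId": {"Ref": "Authorizer"}}},
  "ApiInfoGET": {"Type": "AWS::ApiGateway::Method", "Properties": {
    "HttpMethod": "GET", "AuthorizationType": "NONE", "ApiKeyRequired": false}},
  "AdminGET": {"Type": "AWS::ApiGateway::Method", "Properties": {
    "HttpMethod": "GET", "AuthorizationType": "NONE", "AuthorizerId": {"Ref": "Authorizer"}}},
  "HealthGET": {"Type": "AWS::ApiGateway::Method", "Properties": {
    "HttpMethod": "GET", "AuthorizationType": "NONE"}}
}}
""")

# Authorization types that only make sense together with an AuthorizerId.
NEEDS_AUTHORIZER = {"CUSTOM", "COGNITO_USER_POOLS"}


def audit_methods(template, allowed_open=()):
    """Return (logical_id, problem) pairs for AWS::ApiGateway::Method resources.

    allowed_open lists the logical IDs that are meant to be reachable
    without authorization (for example a documentation endpoint).
    """
    findings = []
    for lid, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = res.get("Properties", {})
        auth = props.get("AuthorizationType")
        has_authorizer = "AuthorizerId" in props
        if auth in NEEDS_AUTHORIZER and not has_authorizer:
            findings.append((lid, f"{auth} without AuthorizerId"))
        elif auth not in NEEDS_AUTHORIZER and has_authorizer:
            # e.g. AuthorizationType overridden but AuthorizerId not deleted
            findings.append((lid, f"AuthorizerId left on {auth} method"))
        elif auth in (None, "NONE") and lid not in allowed_open:
            findings.append((lid, "unauthenticated method not on allowlist"))
    return findings


if __name__ == "__main__":
    for lid, problem in audit_methods(TEMPLATE, allowed_open={"ApiInfoGET"}):
        print(f"{lid}: {problem}")
```

To run it against a real stack, load the `*.template.json` file that `cdk synth` writes under `cdk.out/` in place of the constructed `TEMPLATE`.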
Top GitHub Comments
@mattsenior absolutely right, probably fool moon on top of my JS syntax ignorance 😉
facing the same issue as well with IAM:
this is the part of code that does the check: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apigateway/lib/method.ts#L187-L198
and this is the test that covers it: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apigateway/test/method.test.ts#L700-L716
I’m trying to understand the reason for enforcing all routes to use the “default authorizer” while API Gateway does allow having a route that uses Cognito and another one that uses IAM (e.g. for internal services).
I think the only check that makes sense to do is the one covered by this other test: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apigateway/test/method.test.ts#L685-L698