
create custom authorizer within CLI - manually created authorizer will be overwritten

Open blomm opened this issue 6 years ago • 24 comments

Is your feature request related to a problem? Please describe.

Yes, I am unable to configure a custom authorizer (cognito) with the CLI, and also unable to use the CLI to set my api gateway to use COGNITO_USER_POOLS

Describe the solution you'd like

Something similar to the suggestion in this closed (inactivity) issue: https://github.com/aws-amplify/amplify-js/issues/1702

```yaml
Authorizer:
  Name: CustomerCognitoAuthorizer
  Type: COGNITO_USER_POOLS
  ProviderARNs:
    - !Ref CustomerCognitoPoolARN
  IdentitySource: "method.request.header.Authorization"
```

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

I've tried to manually create the "custom authorizer", but every time I `amplify push` it gets overwritten/removed.

amplify-API docs mention:

"Cognito User Pools Authorization: You can use the JWT token provided by the Authentication API to authenticate against API Gateway directly when using a custom authorizer." ...but I can't find a way to create this custom authorizer in the CLI. Am I just going about this the wrong way??

blomm avatar Nov 04 '19 13:11 blomm

thanks @Ashish5591, surely it must be possible to use COGNITO_USER_POOLS with the cli? do you know what I'm doing wrong?

blomm avatar Nov 05 '19 07:11 blomm

any thoughts @attilah ?

blomm avatar Nov 07 '19 12:11 blomm

@blomm At the moment, the CLI doesn't support Cognito custom authorizers out of the box (although you can modify the APIGW CloudFormation template and manage it yourself). Having said that, the CLI does support IAM authorization, which works well with Cognito Identity and user pools.

kaustavghosh06 avatar Nov 07 '19 19:11 kaustavghosh06

thanks very much @kaustavghosh06 , can you steer me towards some documentation on implementing this?

blomm avatar Nov 30 '19 08:11 blomm

@kaustavghosh06 I've investigated rolling my own CloudFormation template for a custom authorizer, and it's way too complicated. I'm just going to end up breaking my existing Amplify-generated template. The other option of using IAM is not much easier. I'm roughly following this: "fine-grained authorization using Amazon Cognito User Pools groups". The user pool and identity pool get created for me with auth in Amplify.

Correct me if I'm wrong but I need to then manually do the following:

  1. Create a policy that says what/how a user can query DynamoDB tables:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query"
      ],
      "Resource": [
        "arn:aws:dynamodb:eu-west-1:<account-id>:table/<my-table>"
      ]
    }
  ]
}
```

  2. Create a role, add the above policy to this role.
  3. Create a Cognito group (myGroup), attach the above role to the group.
  4. Attach myGroup to the desired Cognito users.

I've done all the above, I log in with a cognito user who belongs to myGroup and now I'm trying to pass my auth token from the frontend to api-gateway:

  • on the frontend I call Auth.currentSession() which returns currentUser

  • I add to my Headers a Authorization property and set to currentUser.getIdToken().getJwtToken()

When I decode my JWT token, I can see that my user belongs to the group myGroup. But my attempts to call my API Gateway endpoint result in 403s.

So, I dig a bit more and I find out that:

when you change to use AWS_IAM as the authorizer for your API Gateway method the request must now contain specific amazon headers and not just Authorization header.

Is there some documentation on how amplify creates and implements the necessary signed header for us?

blomm avatar Dec 02 '19 17:12 blomm
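The 403 in the comment above is what an AWS_IAM method returns when the request carries only a Cognito ID token: API Gateway expects a Signature Version 4 signature over the request, computed with the temporary credentials the Cognito Identity Pool issues for the user's role. The following is an added example, not Amplify's own code, showing the headers such a request must carry. It assumes Node's `crypto` module, a constructed host name, and placeholder credentials; the known AWS test vector for the IAM service (access key `AKIDEXAMPLE`, timestamp `20150830T123600Z`) is the only real reference value.

```typescript
// Added example (not Amplify's code): a minimal SigV4 signer that builds the
// headers API Gateway checks on a method with AWS_IAM authorization. Amplify's
// API category does this internally with the Identity Pool credentials; a
// Cognito ID token in "Authorization" alone is rejected with 403.
import { createHash, createHmac } from 'crypto';

export interface SigV4Request {
  method: string;
  host: string;
  path: string;                      // already URI-encoded, e.g. "/items"
  query?: Record<string, string>;
  headers?: Record<string, string>;
  body?: string;
}

export interface AwsCredentials {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken?: string;             // set for STS / Identity Pool credentials
}

const sha256Hex = (data: string): string =>
  createHash('sha256').update(data, 'utf8').digest('hex');
const hmacSha256 = (key: string | Uint8Array, data: string) =>
  createHmac('sha256', key).update(data, 'utf8').digest();

// SigV4 wants strict RFC 3986 encoding; encodeURIComponent leaves !'()* alone.
function awsUriEncode(s: string): string {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// amzDate is the ISO 8601 basic timestamp ("20150830T123600Z") so the result
// is deterministic here; a real client uses the current UTC time.
export function signV4(req: SigV4Request, creds: AwsCredentials, region: string,
                       service: string, amzDate: string): Record<string, string> {
  const dateStamp = amzDate.slice(0, 8);
  const payloadHash = sha256Hex(req.body ?? '');

  // 1. Canonical headers: lowercase names, trimmed values, sorted by name.
  //    host and x-amz-date must be signed, and the session token if present.
  const raw: Record<string, string> = { ...(req.headers ?? {}), host: req.host, 'x-amz-date': amzDate };
  if (creds.sessionToken) raw['x-amz-security-token'] = creds.sessionToken;
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(raw)) lower[k.toLowerCase()] = v.trim().replace(/\s+/g, ' ');
  const names = Object.keys(lower).sort();
  const canonicalHeaders = names.map((k) => `${k}:${lower[k]}\n`).join('');
  const signedHeaders = names.join(';');

  // 2. Canonical query string: encoded key=value pairs sorted by key.
  const canonicalQuery = Object.entries(req.query ?? {})
    .map(([k, v]) => [awsUriEncode(k), awsUriEncode(v)])
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');

  const canonicalRequest = [req.method.toUpperCase(), req.path, canonicalQuery,
    canonicalHeaders, signedHeaders, payloadHash].join('\n');

  // 3. The string to sign binds the request hash to date, region and service,
  //    so a captured signature cannot be replayed against another API.
  const scope = `${dateStamp}/${region}/${service}/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');

  // 4. Derive the signing key; the long-term secret never signs the request directly.
  const kDate = hmacSha256('AWS4' + creds.secretAccessKey, dateStamp);
  const kRegion = hmacSha256(kDate, region);
  const kService = hmacSha256(kRegion, service);
  const kSigning = hmacSha256(kService, 'aws4_request');
  const signature = hmacSha256(kSigning, stringToSign).toString('hex');

  return {
    ...lower,
    authorization: `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
      `SignedHeaders=${signedHeaders}, Signature=${signature}`,
  };
}

// A call to an Amplify REST API (service "execute-api") with Identity Pool
// credentials. Host, keys and token are constructed placeholders.
export function exampleApiGatewayHeaders(): Record<string, string> {
  return signV4(
    { method: 'GET', host: 'abc123.execute-api.eu-west-1.amazonaws.com', path: '/dev/items' },
    { accessKeyId: 'ASIAEXAMPLE', secretAccessKey: 'constructed-secret', sessionToken: 'constructed-session-token' },
    'eu-west-1', 'execute-api', '20191202T170000Z');
}
```

The practical consequence for the setup described in the comment: with AWS_IAM on the method, the group membership in the ID token is never read by API Gateway. The token is exchanged at the Identity Pool for credentials of the group's role, and it is that role's policy (the DynamoDB statement above) that decides the outcome; the browser then has to send `x-amz-date`, `x-amz-security-token` and the SigV4 `Authorization` header rather than the raw JWT, which is exactly what Amplify's `API` module does when the REST endpoint is configured with IAM.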

Hi @kaustavghosh06, Do you know if anyone on your side is currently working on supporting custom authorizers (with cognito user pools)? I'm probably going to need to abandon Amplify and switch to using Serverless (where custom authorizers works very well) until this has been implemented.

blomm avatar Dec 04 '19 15:12 blomm

We are currently stuck with the same issue. We currently configure the authorizer and the gateway by hand, but we have to redo it every time we add a new path, as that overwrites the configuration. I'm now investigating editing the CloudFormation templates manually. Is there any example of how to do that? Doing it with the API would be preferred though, to avoid conflicts with changes done by Amplify.

steffengr avatar Dec 05 '19 07:12 steffengr

Hi @steffengr, for documentation, I found the link below and started to have a crack at rolling my own CloudFormation template, but I've found the Amplify CloudFormation stuff to be like a house of cards (the number of times I've started my backend over again from scratch), so I'm frightened to touch it. If you figure it out, let me know please, and also as I said, Serverless implements it really easily: a few lines in the yml file, and you're good. So it's possible to just use Amplify for storage or auth and leave the API Gateway / Lambda scaffolding work to Serverless. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html

blomm avatar Dec 05 '19 08:12 blomm

Thanks for the report @blomm & @steffengr ! This looks quite involved as it stands. Is there any update on this @UnleashedMind & team? Is this in the roadmap at all ?

Cheers,

Kyle

kylekirkby avatar Feb 25 '20 23:02 kylekirkby

Thanks @kylekirkby , Serverless support this custom authorizer directly from the yml file, so it shouldn't be too big a task, just a matter of setting up the code to generate the cloudformation, and add this as a step in the cli

blomm avatar Feb 26 '20 06:02 blomm

@attilah @kaustavghosh06 any idea if this is doable? Would be awesome to have Lambda authorizers added so we can provide a custom Lambda function for authenticating users. I've got a SaaS product which creates multiple API keys for users' projects, and currently I'm doing the lookup of the API key via the Lambda function that does the business logic. I'd love to be able to separate this logic out for checking if their API key is valid so this can be re-used easily across functions.

kylekirkby avatar Jun 17 '20 07:06 kylekirkby

Same issue here. Appreciate sharing any ETA on this.

nguyenan avatar Dec 16 '20 04:12 nguyenan

@attilah @kaustavghosh06 @powerful23 @dabit3, can you use any of your special powers to get this issue expedited?

kylekirkby avatar Dec 16 '20 08:12 kylekirkby

Hey @kylekirkby, checking on this now.

dabit3 avatar Dec 22 '20 20:12 dabit3

It's such a huge issue how is this not a priority?

neilellis avatar Jun 14 '21 16:06 neilellis

Is this issue not a priority @dabit3? Like @steffengr, our team is currently just manually updating the authorizers every time we make a change to our API and deploy to our prod environment. This seems like an oversight, and one should be able to configure custom authorizers via the CLI in some way.

renellc avatar Oct 29 '21 16:10 renellc

+1

spc16670 avatar Dec 11 '21 11:12 spc16670

+1

merlindemon avatar Jan 27 '22 02:01 merlindemon

+1

nikhuber avatar Jan 30 '22 10:01 nikhuber

+1

tusil avatar Feb 13 '22 13:02 tusil

+1

samuelrbrt avatar Jul 19 '22 06:07 samuelrbrt

It's been 3 years, any updates on this?

jk171505 avatar Nov 07 '22 20:11 jk171505

This issue along with not being able to pull manual console changes is just ridiculous. This project could have been something great.

tunstek avatar Jan 12 '23 11:01 tunstek

I know it's not a CLI integration, but you can create an API override specifically for this issue, as described in this article.

https://docs.amplify.aws/javascript/build-a-backend/restapi/override-api-gateway/

dklein1211 avatar Jan 11 '24 23:01 dklein1211
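The override mechanism linked above is the supported way to keep a Cognito User Pools authorizer across `amplify push`, because the override runs against the regenerated template on every push instead of being overwritten by it. The following is an added sketch, not code from the Amplify docs or CLI, of what `amplify/backend/api/<apiName>/override.ts` can do. It assumes that the generated REST API body is OpenAPI with one `x-amazon-apigateway-any-method` per path (as Amplify's Lambda-proxy templates are) and that a template parameter named `AuthCognitoUserPoolId` carries the user pool id; that parameter name is a placeholder, check the generated template for the real one. The real file imports `AmplifyApiRestResourceStackTemplate` from `@aws-amplify/cli-extensibility-helper`; the small interface below mirrors only the two members used so the function runs stand-alone.

```typescript
// Added example (not from the Amplify docs or CLI): override.ts sketch that
// attaches a Cognito User Pools authorizer to every proxied path of an
// Amplify-generated REST API. Minimal interface standing in for
// AmplifyApiRestResourceStackTemplate.restApi (a CfnRestApi).
type Json = Record<string, unknown>;

export interface RestApiResource {
  body: { securityDefinitions?: Json; paths: Record<string, Json> };
  addPropertyOverride(path: string, value: unknown): void;
}
export interface RestApiStackTemplate { restApi: RestApiResource; }

// Assumed name of the template parameter holding the user pool id.
const USER_POOL_ID_PARAM = 'AuthCognitoUserPoolId';
const SECURITY_NAME = 'CognitoUserPool';
const ANY_METHOD = 'x-amazon-apigateway-any-method';

// OpenAPI security definition API Gateway turns into a COGNITO_USER_POOLS
// authorizer; "name"/"in" set the identity source to the Authorization header.
export function cognitoSecurityDefinition(userPoolIdParam: string): Json {
  return {
    type: 'apiKey',
    name: 'Authorization',
    in: 'header',
    'x-amazon-apigateway-authtype': 'cognito_user_pools',
    'x-amazon-apigateway-authorizer': {
      type: 'cognito_user_pools',
      providerARNs: [{
        'Fn::Join': ['', [
          'arn:aws:cognito-idp:', { Ref: 'AWS::Region' }, ':',
          { Ref: 'AWS::AccountId' }, ':userpool/', { Ref: userPoolIdParam },
        ]],
      }],
    },
  };
}

// Returns the paths whose ANY method now requires the Cognito authorizer.
export function override(resources: RestApiStackTemplate): string[] {
  const api = resources.restApi;

  // Keep Amplify's existing definitions (e.g. sigv4) and add ours.
  api.addPropertyOverride('Body.securityDefinitions', {
    ...(api.body.securityDefinitions ?? {}),
    [SECURITY_NAME]: cognitoSecurityDefinition(USER_POOL_ID_PARAM),
  });

  const touched: string[] = [];
  for (const path of Object.keys(api.body.paths)) {
    // Only the ANY method is protected; the OPTIONS (CORS preflight) method
    // Amplify generates stays open, otherwise browsers cannot preflight.
    if (!(ANY_METHOD in api.body.paths[path])) continue;
    api.addPropertyOverride(`Body.paths.${path}.${ANY_METHOD}.security`,
      [{ [SECURITY_NAME]: [] }]);
    touched.push(path);
  }
  return touched;
}
```

Two caveats worth checking before relying on this. First, `addPropertyOverride` splits its path on dots, so a route segment containing a `.` needs the `\.` escaping the underlying CDK override API uses; the usual `/items` and `/items/{proxy+}` keys are fine. Second, once the method's `security` is the Cognito definition instead of `sigv4`, the frontend must send the user pool ID token in the `Authorization` header and must no longer SigV4-sign the call, so the Amplify API client configuration for that endpoint has to change with it.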