
Invoke with caller credentials always set when Authorizer = AWS_IAM

Open hashitha opened this issue 4 years ago • 3 comments

I have the following template (default Empty Serverless Application template from AWS Visual Studio Toolkit) that always sets the Invoke with caller credentials to true and Execution role = arn:aws:iam::*:user/* when Authorizer = AWS_IAM in the template. Is there any way I can remove the Execution role and set Invoke with caller credentials = false?

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Description": "An AWS Serverless Application.",
  "Resources": {
    "Get": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "AWSServerless6::AWSServerless6.Functions::Get",
        "Runtime": "dotnetcore3.1",
        "CodeUri": "",
        "MemorySize": 256,
        "Timeout": 30,
        "Role": null,
        "Policies": [
          "AWSLambdaBasicExecutionRole"
        ],
        "Events": {
          "RootGet": {
            "Type": "Api",
            "Properties": {
              "Path": "/",
              "Method": "POST",
              "Auth": {
                "ApiKeyRequired": true,
                "Authorizer": "AWS_IAM"
              }
            }
          }
        }
      }
    }
  },
  "Outputs": {
    "ApiURL": {
      "Description": "API endpoint URL for Prod environment",
      "Value": {
        "Fn::Sub": "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
      }
    }
  }
}

This may be related to #923

hashitha avatar Sep 10 '20 08:09 hashitha

  someFunc:
    Type: AWS::Serverless::Function
    Properties:
      Handler: dist/handlers/someFunc.index
      Events:
        Api:
          Type: Api
          Properties:
            Path: /foo/bar/{id}
            Method: POST
            Auth:
              Authorizer: AWS_IAM
              ResourcePolicy:
                # https://github.com/aws/serverless-application-model/issues/1708
                AwsAccountWhitelist:
                  - arn:aws:iam::111122223333:root

Deploying this raises:

CREATE_FAILED  AWS::ApiGateway::Deployment  ServerlessRestApiDeploymente2518db414  Caller provided credentials not allowed when resource policy is set (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: __REDACTED__; Proxy: null)

Removing Authorizer: AWS_IAM makes the deployment succeed, but it ruins the resource policy since the authorizer is not set.

yskkin avatar Sep 23 '20 07:09 yskkin

Is there any update on this yet?

ben-elsen avatar Nov 25 '21 10:11 ben-elsen

As answered here, adding InvokeRole: NONE successfully removes the Execution role and unsets the Invoke with caller credentials option that seems to be set by default when AWS_IAM auth is used.

Api:
   Type: AWS::Serverless::Api
   Properties:
      Auth:
         DefaultAuthorizer: AWS_IAM
         InvokeRole: NONE
      ...

eliottparis avatar Apr 25 '22 16:04 eliottparis
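The two situations in this thread (yskkin's CREATE_FAILED when an AWS_IAM authorizer is combined with a ResourcePolicy, and eliottparis's InvokeRole: NONE fix) can be caught before `sam deploy` with a small template lint. The following is an added example, not SAM's own validation and not code from anyone in the thread. It assumes SAM's default InvokeRole value is named CALLER_CREDENTIALS, that the implicit API's logical ID is ServerlessRestApi (as the ApiURL output above shows), and that an event-level Auth.InvokeRole takes precedence over the Api-level one; both sample templates are constructed here as Python dicts (a real run would load the YAML or JSON template first).

```python
from typing import Any, Dict, List

CALLER = "CALLER_CREDENTIALS"      # SAM's default InvokeRole for AWS_IAM (assumed name)
IMPLICIT_API = "ServerlessRestApi"  # logical ID SAM gives the implicit REST API


def _api_logical_id(event_props: Dict[str, Any]) -> str:
    """Resolve RestApiId ({"Ref": "X"} or a plain string), else the implicit API."""
    ref = event_props.get("RestApiId")
    if isinstance(ref, dict) and "Ref" in ref:
        return ref["Ref"]
    if isinstance(ref, str) and ref:
        return ref
    return IMPLICIT_API


def lint_invoke_role(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per Api event protected by AWS_IAM.

    deploy_will_fail is set when the effective InvokeRole is still the
    caller-credentials default and a ResourcePolicy is in play: API Gateway
    rejects that combination ("Caller provided credentials not allowed when
    resource policy is set").
    """
    resources = template.get("Resources", {})
    api_auth_by_id = {
        name: (res.get("Properties") or {}).get("Auth") or {}
        for name, res in resources.items()
        if res.get("Type") == "AWS::Serverless::Api"
    }
    findings = []
    for fn_name, res in resources.items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        events = (res.get("Properties") or {}).get("Events") or {}
        for ev_name, ev in events.items():
            if ev.get("Type") != "Api":
                continue
            props = ev.get("Properties") or {}
            api_id = _api_logical_id(props)
            api_auth = api_auth_by_id.get(api_id, {})
            ev_auth = props.get("Auth") or {}
            # Event-level Auth overrides the API's DefaultAuthorizer (assumption).
            authorizer = ev_auth.get("Authorizer", api_auth.get("DefaultAuthorizer"))
            if authorizer != "AWS_IAM":
                continue
            invoke_role = ev_auth.get("InvokeRole", api_auth.get("InvokeRole", CALLER))
            has_policy = bool(ev_auth.get("ResourcePolicy") or api_auth.get("ResourcePolicy"))
            findings.append({
                "function": fn_name,
                "event": ev_name,
                "api": api_id,
                "invoke_role": invoke_role,
                "caller_credentials": invoke_role == CALLER,
                "deploy_will_fail": invoke_role == CALLER and has_policy,
            })
    return findings


# Constructed sample 1: the failing shape from the thread (AWS_IAM plus a
# ResourcePolicy on the implicit API, InvokeRole left at its default).
FAILING_TEMPLATE = {"Resources": {"someFunc": {
    "Type": "AWS::Serverless::Function",
    "Properties": {"Handler": "dist/handlers/someFunc.index", "Events": {"Api": {
        "Type": "Api",
        "Properties": {"Path": "/foo/bar/{id}", "Method": "POST", "Auth": {
            "Authorizer": "AWS_IAM",
            "ResourcePolicy": {"AwsAccountWhitelist": ["arn:aws:iam::111122223333:root"]},
        }},
    }}},
}}}

# Constructed sample 2: the API declared explicitly with InvokeRole: NONE
# (the fix from the last comment) and the ResourcePolicy moved to the API.
FIXED_TEMPLATE = {"Resources": {
    "Api": {"Type": "AWS::Serverless::Api", "Properties": {"StageName": "Prod", "Auth": {
        "DefaultAuthorizer": "AWS_IAM",
        "InvokeRole": "NONE",
        "ResourcePolicy": {"AwsAccountWhitelist": ["arn:aws:iam::111122223333:root"]},
    }}},
    "someFunc": {"Type": "AWS::Serverless::Function", "Properties": {
        "Handler": "dist/handlers/someFunc.index",
        "Events": {"Api": {"Type": "Api", "Properties": {
            "RestApiId": {"Ref": "Api"}, "Path": "/foo/bar/{id}", "Method": "POST",
        }}},
    }},
}}

if __name__ == "__main__":
    for label, tpl in (("failing", FAILING_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        for finding in lint_invoke_role(tpl):
            print(label, finding)
```

Run against the first template the lint reports the implicit ServerlessRestApi with invoke_role CALLER_CREDENTIALS and deploy_will_fail true; against the second it reports invoke_role NONE and no failure, which is the state the OP asked for (no execution role, caller credentials off) while keeping both the AWS_IAM authorizer and the resource policy.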