Serverless, AWS API Gateway and Authentication

Posted: 2017-07-18 00:31:25

Just a note2self really.

Setting up Auth was super easy

As seen below I had to add to my serverless.yml authorizer

  addQuote:
    handler: quote/handler.add
    events:
      - http:
          path: quote
          method: post
          cors: true
          authorizer: aws_iam

authorizer: aws_iam

From here I then needed, in this case Postman, to pass an AWS KEY and SECRET made for this app.

When making the user I attached this Policy to the user

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": "arn:aws:execute-api:us-east-1:AWS_ID:*/dev/POST/quote"
        }
    ]
}

I an easily make this in the serverless.yml file by adding the following:


resources:
  Resources:
    s3Data:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: "${self:custom.bucket}"
        VersioningConfiguration:
          Status: Enabled
    quotePolicy:
      Type: AWS::IAM::Policy
      Properties:
        PolicyName: "serverless-quotes-policy-${opt:stage, self:provider.stage}"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Effect: "Allow"
              Action:
                - "execute-api:Invoke"
              Resource: "arn:aws:execute-api:#{AWS::Region}:#{AWS::AccountId}:*/${opt:stage, self:provider.stage}/POST/quote"
        Users:
          - "serverless-quotes-${opt:stage, self:provider.stage}"
      DependsOn:
        - authUser
    userKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName: "serverless-quotes-${opt:stage, self:provider.stage}"
      DependsOn:
        - authUser
    authUser:
      Type: AWS::IAM::User
      Properties:
        UserName: "serverless-quotes-${opt:stage, self:provider.stage}"

  Outputs:
      UserSecret:
        Description: The user secret
        Value:
          "Fn::GetAtt": [ userKey, SecretAccessKey ]
      UserKey:
        Description: The user key
        Value:
          "Ref": userKey

This is after adding serverless-pseudo-parameters plugin, see link below.

Now when I run sls deploy --stage dev I get the User, IAM, Key and Secret (via the webui output), then I need to access this url.

That was it. With serverless.com I could have limited stage, production builds to the unique user per stack as well.

Links

https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html

https://serverless.com/framework/docs/providers/aws/guide/serverless.yml/#serverlessyml-reference

Tags:

serverless.com aws serverless