Serverless, AWS API Gateway and Authentication
Just a note2self really.
Setting up auth was super easy.
As seen below, I had to add authorizer: aws_iam to the http event in my serverless.yml:

    addQuote:
      handler: quote/handler.add
      events:
        - http:
            path: quote
            method: post
            cors: true
            authorizer: aws_iam

From here the client, in this case Postman, needed to pass an AWS key and secret made for this app.
When making the user I attached this policy to the user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "execute-api:Invoke"
          ],
          "Resource": "arn:aws:execute-api:us-east-1:AWS_ID:*/dev/POST/quote"
        }
      ]
    }

I can easily make this in the serverless.yml file by adding the following:

    resources:
      Resources:
        s3Data:
          Type: AWS::S3::Bucket
          Properties:
            BucketName: "${self:custom.bucket}"
            VersioningConfiguration:
              Status: Enabled
        quotePolicy:
          Type: AWS::IAM::Policy
          Properties:
            PolicyName: "serverless-quotes-policy-${opt:stage, self:provider.stage}"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                -
                  Effect: "Allow"
                  Action:
                    - "execute-api:Invoke"
                  Resource: "arn:aws:execute-api:#{AWS::Region}:#{AWS::AccountId}:*/${opt:stage, self:provider.stage}/POST/quote"
            Users:
              - "serverless-quotes-${opt:stage, self:provider.stage}"
          DependsOn:
            - authUser
        userKey:
          Type: AWS::IAM::AccessKey
          Properties:
            UserName: "serverless-quotes-${opt:stage, self:provider.stage}"
          DependsOn:
            - authUser
        authUser:
          Type: AWS::IAM::User
          Properties:
            UserName: "serverless-quotes-${opt:stage, self:provider.stage}"
      Outputs:
        UserSecret:
          Description: The user secret
          Value:
            "Fn::GetAtt": [ userKey, SecretAccessKey ]
        UserKey:
          Description: The user key
          Value:
            "Ref": userKey

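This is after adding the serverless-pseudo-parameters plugin, which provides the #{AWS::Region} and #{AWS::AccountId} syntax; see link below.
Now when I run sls deploy --stage dev I get the User, IAM, Key and Secret (via the web UI output), which I then need to access this URL. Because the secret is a stack output, it is shown in plain text to anyone who can view or describe the stack.
That was it. With serverless.com I could also have limited stage and production builds to a unique user per stack.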
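
What a client such as Postman does with the key and secret when calling the aws_iam-protected POST /quote endpoint, as an added example that is not part of the original note: a minimal AWS Signature Version 4 signer using only the standard library. The API id abc123, the access key, the secret and the request body are constructed placeholders, and the sketch assumes a JSON body and no query string.

```python
import datetime
import hashlib
import hmac
from urllib.parse import urlparse


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_request(method, url, body, access_key, secret_key, region, now):
    """Return the headers a SigV4 client sends to an aws_iam-protected endpoint."""
    host, path = urlparse(url).netloc, urlparse(url).path or "/"
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")

    # 1. Canonical request: method, path, (empty) query string, headers,
    #    signed-header list and the SHA-256 of the body.
    headers = {"content-type": "application/json", "host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        method, path, "",
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, hashlib.sha256(body.encode()).hexdigest(),
    ])

    # 2. String to sign ties the request to one day, region and service.
    scope = f"{date}/{region}/execute-api/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])

    # 3. Signing key is derived from the secret; the secret is never sent.
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "execute-api", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials or a real API id.
    hdrs = sign_request("POST", "https://abc123.execute-api.us-east-1.amazonaws.com/dev/quote",
        '{"quote": "hello"}', "AKIDEXAMPLE", "constructed-secret", "us-east-1",
        datetime.datetime(2024, 1, 1, 12, 0, 0))
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

Only the access key id and the signature travel with the request; a request whose body or signed headers differ from what was signed no longer matches its signature.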
Links
https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html
https://serverless.com/framework/docs/providers/aws/guide/serverless.yml/#serverlessyml-reference