Serverless, AWS API Gateway and Authentication

Posted: 2017-07-18 00:31:25

Just a note2self really.

Setting up Auth was super easy

As seen below, I had to add the authorizer setting to my serverless.yml:

  addQuote:
    handler: quote/handler.add
    events:
      - http:
          path: quote
          method: post
          cors: true
          authorizer: aws_iam

From here I then needed the client, in this case Postman, to pass an AWS key and secret made for this app (the request is signed with them using AWS Signature Version 4).

When making the user, I attached this policy to it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": "arn:aws:execute-api:us-east-1:AWS_ID:*/dev/POST/quote"
        }
    ]
}

I can easily make this in the serverless.yml file by adding the following:


resources:
  Resources:
    s3Data:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: "${self:custom.bucket}"
        VersioningConfiguration:
          Status: Enabled
    quotePolicy:
      Type: AWS::IAM::Policy
      Properties:
        PolicyName: "serverless-quotes-policy-${opt:stage, self:provider.stage}"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "execute-api:Invoke"
              Resource: "arn:aws:execute-api:#{AWS::Region}:#{AWS::AccountId}:*/${opt:stage, self:provider.stage}/POST/quote"
        Users:
          - "serverless-quotes-${opt:stage, self:provider.stage}"
      DependsOn:
        - authUser
    userKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName: "serverless-quotes-${opt:stage, self:provider.stage}"
      DependsOn:
        - authUser
    authUser:
      Type: AWS::IAM::User
      Properties:
        UserName: "serverless-quotes-${opt:stage, self:provider.stage}"
  Outputs:
    UserSecret:
      Description: The user secret
      Value:
        "Fn::GetAtt": [ userKey, SecretAccessKey ]
    UserKey:
      Description: The user key
      Value:
        "Ref": userKey

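This is after adding the serverless-pseudo-parameters plugin, which is what makes the #{AWS::Region} and #{AWS::AccountId} placeholders work; see link below.

Now when I run sls deploy --stage dev I get the User, IAM policy, Key and Secret (via the web UI output), which I then need to access this URL. The secret stays visible in the stack's Outputs to anyone allowed to describe the stack.

That was it. With serverless.com I could also have limited the stage and production builds to a unique user per stack.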

Links

https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html

https://serverless.com/framework/docs/providers/aws/guide/serverless.yml/#serverlessyml-reference