Invalid CloudFormation Template when using Custom Authorizer ARN
aleksdikanski opened this issue
Hi,
I ran into an issue when using APIG custom authorizers, if the authorizers are not part of the project but are referenced by an ARN.
Running `serverless deploy` will fail with the following error due to invalid parts of the AuthorizerUrl:
```
Serverless Error ---------------------------------------
An error occurred: RoleApiGatewayAuthorizerdev - Invalid Authorizer URI: :${stageVariables.SERVERLESS_ALIAS}arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789:function:authorizer/invocations.
Authorizer URI should be a valid API Gateway ARN that represents a Lambda function invocation..
```
As an example I have this service, which references a custom authorizer within the project:
```yaml
# serverless.yml
functions:
  authorize:
    handler: com.serverless.Authorizer
  create:
    handler: com.serverless.CreateHandler
    events:
      - http:
          path: /test
          method: POST
          authorizer: authorize
```
which results in the correct CF template:
```json
"AuthorizeApiGatewayAuthorizerdev": {
  "Type": "AWS::ApiGateway::Authorizer",
  "Properties": {
    "IdentitySource": "method.request.header.Authorization",
    "Name": "authorize-dev",
    "RestApiId": {
      "Ref": "ApiGatewayRestApi"
    },
    "AuthorizerUri": {
      "Fn::Join": [
        "",
        [
          "arn:aws:apigateway:",
          {
            "Ref": "AWS::Region"
          },
          ":lambda:path/2015-03-31/functions/",
          {
            "Fn::GetAtt": [
              "AuthorizeLambdaFunction",
              "Arn"
            ]
          },
          ":${stageVariables.SERVERLESS_ALIAS}",
          "/invocations"
        ]
      ]
    },
    "Type": "TOKEN"
  }
}
```
Using a referenced custom authorizer (which is supported by the serverless framework) produces an erroneous CF template:
```yaml
functions:
  create:
    handler: com.serverless.CreateHandler
    events:
      - http:
          path: /test
          method: POST
          authorizer: arn:aws:lambda:${self:provider.region}:${opt:account}:function:authorize
```
```json
"AuthorizeApiGatewayAuthorizerdev": {
  "Type": "AWS::ApiGateway::Authorizer",
  "Properties": {
    "IdentitySource": "method.request.header.Authorization",
    "Name": "authorize-dev",
    "RestApiId": {
      "Ref": "ApiGatewayRestApi"
    },
    "AuthorizerUri": {
      "Fn::Join": [
        "",
        [
          ":${stageVariables.SERVERLESS_ALIAS}",
          "arn:aws:apigateway:",
          {
            "Ref": "AWS::Region"
          },
          ":lambda:path/2015-03-31/functions/",
          "arn:aws:lambda:us-east-1:274712788788:function:authorize",
          "/invocations"
        ]
      ]
    },
    "Type": "TOKEN"
  }
}
```
I also noticed null values in the `DependsOn` section of the Permissions for the custom authorizer lambda, as well as a missing `FunctionName`, which seem to stem from a similar cause as mentioned in #83:
```json
"AuthorizeLambdaPermissionApiGateway": {
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "FunctionName": {},
    "Action": "lambda:InvokeFunction",
    "Principal": "apigateway.amazonaws.com"
  },
  "DependsOn": [
    null,
    null
  ]
}
```
@aleksdikanski Good catch. I fully agree that referencing already existing authorizers should be possible and using authorizers that are referenced by only an ARN should be supported.
I will have a look at the PR soon.
Solved by #102
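
A pre-deploy check for the defects reported in this issue (misordered `AuthorizerUri` parts, empty `FunctionName`, null `DependsOn` entries), as an added example that is not part of the thread or of the plugin's code. The function names, the placeholder region and account id, and the `REORDERED` sample (same parts in the order of the working template, not the output of #102) are assumptions.

```javascript
// Added example (not plugin code): lint a compiled CloudFormation template before deploying it.

// Render an Fn::Join value to a string; intrinsics become placeholder values (assumed).
function renderJoin(value) {
  if (typeof value === 'string') return value;
  const join = value && value['Fn::Join'];
  if (!Array.isArray(join) || !Array.isArray(join[1])) return null;
  return join[1].map((p) => {
    if (typeof p === 'string') return p;
    if (p && p.Ref === 'AWS::Region') return 'us-east-1';
    if (p && p['Fn::GetAtt']) return 'arn:aws:lambda:us-east-1:000000000000:function:placeholder';
    return '<unresolved>';
  }).join(join[0]);
}

// API Gateway ARN wrapping a Lambda ARN, optional ":qualifier", then "/invocations".
const AUTHORIZER_URI = new RegExp('^arn:aws:apigateway:[a-z0-9-]+:lambda:path/2015-03-31/functions/' +
  'arn:aws:lambda:[a-z0-9-]+:\\d+:function:[A-Za-z0-9_-]+(:[^/:]+)?/invocations$');

function lintTemplate(template) {
  const findings = [];
  for (const [id, res] of Object.entries(template.Resources || {})) {
    const props = res.Properties || {};
    if (res.Type === 'AWS::ApiGateway::Authorizer') {
      const uri = renderJoin(props.AuthorizerUri);
      if (uri === null || !AUTHORIZER_URI.test(uri)) findings.push(`${id}: invalid AuthorizerUri`);
    }
    if (res.Type === 'AWS::Lambda::Permission') {
      const fn = props.FunctionName; // {} or a missing value means no invoke target
      if (fn == null || (typeof fn === 'object' && Object.keys(fn).length === 0)) findings.push(`${id}: empty FunctionName`);
    }
    if (res.DependsOn !== undefined && [].concat(res.DependsOn).some((d) => typeof d !== 'string')) {
      findings.push(`${id}: non-string DependsOn entry`);
    }
  }
  return findings;
}

// Constructed samples mirroring the resources in the report (account id is a placeholder).
const prefix = ['arn:aws:apigateway:', { Ref: 'AWS::Region' }, ':lambda:path/2015-03-31/functions/'];
const lambdaArn = 'arn:aws:lambda:us-east-1:000000000000:function:authorize';
const alias = ':${stageVariables.SERVERLESS_ALIAS}';
const authorizer = (parts) => ({ Type: 'AWS::ApiGateway::Authorizer', Properties: { AuthorizerUri: { 'Fn::Join': ['', parts] } } });
const BROKEN = { Resources: {
  Auth: authorizer([alias, ...prefix, lambdaArn, '/invocations']),
  Perm: { Type: 'AWS::Lambda::Permission', Properties: { FunctionName: {} }, DependsOn: [null, null] },
} };
const REORDERED = { Resources: { Auth: authorizer([...prefix, lambdaArn, alias, '/invocations']) } };
console.log(lintTemplate(BROKEN), lintTemplate(REORDERED));
```

Running the same function over the compiled template in a CI step catches a malformed authorizer or an authorizer permission with no target before CloudFormation rejects the stack.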