SAM Template - API Authorizer to use existing Cognito User Pool

Submitted by 妖精的绣舞 on 2021-02-11 18:20:19

Question


UPDATE: Thanks for the help!

I've updated the template.yml to include the Authorizer, but I'm getting an error still:

  HelloWorldApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Cors: "'*'"
      # Auth:
      #   DefaultAuthorizer: MyCognitoAuthorizer
      #   Authorizers:
      #     MyCognitoAuthorizer:
      #       UserPoolArn: arn:aws:cognito-idp:us-east-1:719235216593:userpool/my-user-pool-id



  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Runtime: nodejs10.x
      Events:
        HelloWorld:
          Type: Api 
          Properties:
            RestApiId: !Ref HelloWorldApi
            Path: /hello
            Method: get

  MyCognitoAuthorizer: 
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: MyAuthorizer
      Type: COGNITO_USER_POOLS
      RestApiId: !Ref HelloWorldApi
      ProviderARNs:
        - arn:aws:cognito-idp:us-east-1:719235216593:userpool/my-user-pool-id

However, I'm now getting the following when trying to create the stack:

The following resource(s) failed to create: [MyCognitoAuthorizer, HelloWorldApiDeploymentbc8438953d, HelloWorldFunctionHelloWorldPermissionProd]. . Rollback requested by user.

I did not specify the rollback, and I can't determine what is wrong with my authorizer.


ORIGINAL

I have built multiple lambdas, each having their own Api Gateway. I'm using SAM CLI to do this, and each lambda is its own project and has its own template.yml file describing the infrastructure.

Below is an example template.yml:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
    # Avoid 'implicit API' creation via SAM by explicitly defining one
    HelloWorldApi:
        Type: AWS::Serverless::Api
        Properties:
          StageName: Prod
          Cors: "'*'"


    HelloWorldFunction:
        Type: AWS::Serverless::Function 
        Properties:
          CodeUri: hello-world/
          Handler: app.lambdaHandler
          Runtime: nodejs10.x
          Events:
            HelloWorld:
              Type: Api 
              Properties:
                RestApiId: !Ref HelloWorldApi # reference defined API
                Path: /hello
                Method: get

I would now like to provide authentication for each lambda. However, I would like all the lambdas to use the same Cognito User pool. I've seen many examples that create the associated userpool with the lambda, but in this case I would end up with a new userpool for every lambda.

Is there a way I can specify within the template.yml the ARN of an existing userpool I created via the AWS console?

Note: I'm not very familiar with CloudFormation syntax, so it's preferable if this is doable with the SAM CLI template syntax.


Answer 1:


Existing resources created outside of CloudFormation can be referenced in templates by simply hardcoding the desired identifier (ARNs in this case):

    Authorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        Name: MyAuthorizer
        Type: COGNITO_USER_POOLS
        RestApiId: !Ref HelloWorldApi
        # COGNITO_USER_POOLS authorizers require the header that carries the token
        IdentitySource: method.request.header.Authorization
        ProviderARNs:
          # hardcoded Cognito User Pool ARN (placeholder values, replace with your own)
          - arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID

AWS::ApiGateway::Authorizer documentation

Cognito User Pool ARN format


You should be able to find your Cognito User Pool's ARN on Cognito's console.




Answer 2:


You should be able to specify the Authorizer in the API template:

Parameters:
  MyCognitoUserPoolArn:
    Type: String  # ARN of the existing Cognito User Pool, supplied at deploy time

Resources:
  HelloWorldApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Cors: "'*'"
      Auth:
        DefaultAuthorizer: MyCognitoAuthorizer
        Authorizers:
          MyCognitoAuthorizer:
            UserPoolArn: !Ref MyCognitoUserPoolArn

  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Runtime: nodejs10.x
      Events:
        HelloWorld:
          Type: Api
          Properties:
            RestApiId: !Ref HelloWorldApi
            Path: /hello
            Method: get

Have you looked at this sample?

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-controlling-access-to-apis.html#serverless-controlling-access-to-apis-cognito-user-pool
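As an added example that is not part of the question or either answer: a hypothetical hello-world/app.js for the `Handler: app.lambdaHandler` used in these templates. It shows what a COGNITO_USER_POOLS authorizer hands the function (the verified token claims in event.requestContext.authorizer.claims) and why the handler should still fail closed when no authorizer ran, as happens when the Auth block is left commented out as in the question. The group name, the event shape and the handler body are assumptions.

```javascript
'use strict';

// Hypothetical hello-world/app.js for the `Handler: app.lambdaHandler` above.
// With a COGNITO_USER_POOLS authorizer on the route, API Gateway verifies the
// token and passes its claims to Lambda in event.requestContext.authorizer.claims.
// The handler fails closed when those claims are absent, so a stage deployed
// with the Auth block commented out (as in the question) answers 401 instead of
// serving the route anonymously.

const REQUIRED_GROUP = 'hello-readers'; // constructed group name for this example

function jsonResponse(statusCode, body) {
  return {
    statusCode,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Return the authorizer-supplied claims, or null when no authorizer ran.
function getClaims(event) {
  const authorizer = event && event.requestContext && event.requestContext.authorizer;
  const claims = authorizer && authorizer.claims;
  return claims && typeof claims.sub === 'string' ? claims : null;
}

// The cognito:groups claim reaches the handler as a string: a bare name for a
// single group or a bracketed, space-separated list for several (assumption
// based on the REST API proxy format; both shapes are accepted here).
function parseGroups(raw) {
  if (typeof raw !== 'string') return [];
  return raw.replace(/^\[|\]$/g, '').split(/[\s,]+/).filter(Boolean);
}

// Synchronous core so the decision is easy to unit test without an event loop.
function authorizeRequest(event) {
  const claims = getClaims(event);
  if (!claims) return jsonResponse(401, { message: 'Unauthorized' });
  if (!parseGroups(claims['cognito:groups']).includes(REQUIRED_GROUP)) {
    return jsonResponse(403, { message: 'Forbidden' });
  }
  return jsonResponse(200, { message: `hello ${claims.email || claims.sub}` });
}

async function lambdaHandler(event) {
  return authorizeRequest(event);
}

module.exports = { lambdaHandler, authorizeRequest, getClaims, parseGroups };
```

Running `sam local start-api` without an authorizer configured exercises the 401 branch, which is the behaviour you want from a route whose Auth block is missing.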



Source: https://stackoverflow.com/questions/60030613/sam-template-api-authorizor-to-use-existing-cognito-user-pool
