Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Can I use a wildcard for the HTTP verb with a specific resource path in the response from a lambda authorizer in API Gateway for a REST API?

0

I'm working on a lambda authorizer for a REST API in API Gateway that uses scopes in a JWT access tokens to determine what resources are available in the API. As I look closer at the specified ARN format for the response, I see that the HTTP-VERB is part of the last colon-delimited segment.

arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier

If I use a wildcard * for the verb, can I still specify a specific resource? I see some comments about wildcards greedily matching everything to the right within a segment, but I'm not sure what the boundary is.

I would like to do something like this:

arn:aws:execute-api:region:account-id:api-id/stage-name/*/foo/bar/*

to allow allow all methods for all sub-resources of /foo/bar/, but disallow access to any direct resources of /foo/.

Themen
ServerlosFrontend-Web & MobileVernetzung & Bereitstellung von InhaltenSicherheit, Identität & Konformität
Tags
Amazon API-GatewayIAM-Richtlinien
Sprache
English
emattheis
gefragt vor 5 Monaten320 Aufrufe
2 Antworten
1
Akzeptierte Antwort

This can indeed be done as specified in this documentation. Should you use the following resource arn:aws:execute-api:region:account-id:api-id/stage-name/*/foo/bar/* the policy will apply to all methods under sub-resources of /foo/bar/. For example, an allow there in authorizer policy will not allow methods under /foo, only for sub-resources under /foo/bar/.

Using a wildcard * for the http verb segment won't have an impact on later resource segment unless it is the last segment. Only the * in last segment in this example will match everything to right. Do refer to example resource expressions here for details.

AWS
SUPPORT-TECHNIKER
Abhilash_K
beantwortet vor 5 Monaten
profile picture
EXPERTE
Gary Mclean
überprüft vor 2 Monaten
  • emattheis
    vor 5 Monaten

    Okay, thanks! So, per the examples, it looks like in the format arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier it is possible to use a wildcard in place of stage-name and/or HTTP-VERB and still specify resource-path-specifier which may also include a wildcard at the end.

    Is it possible, then, to also use multiple wildcards in the resource-path-specifier? For example, could I use a wildcard to match a path variable in my API Gateway resource - e.g. /foo/bar/*/allowed would allow access to /foo/bar/{id}/allowed but deny access to any other sub-resource of /foo/bar/{id}/?

  • Abhilash_K SUPPORT-TECHNIKER
    vor 5 Monaten

    /foo/bar/*/allowed should work as you expect, allowing allowed sub-resource but implicitly denying other sub-resources

1

Yes you can. See the second example here.

profile pictureAWS
EXPERTE
Uri
beantwortet vor 5 Monaten
profile picture
EXPERTE
Gary Mclean
überprüft vor 2 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt