This guide exists for RestAPIs: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-lambda-authorizer-cross-account-lambda-authorizer.html
This guide exists for WebSocket, but doesn't cover cross-account: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-lambda-auth.html
I am using Serverless Framework v3.36.0, and trying to define an externally managed authorizer lambda that exists in a different account on my org, same region.
My serverless.yml, works fine with this:
connection_manager:
  handler: functions/connection/handler.connection_manager
  events:
    - websocket:
        route: $connect
    - websocket:
        route: $disconnect
But since I want an external authorizer, I changed it to this:
connection_manager:
  handler: functions/connection/handler.connection_manager
  events:
    - websocket:
        route: $connect
        authorizer:
          arn: arn:aws:lambda:us-east-2:IDTHATOWNSAUTHORIZERLAMBDA:function:ITSNAMEHERE
          identitySource:
            - 'route.request.header.my-custom-attribute'
    - websocket:
        route: $disconnect
And I end up getting this when I run sls deploy:
Error:
CREATE_FAILED: ITSNAMEHEREauthorizerLambdaPermissionWebsockets (AWS::Lambda::Permission)
Resource handler returned message: "Unable to determine service/operation name to be authorized (Service: Lambda, Status Code: 403, Request ID: )" (RequestToken: , HandlerErrorCode: GeneralServiceException)
I removed RequestToken/ID in case they are sensitive, not sure.
The above is referring to this in the auto-generated CloudFormation script:
"ITSNAMEHEREauthorizerLambdaPermissionWebsockets": {
  "Type": "AWS::Lambda::Permission",
  "DependsOn": [
    "WebsocketsApi"
  ],
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "Principal": "apigateway.amazonaws.com",
    "FunctionName": "arn:aws:lambda:us-east-2:IDTHATOWNSAUTHORIZERLAMBDA:function:ITSNAMEHERE"
  }
},
By deploying a version that doesn't have the additions that cause the error in serverless, I can get the stack to create. Then, if I follow the instructions here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-lambda-authorizer-cross-account-lambda-authorizer.html
I can get the authorizer to be hit cross-account! The problem with this setup, though, is that every time I deploy I believe I'll have to repeat these steps in the AWS GUI (create authorizer, set authorizer in route request settings, etc.).
So how can I do a cross-account lambda authorizer for my websocket api using serverless.yml?
Hi Jagan, does this policy seem correct?
aws lambda add-permission \
  --function-name "arn:aws:lambda:us-east-2:AccountIdForTheAccountThatHasExternalAuthorizer:function:AuthorizerNameGoesHere" \
  --source-arn "arn:aws:execute-api:us-east-2:MyAccountIdHereContainingTheServerlessApp:*" \
  --principal apigateway.amazonaws.com \
  --statement-id "GrantAPIGatewayCrossAccountInvokePermission" \
  --action lambda:InvokeFunction
Looking into the other things, but if the second thing you mentioned needs to be manually done outside of Serverless Framework per deploy, I fear it defeats my purpose.
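To make the failure above concrete, here is an added example (not code from the question, the Serverless Framework, or AWS) that scans a CloudFormation template for the two problems visible in the generated AWS::Lambda::Permission resource (its FunctionName lives in another account, so the deploying stack cannot create the permission, and it grants the apigateway.amazonaws.com principal with no SourceArn/SourceAccount scoping) and builds the resource-policy statement equivalent to the add-permission call in the comment. The 12-digit account ids are constructed placeholders.

```python
import re

LAMBDA_ARN_RE = re.compile(r"^arn:aws:lambda:([a-z0-9-]+):(\d{12}):function:([^:]+)")

# Constructed sample: the AWS::Lambda::Permission resource Serverless generated on the page,
# with constructed account ids (111111111111 = app account, 222222222222 = authorizer account).
SAMPLE_TEMPLATE = {
    "Resources": {
        "ITSNAMEHEREauthorizerLambdaPermissionWebsockets": {
            "Type": "AWS::Lambda::Permission",
            "DependsOn": ["WebsocketsApi"],
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "Principal": "apigateway.amazonaws.com",
                "FunctionName": "arn:aws:lambda:us-east-2:222222222222:function:ITSNAMEHERE",
            },
        }
    }
}


def check_lambda_permissions(template, deploying_account):
    """Return (logical_id, issue) pairs for AWS::Lambda::Permission resources that target a
    function owned by another account (the stack cannot create that permission; the function's
    owner must add it) or that grant a service principal without SourceArn/SourceAccount."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Lambda::Permission":
            continue
        props = resource.get("Properties", {})
        function_name = props.get("FunctionName")
        match = LAMBDA_ARN_RE.match(function_name) if isinstance(function_name, str) else None
        if match and match.group(2) != deploying_account:
            findings.append((logical_id, f"FunctionName is owned by account {match.group(2)}, not the deploying account"))
        principal = props.get("Principal", "")
        if principal.endswith(".amazonaws.com") and not (props.get("SourceArn") or props.get("SourceAccount")):
            findings.append((logical_id, "service principal granted without SourceArn/SourceAccount"))
    return findings


def cross_account_invoke_statement(function_arn, api_account, region, statement_id):
    """Resource-policy statement equivalent to the add-permission call in the comment:
    apigateway.amazonaws.com may invoke the function only on behalf of APIs in api_account."""
    return {
        "Sid": statement_id,
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": f"arn:aws:execute-api:{region}:{api_account}:*"}},
    }
```

Run the checker over the template `sls package` writes to `.serverless/` before deploying; a hit on the first rule means the permission belongs in the other account's pipeline, not in this stack.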