Websocket Authorizer Status 500

0

EDIT: MARKED AS SOLVED. ANSWER AT BOTTOM!

Hi,

Trying to get a POC going to authenticate a WebSocket $connect. Using .NET examples, but when the authorizer Lambda returns to the $connect, the status is 500.

  1. The WebSocket is functional without an authorizer.
     Below is the successful CloudWatch log entry:
{
    "requestId": "QBs88GlriYcFrew=",
    "ip": "<SOME IP>",
    "caller": "-",
    "user": "-",
    "requestTime": "21/Jul/2020:14:01:03 +0000",
    "eventType": "CONNECT",
    "routeKey": "$connect",
    "status": "200",
    "connectionId": "QBs88fnviYcCHTg=",
    "principalId": "-"
}
  2. When I add the authorizer, the above entry changes to status 500:
{
    "requestId": "QBbzsG1FiYcF7dA=",
    "ip": "<SOME IP>",
    "caller": "-",
    "user": "-",
    "requestTime": "21/Jul/2020:12:04:01 +0000",
    "eventType": "CONNECT",
    "routeKey": "$connect",
    "status": "500",
    "connectionId": "QBbzscLSiYcCJOA=",
    "principalId": "-"
}
  3. The AuthPolicy returned by the Lambda (serialized by me to JSON). This Lambda executes without exceptions:
{
    "principalId": "testuser",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": "arn:aws:execute-api:us-east-2:<ACC>:<APP>/Prod/$connect"
            },
            {
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": "arn:aws:execute-api:us-east-2:<ACC>:<APP>/Prod/POST/@connections"
            }
        ]
    }
}
(Second statement added to test. Don't think this is needed.)

The authorizer Lambda executes with a role which has 'AWSFullLambdaAccess'.

So, it appears the authorizer Lambda is called before the $connect and executed, but I cannot get the $connect in the WebSocket past the 500 status code. I also hardcoded the authorizer Lambda to always return 'true' for the test. Also, I'm not sure if the actual principalId should be a valid Cognito user. Currently it is, but I have no further authentication in the authorizer Lambda.

It appears that the status 500 results in the $connect Lambda call never being executed.

Any help appreciated.


Solution

Ok. Found my answer.
https://stackoverflow.com/questions/41451582/c-sharp-implementation-of-aws-api-gateway-custom-authorization-lambda

My implementation of the authorizer Lambda had custom classes returned as AuthPolicy, similar to the answer to the question in the StackOverflow thread above.

When I read it again, I tried to use the Amazon.Lambda.APIGatewayEvents NuGet package, with its own response classes, which resulted in a different-looking JSON structure than the one I posted above. The authorizer function posted by Aaron Hudson worked for me now.

The resulting JSON from the APIGatewayCustomAuthorizerResponse looks like the below, compared to the one above:

{
    "principalId": "testuser",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "execute-api:Invoke"
                ],
                "Resource": [
                    "arn:aws:execute-api:us-east-2:<ACC>:<APPID>/Prod/$connect"
                ]
            }
        ]
    },
    "context": null,
    "usageIdentifierKey": null
}

Hope this might help someone.

Edited by: Rigalo on Jul 22, 2020 12:24 AM

Rigalo
asked 4 years ago, 623 views
3 Answers
1

The "Action" property as an array was key to solving this, and specifically using the "$connect" string.

Here is what is working for me (with some values modified for privacy) and comments added.

Note: I am using the AWS Gateway V2 API, websocket protocol, Cognito with no users (only an App client).

{
    "principalId": "7p9f415hnxxbfbch17jnaenccs", // this is the "App client ID" from the App integration section of Cognito
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [  // <--- this must be an array
                    "execute-api:Invoke"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:execute-api:us-east-1:321987567111:1c9kv22z8g/stage-devwarren2/$connect"
                ]
            }
        ]
    },
    "context": null,
    "usageIdentifierKey": null
}
answered 4 years ago
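Both the solution above and this answer come down to the same thing: the authorizer must return an object in the shape API Gateway expects, with `Action` and `Resource` as arrays, scoped to the `$connect` route. The following is an added example, not code from this thread and not the Amazon.Lambda.APIGatewayEvents package: it is a Python-runtime Lambda REQUEST authorizer for a WebSocket `$connect` route that builds that exact shape, goes a little beyond the thread by also returning an explicit `Deny`, and takes the `$connect` ARN from the event's `methodArn` instead of hand-typing it (which sidesteps the `<APPID>`/`<APIID>` question). The token format (`<principal>.<HMAC-SHA256 hex>` in a `token` query-string parameter), the shared secret, the `check_response` helper and the event fixture are all constructed for the demo and are not an AWS convention.

```python
"""Lambda REQUEST authorizer for an API Gateway WebSocket $connect route.

Added example, not code from the thread: a Python-runtime equivalent of the
.NET APIGatewayCustomAuthorizerResponse shape the thread settled on. The
token scheme, the secret and the event fixture are constructed for the demo.
"""
import hashlib
import hmac
import json

# Constructed demo secret. In a real deployment load it from an environment
# variable or Secrets Manager; never hard-code it in the function.
SHARED_SECRET = b"constructed-demo-secret"


def build_policy(principal_id, effect, method_arn, context=None):
    """Return the response shape API Gateway accepted in the thread:
    Action and Resource as arrays, scoped to the single route being authorized."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": ["execute-api:Invoke"],
                    "Effect": effect,
                    "Resource": [method_arn],
                }
            ],
        },
        "context": context,
        "usageIdentifierKey": None,
    }


def make_token(principal_id):
    """Client side of the constructed scheme: '<principal>.<hmac-sha256 hex>'."""
    sig = hmac.new(SHARED_SECRET, principal_id.encode(), hashlib.sha256).hexdigest()
    return f"{principal_id}.{sig}"


def verify_token(token):
    """Return the principal if the token's HMAC is valid, otherwise None."""
    if not token or "." not in token:
        return None
    principal_id, _, sig = token.rpartition(".")
    expected = hmac.new(SHARED_SECRET, principal_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so a timing difference does not leak the signature.
    return principal_id if hmac.compare_digest(sig, expected) else None


def lambda_handler(event, _context):
    # Browsers cannot set headers on a WebSocket upgrade, so the token is
    # carried as a query-string parameter of the $connect request.
    params = event.get("queryStringParameters") or {}
    principal_id = verify_token(params.get("token"))
    # methodArn is the $connect resource of this API and stage; using it means
    # the policy never grants more than the route being connected to.
    method_arn = event["methodArn"]
    if principal_id is None:
        # An explicit Deny makes API Gateway answer 403. Returning a malformed
        # object (or raising unexpectedly) is what produces the 500 in the thread.
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(principal_id, "Allow", method_arn,
                        context={"principalId": principal_id})


def check_response(resp):
    """Return a list of shape problems; an empty list means the response
    matches the shape that worked in the thread (constructed helper)."""
    problems = []
    for key in ("principalId", "policyDocument"):
        if key not in resp:
            problems.append(f"missing {key}")
    doc = resp.get("policyDocument") or {}
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, st in enumerate(doc.get("Statement") or []):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}].Effect must be Allow or Deny")
        for field in ("Action", "Resource"):
            if not isinstance(st.get(field), list):
                problems.append(f"Statement[{i}].{field} should be an array")
    return problems


if __name__ == "__main__":
    # Constructed $connect event with a placeholder ARN.
    event = {
        "methodArn": "arn:aws:execute-api:us-east-2:<ACC>:<APIID>/Prod/$connect",
        "queryStringParameters": {"token": make_token("testuser")},
    }
    print(json.dumps(lambda_handler(event, None), indent=2))
```

Run it directly to print the Allow policy for a valid token; feed a tampered token to see the Deny. Serializing through `json.dumps` before deploying is a quick way to compare your own Lambda's output against the shape in the answers above.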
0

I am fighting with a lambda authorizer also -- getting 403 and 500 errors.

My return AuthPolicy looks just like yours, but I also do not know what to use in the "principalId" field. Have tried lots of stuff.

I have a "test" App Client in my Cognito pool, but I have no users.

What bugs me at this point is that there appears to be no way to add debugging information -- 403 "User is not authorized to access this resource" is not what my lambda returns! Whatever code generates that response should allow for some debugging info in the log output.

answered 4 years ago
0

So "Action" is an array.

Is <APPID> there actually supposed to be <APIID> ?

answered 4 years ago
