Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Can I use a wildcard for the HTTP verb with a specific resource path in the response from a lambda authorizer in API Gateway for a REST API?

0

I'm working on a lambda authorizer for a REST API in API Gateway that uses scopes in a JWT access tokens to determine what resources are available in the API. As I look closer at the specified ARN format for the response, I see that the HTTP-VERB is part of the last colon-delimited segment.

arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier

If I use a wildcard * for the verb, can I still specify a specific resource? I see some comments about wildcards greedily matching everything to the right within a segment, but I'm not sure what the boundary is.

I would like to do something like this:

arn:aws:execute-api:region:account-id:api-id/stage-name/*/foo/bar/*

to allow allow all methods for all sub-resources of /foo/bar/, but disallow access to any direct resources of /foo/.

Topics
ServerlessFront-End Web & MobileNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon API GatewayIAM Policies
Language
English
asked 2 years ago1.1K views
3 Answers
1
Accepted Answer

This can indeed be done as specified in this documentation. Should you use the following resource arn:aws:execute-api:region:account-id:api-id/stage-name/*/foo/bar/* the policy will apply to all methods under sub-resources of /foo/bar/. For example, an allow there in authorizer policy will not allow methods under /foo, only for sub-resources under /foo/bar/.

Using a wildcard * for the http verb segment won't have an impact on later resource segment unless it is the last segment. Only the * in last segment in this example will match everything to right. Do refer to example resource expressions here for details.

AWS
SUPPORT ENGINEER
answered 2 years ago
EXPERT
reviewed 2 years ago
  • rePost-User-8634846
    2 years ago

    Okay, thanks! So, per the examples, it looks like in the format arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier it is possible to use a wildcard in place of stage-name and/or HTTP-VERB and still specify resource-path-specifier which may also include a wildcard at the end.

    Is it possible, then, to also use multiple wildcards in the resource-path-specifier? For example, could I use a wildcard to match a path variable in my API Gateway resource - e.g. /foo/bar/*/allowed would allow access to /foo/bar/{id}/allowed but deny access to any other sub-resource of /foo/bar/{id}/?

  • Abhilash_K SUPPORT ENGINEER
    2 years ago

    /foo/bar/*/allowed should work as you expect, allowing allowed sub-resource but implicitly denying other sub-resources

1

Yes you can. See the second example here.

AWS
EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
0

Is there a way to provide a wildcard that matches only a single path element? For example, I would like to allow access to /user/{userId} (for all values of userId), but NOT access to /user/{userId}/sensitive.

unfortunately: arn:aws:execute-api:region:account-id:api-id/stage-name/GET/user/*

seems to also allow: arn:aws:execute-api:region:account-id:api-id/stage-name/GET/user/*/sensitive

I would like to be able to authorize my users with explicit allows for specific endpoints (including REST paths with path variables matching either any value of the variable or specific values) and implicit denies for any endpoints not explicitly identified in the policy.

AWS PLEASE make a wildcard for resources that matches only a single path element.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content