By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Can I use a wildcard for the HTTP verb with a specific resource path in the response from a lambda authorizer in API Gateway for a REST API?

0

I'm working on a lambda authorizer for a REST API in API Gateway that uses scopes in a JWT access tokens to determine what resources are available in the API. As I look closer at the specified ARN format for the response, I see that the HTTP-VERB is part of the last colon-delimited segment.

arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier

If I use a wildcard * for the verb, can I still specify a specific resource? I see some comments about wildcards greedily matching everything to the right within a segment, but I'm not sure what the boundary is.

I would like to do something like this:

arn:aws:execute-api:region:account-id:api-id/stage-name/*/foo/bar/*

to allow allow all methods for all sub-resources of /foo/bar/, but disallow access to any direct resources of /foo/.

Topics
ServerlessFront-End Web & MobileNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon API GatewayIAM Policies
Language
English
emattheis
asked 4 months ago291 views
2 Answers
1
Accepted Answer

This can indeed be done as specified in this documentation. Should you use the following resource arn:aws:execute-api:region:account-id:api-id/stage-name/*/foo/bar/* the policy will apply to all methods under sub-resources of /foo/bar/. For example, an allow there in authorizer policy will not allow methods under /foo, only for sub-resources under /foo/bar/.

Using a wildcard * for the http verb segment won't have an impact on later resource segment unless it is the last segment. Only the * in last segment in this example will match everything to right. Do refer to example resource expressions here for details.

AWS
SUPPORT ENGINEER
Abhilash_K
answered 4 months ago
profile picture
EXPERT
Gary Mclean
reviewed a month ago
  • emattheis
    4 months ago

    Okay, thanks! So, per the examples, it looks like in the format arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier it is possible to use a wildcard in place of stage-name and/or HTTP-VERB and still specify resource-path-specifier which may also include a wildcard at the end.

    Is it possible, then, to also use multiple wildcards in the resource-path-specifier? For example, could I use a wildcard to match a path variable in my API Gateway resource - e.g. /foo/bar/*/allowed would allow access to /foo/bar/{id}/allowed but deny access to any other sub-resource of /foo/bar/{id}/?

  • Abhilash_K SUPPORT ENGINEER
    4 months ago

    /foo/bar/*/allowed should work as you expect, allowing allowed sub-resource but implicitly denying other sub-resources

1

Yes you can. See the second example here.

profile pictureAWS
EXPERT
Uri
answered 4 months ago
profile picture
EXPERT
Gary Mclean
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content