Questions tagged with Amazon API Gateway


AWS CDK: What is the best way to implement multiple Stacks/NestedStacks & share resources?

I’m currently working on a serverless application developed using AWS CDK in TypeScript. Also, as a convention, we follow the rules below too.

1. A stack should only have one table (DynamoDB).
2. A stack should only have one REST API (API Gateway).
3. A stack should not depend on any other stack (no cross-references), unless it's the Event-Stack (a stack dedicated to managing EventBridge operations).

The reason we are following these rules is because then each stack can be deployed independently without any interference from other stacks. In a way, our stacks are equivalent to micro-services in a micro-service architecture.

At the moment all the REST APIs are public and now we have decided to make them private by attaching custom Lambda authorizers to each API Gateway resource. Now, in this custom Lambda authorizer, we have to do certain operations (apart from token validation) in order to allow the user's request to proceed further. Those operations are:

1. Get the user’s role from DB using the user ID in the token.
2. Get the user’s subscription plan (paid, free, etc.) from DB using the user ID in the token.
3. Get the user’s current payment status (due, no due, fully paid, etc.) from DB using the user ID in the token.
4. Get scopes allowed for this user based on 1, 2 and 3.
5. Check whether the user can access this scope (the resource the user is currently requesting) based on 4.

This authorizer Lambda function needs to be used by all the other stacks to make their APIs private. But the problem is roles, scopes, subscriptions, payments and user data are in different stacks in their dedicated DynamoDB tables. Because of the rules I have explained before (especially rule number 3) we cannot depend on the resources defined in other stacks. Hence we are unable to create the authoriser we want.

Solutions we could think of and their problems:

* Since EventBridge isn't bi-directional we cannot use it to fetch data from a different stack resource.
* We can [invoke][1] a Lambda in a different stack using its ARN and get the required data from its response, but AWS has discouraged this as a CDK anti-pattern.
* We cannot use technology like gRPC because it requires a continuously running server, which is out of the scope of the serverless architecture.

There was also a proposal to re-design the CDK layout of our application. The main feature of this layout is going from non-crossed-references to adopting a fully-crossed-references pattern (inspired by layered architecture as described in this [AWS best practice][2]). Based on that article, we came up with a layout like this.

- Presentation Layer
  - Stack for deploying the consumer web app
  - Stack for deploying the admin portal web app
- Application Layer
  - Stack for REST API definitions using API Gateway
  - Stack for Lambda functions running business-specific operations (e.g. CRUDs)
  - Stack for Lambda functions that run on event triggers
  - Stack for Authorisation (custom Lambda authorizer(s))
  - Stack for Authentication implementation (Cognito user pool and client)
  - Stack for Events (EventBuses)
  - Stack for storage (S3)
- Data Layer
  - Stack containing all the database definitions
  - There could be another stack for reporting, data engineering, etc.

![proposed CDK application architecture](/media/postImages/original/IMOEyqKAuSSF6q9gTvmXIhjw)

As you can see, now stacks are going to have multiple dependencies on other stacks' resources (but no circular dependencies, as shown in the attached image). While this pattern unblocks us from writing an effective custom Lambda authorizer, we are not sure whether this pattern won't be a problem in the long run, when the application's scope increases.

I highly appreciate the help any one of you could give us to resolve this problem. Thanks!

[1]: https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html
[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html#organizingstacks
[3]: https://i.stack.imgur.com/K4Po0.png
0 answers · 1 vote · 42 views · asked 2 months ago

IAM abac tag problems: User is not authorized to perform: execute-api:Invoke on resource

I'm trying to call an API Gateway endpoint from my web app but getting the error:

```
User: arn:aws:sts::<number>:assumed-role/my_identity_pool_auth_role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:********9277:<api-gateway id>/test/GET/theme
```

I have a user pool set up in which I've created two groups, one of which I'd like to give access to execute the endpoint mentioned above. The user pool group has an IAM role attached with no permissions, but the following trust relationship:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<identity pool id>"
        }
      }
    }
  ]
}
```

and a tag with:

```
key: user_role
value: end_user_basic
```

The identity pool auth role has the permissions and trust relationship below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cognito-identity:*",
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-2:*:<api-gateway id>/*/GET/theme",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/user_role": "end_user_basic"
        }
      }
    }
  ]
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<identity pool id>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

In the identity pool settings, I have 'authenticated role selection' set to 'user default role' and 'attributes for access control' set to 'use custom mappings' with the below:

```
Tag key for principal: user_role
Attribute name: user_role
```

And when I make the request, my ID token has a payload something like below:

```
{
  "sub": ...,
  "cognito:groups": [ "<the correct cognito user group>" ],
  "iss": ...,
  "cognito:username": ...,
  "origin_jti": ...,
  "cognito:roles": [ "<the correct iam role with tag attached>" ],
  "aud": ...,
  "event_id": ...,
  "token_use": "id",
  "auth_time": ...,
  "exp": ...,
  "iat": ...,
  "jti": ...,
  "email": ...
}
```

so the user belongs to the correct group with the correct IAM role applied. I'm new to AWS so I'm sure I'm missing something daft, but if somebody could point me in the right direction I'd be grateful.

As an aside, if I remove the condition below:

```json
"Condition": {
  "StringEquals": {
    "aws:PrincipalTag/user_role": "end_user_basic"
  }
}
```

from the identity pool auth role, I can make the API call successfully.
0 answers · 0 votes · 44 views · steve · asked 2 months ago