fix: allow setting InvokeRole to NONE or null (#986)

Author: keetonian

examples/2016-10-31/api_aws_iam_auth/template.yaml

@@ -8,7 +8,7 @@ Resources:
       StageName: Prod
       Auth:
         DefaultAuthorizer: AWS_IAM
-        InvokeRole: CALLER_CREDENTIALS
+        InvokeRole: CALLER_CREDENTIALS # default, can specify other role or NONE
 
   MyFunction:
     Type: AWS::Serverless::Function

samtranslator/swagger/swagger.py

@@ -169,10 +169,18 @@ def add_lambda_integration(self, path, method, integration_uri,
         api_auth_config = api_auth_config or {}
         if method_auth_config.get('Authorizer') == 'AWS_IAM' \
            or api_auth_config.get('DefaultAuthorizer') == 'AWS_IAM' and not method_auth_config:
-            self.paths[path][method][self._X_APIGW_INTEGRATION]['credentials'] = self._generate_integration_credentials(
-                method_invoke_role=method_auth_config.get('InvokeRole'),
-                api_invoke_role=api_auth_config.get('InvokeRole')
+            method_invoke_role = method_auth_config.get('InvokeRole')
+            if not method_invoke_role and 'InvokeRole' in method_auth_config:
+                method_invoke_role = 'NONE'
+            api_invoke_role = api_auth_config.get('InvokeRole')
+            if not api_invoke_role and 'InvokeRole' in api_auth_config:
+                api_invoke_role = 'NONE'
+            credentials = self._generate_integration_credentials(
+                method_invoke_role=method_invoke_role,
+                api_invoke_role=api_invoke_role
             )
+            if credentials and credentials != 'NONE':
+                self.paths[path][method][self._X_APIGW_INTEGRATION]['credentials'] = credentials
 
         # If 'responses' key is *not* present, add it with an empty dict as value
         path_dict[method].setdefault('responses', {})

tests/translator/input/api_with_aws_iam_auth_overrides.yaml

@@ -1,4 +1,11 @@
 Resources:
+  MyApiWithAwsIamAuthNoCallerCredentials:
+    Type: "AWS::Serverless::Api"
+    Properties:
+      StageName: Prod
+      Auth:
+        DefaultAuthorizer: AWS_IAM
+        InvokeRole: NONE
   MyApiWithAwsIamAuth:
     Type: "AWS::Serverless::Api"
     Properties:
@@ -84,3 +91,64 @@ Resources:
             Auth:
               Authorizer: AWS_IAM
               InvokeRole: arn:aws:iam::456::role/something-else
+  MyFunctionNONEInvokeRole:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://bucket/key
+      Handler: index.handler
+      Runtime: nodejs8.10
+      Events:
+        API3:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithAwsIamAuth
+            Method: get
+            Path: /MyFunctionNONEInvokeRole
+            Auth:
+              Authorizer: AWS_IAM
+              InvokeRole: NONE
+  MyFunctionNullInvokeRole:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://bucket/key
+      Handler: index.handler
+      Runtime: nodejs8.10
+      Events:
+        API3:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithAwsIamAuth
+            Method: get
+            Path: /MyFunctionNullInvokeRole
+            Auth:
+              Authorizer: AWS_IAM
+              InvokeRole: null
+  MyFunctionCallerCredentialsOverride:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://bucket/key
+      Handler: index.handler
+      Runtime: nodejs8.10
+      Events:
+        API3:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithAwsIamAuthNoCallerCredentials
+            Method: get
+            Path: /
+            Auth:
+              Authorizer: AWS_IAM
+              InvokeRole: CALLER_CREDENTIALS
+  MyFunctionNoCallerCredentials:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://bucket/key
+      Handler: index.handler
+      Runtime: nodejs8.10
+      Events:
+        API3:
+          Type: Api
+          Properties:
+            RestApiId: !Ref MyApiWithAwsIamAuthNoCallerCredentials
+            Method: post
+            Path: /