Add Support for AuthorizationType to API

[jkahn117]

API Endpoints often require authorization permissions, e.g. only IAM users. Ideally, AWS::Serverless::Api would also support AuthorizationType available for API Gateway.

For example, using IAM user:

Events:
  Type: Api
  Properties:
    Path: /secrets
    Method: get
    AuthorizationType: AWS_IAM

Or a custom authorizer:

Events:
  Type: Api
  Properties:
    Path: /secrets
    Method: get
    AuthorizationType: CUSTOM
    Authorizer: <ARN_CUSTOM_AUTHORIZER>

Realize this may be challenging in referencing the custom authorizer function if not a function defined within the template though.

[collinforrester]

If I'm understanding you correctly, have you tried defining what you're trying to get in the console and exporting the swagger file? I've found that my SAM templates support Cognito Authorization definitions by exporting an existing API built in the console and just using it as a starting point.

[jkahn117]

Agreed, it is possible to make this work with a Swagger file, but that feels like an unnecessary step (export Swagger, modify, upload + manage separately) for something reasonably simple to configure as part of the API definition.

[sanathkr]

Thanks for the request. This is a good feature to have.

[mparaz]

It looks like using Swagger stopped working. This was previously working:

securityDefinitions:
  authorizerFunc:
    type: "apiKey"
    name: "Authorisation"
    in: "header"
    x-amazon-apigateway-authtype: "custom"
    x-amazon-apigateway-authorizer:
      authorizerUri: "arn:aws:apigateway:ap-southeast-2:lambda:path/2015-03-31/functions/arn:aws:lambda:ap-southeast-2:00000000:function:${stageVariables.AuthorizerFunctionName}/invocations"
      authorizerResultTtlInSeconds: 300
      type: "token"

But now I get:

Errors found during import: Unable to create authorizer 'authorizerFunc': Authorizers only support Lambda function invocations.

What is the correct syntax now?

[demurray]

@mparaz, try nesting the authorizerUri value under a Fn::Sub element, i.e.:

authorizerUri:
  Fn::Sub: "arn:aws:apigateway:ap-southeast-2:lambda:path/2015-03-31/functions/arn:aws:lambda:ap-southeast-2:00000000:function:${stageVariables.AuthorizerFunctionName}/invocations"

[lafiosca]

I don't think the Fn::Sub will help here. That looks to be an API Gateway stage variable rather than a CloudFormation variable.

[jaccus]

Fn::Sub together with ${stageVariables.MyVariableName}, where the variable is in the Variables section of the SAM template,

securityDefinitions:
          Authorizer:
            ...
            x-amazon-apigateway-authorizer:
              ...
              authorizerUri:
                Fn::Sub: "arn:aws:apigateway:<region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<region>:<accid>:function:${stageVariables.MyVariableName}/invocations"
...
...
Variables:
        MyVariableName: !ImportValue MyImportedValue

does not seem to work for me in an inline swagger file and fails with the following error:
Status: FAILED. Reason: Template error: instance of Fn::Sub references invalid resource attribute stageVariables.MyVariableName.

Could someone confirm that this should work? Or maybe there is another way to access these variables with an inline swagger spec?

[sanathkr]

Its happening! #248