AWS_IAM auth does not allow InvokeRole override

[theburningmonk]

Description:

When using the new AWS_IAM auth type, the InvokeRole is always set to CALLER_CREDENTIALS even when I specify an override. The problem here is that, it forces the caller to have both API Gateway's invoke permission as well as lambda:InvokeFunction permission. This breaks the API abstraction and leaks implementation details (that there's a Lambda behind API Gateway, and the name of the function).

Steps to reproduce the issue:

1. create API with auth type set to AWS_IAM and set InvokeRole to null

Observed result:

API endpoints still uses CALLER_CREDENTIALS

Expected result:

• Execution role to be `null
• Invoke with caller credentials to be disabled

[theburningmonk]

For now, our workaround is to have a custom macro that is triggered after the initial SAM macro and strips the credentials field.

[tavolate]

We have the same issue

[keetonian]

It looks like we're forcing InvokeRole to be non-null here: https://github.com/awslabs/serverless-application-model/blob/develop/samtranslator/swagger/swagger.py#L192

A simple fix for this would be to allow null or blank values and add a test that enforces this behavior.

[jadhavmanoj]

@keetonian if InvokeRole in None. should we remove credentials key from template?

[keetonian]

That's a good question. @brettstack might know, otherwise I'll investigate more and see what SAM should do in this case.

[brettstack]

@jadhavmanoj that's correct.

[benkehoe]

Is the plan to change the default to not use caller credentials? I am in favor of such a plan. Using caller credentials isn't the default in API Gateway, so I would consider it unexpected behavior for SAM to change that.

[brettstack]

Unfortunately that ship has sailed. Changing default behavior would be a breaking change. The plan is to add InvokeRole: null (or 'NONE') as originally intended.

[benkehoe]

Perhaps an additional auth type is warranted, then? AWS_IAM_v2? Requiring this opaque incantation everywhere to get the normal behavior of API Gateway, and that forgetting it will cause IAM failures that are already hard to understand, is going to trip up so many people.

[keetonian]

@benkehoe I submitted a PR for this issue following what was discussed. If AWS_IAM is set as a default authorizer and InvokeRole: null or InvokeRole: NONE is set, it will remove the credentials section of the output template. Do you think that will be sufficient?

[benkehoe]

It makes the desired behavior possible, sure. But it's also setting us up for a lot of new users asking about IAM errors they don't understand and getting told to use this trick, and then copy-and-pasting that for the rest of their days without understanding it. This goes against the mission of SAM, which is to make CloudFormation simpler and more understandable, with better defaults.

If I'm missing something, if there's a reason users should want to use caller credentials from API GW to Lambda by default, or why we should guide them in that direction with this default, I'm all ears.