-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[aws-apigateway] impossible to remove default method authorization #8827
Comments
It does seem like we don't handle the aws-cdk/packages/@aws-cdk/aws-apigateway/lib/method.ts Lines 182 to 186 in 31d6e65
|
I’ve also noticed a similar issue trying to set
I think || should be ??
|
IMHO it is not so simple, as we need to distinguish when Probably should be something like:
Only not sure what is current default for |
@erik-telesoftas Hey I’m not sure I follow, that’s what ?? does, right? |
@mattsenior absolutely right, probably fool moon on top of my JS syntax ignorance ;) |
Of possibly related trouble is the inability to instruct a particular method not to use an authorizer, once defaultMethodOptions is set @nija-at |
Hi @nija-at, will there be any progress on this issue soon? As a workaround one could write an aspect that removes the authorizer from certain methods. Not beautiful, but would work. const excludedMethodIds: Method[] = [];
const aspect: IAspect = {
visit(node: IConstruct): void {
if (
node instanceof CfnMethod
&& !excludedMethodIds.find((rid) => rid === node.resourceId)
) {
delete node.authorizerId;
node.authorizationType = AuthorizationType.NONE;
}
},
};
Aspects.of(myStack).add(aspect); |
This issue (the |
facing the same issue as well with IAM:
this is the part of code that does the check: and this is the test that covers it: I'm trying to understand the reason of enforcing all route to use the "default authorizer" while API Gateway does allow to have a route that uses Cognito and another one that uses IAM (eg. for internal services for example). I think the only check that makes sense to do is the one covered by this other test: |
Hello from 2023, I have the same problem :) |
@rix0rrr given this one is coming up on 3 years old it could probably use some eyeballs if just for confirmation. |
same |
RestApi has the ability to set the apiKeyRequired option for all methods via defaultMethodOptions. Setting this option on a method should override the value set in defaultMethodOptions, but it doesn't work. This commit fixes the behaviour and adds a test. Mentioned in aws#8827
@mattsenior @markcarroll submitted a PR for the apiKeyRequired here #25682.
|
RestApi has the ability to set the apiKeyRequired option for all methods via defaultMethodOptions. Setting this option on a method should override the value set in defaultMethodOptions, but it doesn't work. This commit fixes the behaviour and adds a test. Mentioned in #8827 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This didn't work for me. In the end, I had to set my API root's default authorization type to @nija-at: is there any plan to fix this? |
Hi @cupid-dev - I no longer work for the AWS CDK. Someone from the team will respond to you in due time. |
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue. |
Any updates on this issue? |
As a workaround, you can use the CDK -> CloudFormation escape hatch. In Python, that looks like this: More details at #29658 |
+1 |
Doing this removes the authorizer for every route though. AWS CDK is the worst, very little documentation, very little support. This issue has been activer since July 2020???? |
### Issue # (if applicable) Closes #8827. ### Reason for this change Customers could not override the authorizer defined in the default method configuration if they want to set the authorization type to None. ### Description of changes If the customer set the authorization type to None while creating a new method, we will not use the authorizer value defined in the default configuration and instead we will set it to undefined. ### Description of how you validated changes added unit, and integration test cases. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
### Issue # (if applicable) Closes aws#8827. ### Reason for this change Customers could not override the authorizer defined in the default method configuration if they want to set the authorization type to None. ### Description of changes If the customer set the authorization type to None while creating a new method, we will not use the authorizer value defined in the default configuration and instead we will set it to undefined. ### Description of how you validated changes added unit, and integration test cases. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) Closes aws#8827. ### Reason for this change Customers could not override the authorizer defined in the default method configuration if they want to set the authorization type to None. ### Description of changes If the customer set the authorization type to None while creating a new method, we will not use the authorizer value defined in the default configuration and instead we will set it to undefined. ### Description of how you validated changes added unit, and integration test cases. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
It seems not possible to remove authorization for API Gateway methods if it is defined in
defaultMethodOptions
onRestApi
level.Reproduction Steps
First I create RestApi Gateway (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html) with custom authorizer set by default for all methods:
And then in resources stack I try to create documentation Method (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.Method.html) with security disabled:
Error Log
Environment
Other
It is still possible to override these setting as described in #8615
and then stack is created with correct Method-level security settings.
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: