How to exempt certain resources from custom authorization in AWS API Gateway?

Reposted. Author: bug小助手. Updated: 2023-10-28 11:43:31



I have configured custom authorization in API Gateway for a proxy resource, but my requirement is to exempt a few APIs from authorization. I don't want to configure a new API in API Gateway, because I'm trying to design a proxy through API Gateway.



For example, the API /server/ver1.0/rest/{proxy+} is my REST API configured in API Gateway; it goes through the custom authorizer and, if that succeeds, invokes the backend HTTP service.



But I would like to exempt the API /server/ver1.0/rest/acc/reg from authorization.


More answers
Recommended answers

Not sure if this directly answers the OP since we do not proxy our requests to a backend API but use Lambda for all API calls, but we still need to authorize only part of our API. This is how we've done it:



We have an API deployed with SAM, and in this project we use a custom Authorizer for most of the API.


MonitorApi:
  Type: AWS::Serverless::Api
  Properties:
    Cors:
      AllowMethods: "'OPTIONS,POST,GET,PATCH,DELETE'"
      AllowHeaders: "'*'"
      AllowOrigin: "'*'"
    StageName: !Ref AppStage
    GatewayResponses:
      DEFAULT_4xx:
        ResponseParameters:
          Headers:
            Access-Control-Expose-Headers: "'*'"
            Access-Control-Allow-Headers: "'*'"
            Access-Control-Allow-Origin: "'*'"
    Auth:
      DefaultAuthorizer: LambdaTokenAuthorizer # This authorizer is used on the API
      AddDefaultAuthorizerToCorsPreflight: false
      Authorizers:
        LambdaTokenAuthorizer:
          FunctionArn: !GetAtt AuthorizeFunction.Arn
          Identity:
            Header: Authorization
            ReauthorizeEvery: 300

For some resources that we need to make publicly available we override this on the function level, like this:



SystempingFunction: # Systemping service in API
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: monitor/
    Handler: systemping.handler
    Runtime: nodejs12.x
    Timeout: 20
    Events:
      SystempingEvent:
        Type: Api
        Properties:
          Auth:
            Authorizer: NONE # Turn off Authorization for this function
          Path: /systemping
          Method: get
          RestApiId: !Ref MonitorApi


Finally, I have solved the issue the same way I described in my question.



As AWS gives no programmatic way to omit a specific condition, we are left with the options below:




1. Create a separate API. In this way, AWS gives preference to the more specific API over the generic one, i.e. the API /server/ver1.0/rest/acc/reg is preferred over /server/ver1.0/rest/{proxy+}.

2. Modify the custom authorizer lambda function to check each and every URL pattern, but this makes the lambda custom auth much more complex and less maintainable.




I have adopted the first option as it's cleaner and easier to maintain; moreover, I didn't want to pollute my lambda custom authorizer with various URL patterns.



Assuming the custom authorizer is a lambda function, implying that your API Gateway is a proxy integration with Lambda, you could do it in the lambda function.



Depending on the resource you are requesting, e.g. /acc/reg, you can detect this in the lambda function and bypass authentication.
For all other resources you can go through the custom authorization process.



You could define variables to store your secure vs. insecure resources and match those against the request.



// Inside the Lambda handler, where `event` is the API Gateway proxy event.
// Use arrays so that includes() is an exact path match rather than a substring match.
var insecureApis = ['/hello', '/acc/reg'];   // paths that bypass custom auth
var secureApis = ['/account/me'];            // paths that require custom auth

var path = event.path;

if (secureApis.includes(path)) {
  // perform custom auth and proxy request
} else {
  // just proxy
}
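
The allow-list approach that the accepted answer's second option and the answer above both describe, as an added example that is not from any of the answers on this page: a Lambda authorizer that exempts exact paths and default-denies the rest. It assumes the question's /server/ver1.0/rest path layout and uses a constructed demo token in place of real token verification.

```javascript
// Added example, not from any answer on this page: a Lambda authorizer that exempts an
// explicit allow-list of paths and default-denies everything else unless a bearer token
// validates. The path is recovered from event.methodArn, so it serves TOKEN and REQUEST
// authorizers alike and does not trust a client-influenced event.path.
const EXEMPT_PATHS = new Set(["/server/ver1.0/rest/acc/reg"]); // exact matches only

// Hypothetical token check against a constructed value; a real authorizer verifies a
// JWT signature or looks the token up. The rest of the flow stays the same.
const DEMO_TOKEN = "constructed-demo-token";
function isValidToken(token) {
  return token === DEMO_TOKEN;
}
// methodArn layout: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
function pathFromMethodArn(methodArn) {
  return "/" + String(methodArn || "").split("/").slice(3).join("/");
}
// Resolve "." and ".." and drop empty segments, so "/acc/reg/../account/me" cannot pass
// as the exempt path while "/acc//reg/" still matches it.
function normalizePath(p) {
  const out = [];
  for (const seg of String(p || "").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// API Gateway expects an IAM policy; scope it to the invoked method ARN only.
function policy(principalId, effect, resourceArn) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: resourceArn }],
    },
  };
}

function authorize(event) {
  const path = normalizePath(pathFromMethodArn(event.methodArn));
  if (EXEMPT_PATHS.has(path)) return policy("anonymous", "Allow", event.methodArn);
  // TOKEN authorizers pass the header as authorizationToken, REQUEST ones under headers.
  const raw = event.authorizationToken ||
    (event.headers && (event.headers.Authorization || event.headers.authorization)) || "";
  const token = raw.startsWith("Bearer ") ? raw.slice("Bearer ".length) : "";
  if (!isValidToken(token)) return policy("anonymous", "Deny", event.methodArn);
  return policy("demo-user", "Allow", event.methodArn);
}
async function handler(event) { return authorize(event); } // Lambda entry point
if (typeof module !== "undefined") module.exports = { handler, authorize, normalizePath };
```

Returned policies are cached per identity source for the configured TTL (ReauthorizeEvery above), so keep Resource scoped to the method ARN as shown rather than granting the whole stage. With a TOKEN authorizer, API Gateway only invokes the function when the Authorization header is present, so a call with no header to an exempt path is still rejected before this code runs; that is why the method-level Authorizer: NONE override in the other answers is the more reliable way to make a path truly anonymous.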


My use case is a little bit different: I'm using SAM and my Gateway is an HttpApi, but I think it can apply to this scenario also... so here's the entry you need to disable Auth on a specific API endpoint in your template:


yourFunctionName:
  Type: AWS::Serverless::Function
  Properties:
    Handler: src/handlers/mycode.handler
    Description: Get some data
    FunctionName: getData
    Events:
      Api:
        Type: HttpApi
        Properties:
          ApiId: yourHttpApiGatewayRefHere
          Path: /data
          Method: GET
          Auth:
            Authorizer: NONE

The important section is




Auth:
  Authorizer: NONE



More answers

Thanks mailtobash. Currently I have used a separate API in api-gateway and disabled the authorizer in the method request configuration, but the ideal solution would be to disable the custom authorizer at run-time for a specific URL; it seems the AWS api-gateway doesn't support it as of now.

Have you found any other solution than creating a separate API? Now it's 2019 and maybe there is some new feature around there...


@Franco, the token-based authorizer lambda is still the valid approach; it's quite flexible. There is also the IAM-based authorization approach, where only users with certain IAM roles can invoke API Gateway.
