search

alma-cdk / openapix

Combine the power of AWS CDK & OpenAPI YAML Schema Definitions
https://constructs.dev/packages/@alma-cdk/openapix/
93 stars 5 forks source link

[Feature Request] IAM Authorizer Support #22

Open automartin5000 opened 2 years ago

automartin5000 commented 2 years ago

Please support IAM auth: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-auth.html

automartin5000 commented 2 years ago

Sorry, looks like this is supported, just not documented? https://github.com/alma-cdk/openapix/blob/347ff3ae8f3b81645a923d2fcb4e2a72d682fe9a/src/x-amazon-apigateway/auth.ts

aripalo commented 2 years ago

Hi!

Yes, IAM Authentication (Signature v4 or SigV4 for short) is something we definitely want to support as we're using it internally as well.

The way we intent to support SigV4 is that you should define it mostly as part of the OpenAPI definition as that is also an API client concern:

components:
  securitySchemes:
    sigv4:
      type: "apiKey"
      name: "Authorization"
      in: "header"

But this still means there should be a way to inject the x-amazon-apigateway-authtype: "awsSigv4" field into the components.securitySchemes.sigv4 object.

Currently this could be solved by using injections.

Then once the Sigv4 security scheme has been defined, all the methods using it must have the security object in them:

security:
  - sigv4: []

And additionally as you pointed out the x-amazon-apigateway-auth object should be injected into the method. Unfortunately this has not yet been fully implemented.

Also the whole setup (as described above) with Sigv4 is a bit of an mess currently.

We'll need do plan/design it a bit more and implement it.

j-murata commented 1 year ago

Currently this could be solved by using injections.

Your comment and this article helped me to confirm that IAM authentication can be set up with the following implementation. I hope this information will be of help to this lib authors and/or those who wish to have this feature.

import type { Paths } from '@alma-cdk/openapix';
import { Api, LambdaIntegration } from '@alma-cdk/openapix';

const paths = {
    '/some/api/path1': {
        get: new LambdaIntegration(stack, lambdaGetFunc1),
        post: new LambdaIntegration(stack, lambdaPostFunc1),
    },
    '/some/api/path2': {
        delete: new LambdaIntegration(stack, lambdaDeleteFunc2),
        get: new LambdaIntegration(stack, lambdaGetFunc2),
        put: new LambdaIntegration(stack, lambdaPutFunc2),        
    },
    ...
} satisfies Paths;

const api = new Api(stack, `${stack.stackName}-API`, {
    source: '/path/to/schema.yml',
    injections: {
        'components.securitySchemes.sigv4': {
            in: 'header',
            name: 'Authorization',
            type: 'apiKey',
            'x-amazon-apigateway-authtype': 'awsSigv4',
        },
        ...Object.entries(paths).reduce((obj, [path, integrations]) => {
            for (const method of Object.keys(integrations)) {
                obj[`paths.${path}.${method}.security[0].sigv4`] = [];
            }
            return obj;
        }, {} as Record<string, object>),
    },
    restApiProps: {
        ...
    },
}