aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0
2.81k stars 820 forks

Cognito Auth role has incorrect ARNs for REST APIs #1679

Closed anatonie closed 5 years ago

anatonie commented 5 years ago

Note: If your issue/bug is regarding the AWS Amplify Console service, please log it in the official AWS Amplify Console forum

Describe the bug: I have an API in my project that permits authenticated traffic only. The Auth role for my Cognito user pool (created by Amplify CLI) has improperly formatted ARNs. This results in being unable to call the API successfully; calls are met with 403s from the API.

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/POST//*",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/POST/",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/GET//*",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/GET/",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/PUT//*",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/PUT/",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/PATCH//*",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/PATCH/",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/DELETE//*",
                "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/DELETE/"
            ],
            "Effect": "Allow"
        }
    ]
}

To Reproduce: Steps to reproduce the behavior:

  1. Add auth
  2. Add REST API with restricted access
  3. Call API
  4. See 403 response

Expected behavior: Calls to the API should succeed

Additional context: CLI version 1.7.3

UnleashedMind commented 5 years ago

Hi @anatonie

When the REST API is being added to your project, you need to provide answers to a series of prompted questions. One of them is "Provide a path (e.g., /items)"; if you take the default value, it'll be /items, and the Resource in the policy statement will contain it, like this:

arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/POST/items/*

I was not able to reproduce the issue you reported using the default answers. Did you manually modify anything before you executed amplify push?

anatonie commented 5 years ago

You are correct, I forgot I modified the path. I modified the path from '/api' that I chose during setup to '/', so no bug here.

However, I did this because using multiple lambdas for different paths is overkill, and the express function can handle multiple paths. Using a separate function could increase wait times due to cold starts.

Is there a reason for this limitation? API Gateway/Lambda support using a single lambda for all paths.
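Added example, not part of the thread and not Amplify CLI code: a Python check that flags execute-api resources containing an empty path segment, like the `POST//*` entries in the policy above, and models resource matching to show which request ARNs such entries cover. The function names, the `/users` and `/items/42` request paths, and the simplified matching (only `*` and `?`; Action, Deny and Condition are not evaluated) are assumptions.

```python
import json
import re

# Constructed sample: two Resource entries from the policy in the issue and one
# in the /items form from the reply ({APIID} is the page's own placeholder).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": ["execute-api:Invoke"],
  "Resource": [
    "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/POST//*",
    "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/POST/",
    "arn:aws:execute-api:us-west-2:239336166108:{APIID}/prod/GET/items/*"]}]}""")

def resources(stmt):
    """Resource may be a single string or a list; always return a list."""
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)

def iam_match(pattern, arn):
    """Simplified IAM matching (assumption): '*' = any run of chars, '?' = one char."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, arn) is not None

def method_arn(api_prefix, stage, verb, path):
    """Request ARN in the api-id/stage/VERB/path layout used by the policy above."""
    return f"{api_prefix}/{stage}/{verb}/{path.lstrip('/')}"

def empty_segment_resources(policy):
    """Flag execute-api resources whose api-id/stage/VERB/path part contains '//'."""
    return [arn for stmt in policy["Statement"] for arn in resources(stmt)
            if arn.startswith("arn:aws:execute-api:") and "//" in arn.split(":", 5)[-1]]

def allowed(policy, request_arn):
    """True if any Allow statement has a Resource pattern matching request_arn."""
    return any(iam_match(r, request_arn) for s in policy["Statement"]
               if s.get("Effect") == "Allow" for r in resources(s))

if __name__ == "__main__":
    prefix = "arn:aws:execute-api:us-west-2:239336166108:{APIID}"
    print("empty-segment resources:", empty_segment_resources(POLICY))
    for verb, path in [("POST", "/"), ("POST", "/users"), ("GET", "/items/42")]:
        arn = method_arn(prefix, "prod", verb, path)
        print(verb, path, "->", "allowed" if allowed(POLICY, arn) else "no matching Allow")
```

Running a check like this over the generated auth-role policy before `amplify push` catches a root path of `/` that has collapsed into `//*`, which covers only request ARNs that themselves contain a double slash.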

kaustavghosh06 commented 5 years ago

@anatonie Why would you use a separate lambda function for another path? You could just use amplify update api and add an additional path to an existing REST API in your project and then use the lambda function which is behind that REST API endpoint. This seems to be a different question/query than the original issue. Could you please open another issue for this if you're still having more questions?

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.