aws / aws-lambda-dotnet

Libraries, samples and tools to help .NET Core developers develop AWS Lambda functions.
Apache License 2.0

APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement missing Condition element #588

Closed hauntingEcho closed 2 months ago

hauntingEcho commented 4 years ago

IAMPolicyStatement in APIGatewayCustomAuthorizerPolicy is missing the Condition element, as described in the IAM user guide.

klaytaybai commented 4 years ago

That it is. Thank you.

github-actions[bot] commented 2 years ago

We have noticed this issue has not received attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.

hauntingEcho commented 2 years ago

This is still an issue

yofitec commented 1 year ago

Still not there.

If you inherit from these classes and add the missing Condition in your new class, producing a valid policy document, does the Gateway simply accept valid policy statements with Conditions?

ashishdhingra commented 1 year ago

POCO update, should be a quick fix.

ashishdhingra commented 3 months ago

@hauntingEcho / @yofitec Good morning. I was revisiting this feature request. Although the issue appears to refer to the missing Condition element as described in IAM JSON policy elements: Statement, the Statement reference of IAM policies for executing API in API Gateway does not describe use of the Condition element. The class APIGatewayCustomAuthorizerPolicy is used in APIGatewayCustomAuthorizerV2IamResponse and APIGatewayCustomAuthorizerResponse. None of the below reference links describe use of the Condition element:

So I'm unsure if the Condition element should be supported in the APIGatewayCustomAuthorizerPolicy class. Refer to the Go version (not maintained by the AWS .NET SDK team) along similar lines here.

Could you please share any reference you might have where it mentions that Condition element should be supported in the executing API in API Gateway?

Thanks, Ashish

hauntingEcho commented 3 months ago

Hi Ashish,

As this was at a previous job (and I am no longer using dotnet actively) I don't still have a whole lot of context for (or stake in) this issue anymore, but the main reasons would be:

If it is true that API Gateway doesn't respect all parts of a regular IAM policy statement, despite continually referring to them as IAM policy statements, I'd expect to see that called out in the documentation rather than just assumed by omission in the API Gateway section - so this could also be resolved by clarifying the docs if it's true that API Gateway does not support Condition

ashishdhingra commented 3 months ago

Opened internal ticket P136777466 with service team for clarification.

ashishdhingra commented 2 months ago

Changes released in Amazon.Lambda.APIGatewayEvents 2.7.1. Also update to Amazon.Lambda.Serialization.Json 2.2.2

github-actions[bot] commented 2 months ago

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.