goadesign / plugins

A collection of plugins for Goa.
https://goa.design
MIT License

Arnz - a plugin for Arn based authorization. #168

Closed bkeane closed 2 months ago

bkeane commented 3 months ago

Arnz

ArnZ is a DSL for authorizing methods based on AWS IAM caller ARNs.

Given

Your Goa application...

  1. is receiving traffic via an AWS API Gateway.
  2. is using the AWS_IAM authorizer.

You Can

Authenticate All Callers

When imported, all methods will require all callers to be IAM authenticated.

package design

import (
    . "goa.design/goa/v3/dsl"
    _ "goa.design/plugins/v3/arnz/dsl"
)

Authorize Callers by ARN

You can authorize callers by ARN using the AllowArnsMatching function, passing it a regular expression.

Method("privileged", func() {
    // Only the caller whose IAM ARN matches this anchored pattern is authorized.
    AllowArnsMatching("^arn:aws:iam::123456789012:user/administrator$")
    Result(SecretStuff)
    HTTP(func() {
        GET("/secrets") // Goa's HTTP verb functions are upper-case (GET, POST, ...)
        Response(StatusOK)
    })
})

Allow Unsigned Requests

Allowing unsigned requests is useful for allowing traffic not originated from API gateway.

Method("healthz", func() {
    AllowUnsignedCallers()
    Result(HealthCheck)
    HTTP(func() {
        GET("/healthz")
        Response(StatusOK)
    })
})

note: Allowing unsigned callers does not disable authentication or authorization for signed requests.

Further Reading
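An added example, not the plugin's own code, that re-implements the authorization semantics the description lays out (ARN patterns per method, unsigned callers optionally allowed, signed callers always checked). It assumes the caller ARN is taken from API Gateway's `$context.identity.userArn` and is empty for unsigned traffic; `Policy`, `NewPolicy` and `Authorize` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Policy stands in for one method's Arnz settings: allowed ARN patterns plus
// whether unsigned callers may pass. Illustrative code, not the plugin's own.
type Policy struct {
	allowUnsigned bool
	patterns      []*regexp.Regexp
}
var ErrUnauthorized = errors.New("caller ARN not authorized")

// NewPolicy compiles patterns once, as a DSL would at design time, and rejects
// unanchored ones so "user/administrator" cannot also match "user/administrator2".
func NewPolicy(allowUnsigned bool, patterns ...string) (*Policy, error) {
	p := &Policy{allowUnsigned: allowUnsigned}
	for _, pat := range patterns {
		if !strings.HasPrefix(pat, "^") || !strings.HasSuffix(pat, "$") {
			return nil, fmt.Errorf("pattern %q must be anchored with ^ and $", pat)
		}
		re, err := regexp.Compile(pat)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", pat, err)
		}
		p.patterns = append(p.patterns, re)
	}
	return p, nil
}

// Authorize decides one call. callerArn is assumed to come from API Gateway's
// $context.identity.userArn and to be empty for unsigned (non-SigV4) traffic.
func (p *Policy) Authorize(callerArn string) error {
	if callerArn == "" {
		if p.allowUnsigned {
			return nil
		}
		return ErrUnauthorized
	}
	// Signed requests are still matched even when unsigned callers are allowed.
	for _, re := range p.patterns {
		if re.MatchString(callerArn) {
			return nil
		}
	}
	return ErrUnauthorized
}
```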