serverless / examples

Serverless Examples – A collection of boilerplates and examples of serverless architectures built with the Serverless Framework on AWS Lambda, Microsoft Azure, Google Cloud Functions, and more.
https://www.serverless.com/examples/

Question: Is it possible to share an Authorizer or HTTP Api #484

Open VED-StuartMorris opened 4 years ago

VED-StuartMorris commented 4 years ago

I've seen multiple threads and discussion around splitting up services into their own serverless.yml file setups.

Including this example showing sharing an API Gateway. https://github.com/serverless/examples/tree/master/aws-node-shared-gateway

Is it possible to share an HTTP Api, instead of the RestApi in this example? I have a question on SO regarding splitting up an HTTP Api service using an authorizer which falls into the same question. https://stackoverflow.com/questions/60968313/sharing-an-authorizer-between-different-http-api-services-in-aws-with-serverless

I have seen various threads on Export/Fn:Import information, but I cannot see documentation on what should be exported and imported in the different services to get this working.

For example, if you Export an Authorizer/Cognito User Pool, what value should you export and where/how do you Fn:Import that value in sub-services?

fernando-mc commented 4 years ago

The authorizer should be pretty easy to share in any service you need it in. You'd need the issuer URL and audience for the pool, and you could probably export that from the creation of the resource in serverless.yml if you'd like, but I'd suggest just creating the Cognito user pool and Cognito app client manually, then setting the values as variables.

I believe the two values you need are:

1) The issuer URL (aka the ProviderURL - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html)
2) The audience, which for Cognito is the app client id I believe.

You could use one of these options to do so:
https://serverless.com/framework/docs/dashboard/parameters/
https://serverless.com/framework/docs/providers/aws/guide/variables/#reference-variables-using-the-ssm-parameter-store

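Example of part of your serverless.yml:

Using Framework Pro parameters

# this block sits under provider.httpApi
authorizers:
  serviceAuthorizer:
    identitySource: $request.header.Authorization
    # Framework Pro (dashboard) parameters use the ${param:...} variable source
    issuerUrl: ${param:MY_COGNITO_URL}
    audience: ${param:MY_COGNITO_CLIENT_ID}

Using SSM parameters

# this block sits under provider.httpApi
authorizers:
  serviceAuthorizer:
    identitySource: $request.header.Authorization
    # values are read from SSM Parameter Store at deploy time
    issuerUrl: ${ssm:path/to/url/param}
    audience: ${ssm:path/to/audience/param}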

As far as reusing the HTTP API, I'm not sure about that part. Can you elaborate more on what you're doing?
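The export route mentioned in the reply above, sketched as an added example that is not code from the thread or from the serverless/examples repository: one service owns the Cognito user pool and publishes the issuer URL and app client ID as stack outputs, and each consuming service declares its own JWT authorizer from those two values. The service names (`shared-auth`, `orders-api`), the `dev` stage, the output keys, and the handler and resource names are assumptions chosen for illustration.

```yaml
# --- shared-auth/serverless.yml (hypothetical service that owns the pool) ---
service: shared-auth
provider:
  name: aws
resources:
  Resources:
    UserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: shared-user-pool
    UserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: shared-app-client
        UserPoolId:
          Ref: UserPool
  Outputs:
    IssuerUrl:              # the pool's ProviderURL attribute
      Value:
        Fn::GetAtt: [UserPool, ProviderURL]
    Audience:               # Ref on the app client returns its client ID
      Value:
        Ref: UserPoolClient
---
# --- orders-api/serverless.yml (hypothetical consuming service) ---
service: orders-api
provider:
  name: aws
  httpApi:
    authorizers:
      serviceAuthorizer:
        identitySource: $request.header.Authorization
        # ${cf:<stack>.<output>} reads another stack's Outputs; the stack
        # name is <service>-<stage>, with stage "dev" assumed here.
        issuerUrl: ${cf:shared-auth-dev.IssuerUrl}
        audience: ${cf:shared-auth-dev.Audience}
functions:
  listOrders:
    handler: handler.listOrders
    events:
      - httpApi:
          method: GET
          path: /orders
          authorizer:
            name: serviceAuthorizer
```

The `shared-auth` stack has to be deployed first so the outputs exist when a consuming service resolves them. Every service that points at the same issuer and audience accepts the same tokens, so per-route restrictions still have to be set in each consuming service.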