AWS API Gateway custom Authorizer strange showing error

Here is the context:

  • I set up a resource in the API Gateway: /user/company
  • This resource has 2 methods: GET and POST.
  • I have configured a custom Authorizer for this resource.

The problem:

  • I can call the GET method by sending the right authorization information and I get the results as expected.
  • I try to send a POST request and I get the following error:

{ "message": "User is not authorized to access this resource" }

  • If I wait for a few minutes, then call the POST method, it will work.
  • If after calling the POST method and getting the results I call the GET method, it will show the same error as mentioned above.

In addition, I have disabled cache for the authorizer.

What might have caused this issue?

Arman Fatahi asked May 14 '18 13:05


2 Answers

This could be fixed in two ways that are described in buggy's answer: https://forum.serverless.com/t/rest-api-with-custom-authorizer-how-are-you-dealing-with-authorization-and-policy-cache/3310

Short version:

  1. Set TTL for the custom authorizer to 0
  2. Set custom authorizer policy resource as "*"

I've tried each solution and they both solved the issue with "User is not authorized to access this resource" for me.

Orest answered Oct 18 '22 17:10


This error will occur if you use event.methodArn as the resource for the generated policy and share an authorizer between different functions, because of how policy caching works. For a provided token it caches a policy across the entire API; it will be the same cache entry for all methods and resources within the same API and stage (if they share the same authorizer).

For example, when making a request to GET /users, the ARN will look something like this:

arn:aws:execute-api:us-1:abc:123/prod/GET/users 

The next call to any endpoint with the same authentication token will use the cached policy, which was created on the first call to GET /users. The problem with that cached policy is that its resource only allows a single particular resource ARN, .../prod/GET/users; any other resource will be rejected.

Depending on how much you want to limit policy permissions, you can either mention every possible resource when creating a policy

{
  "principalId": "user",
  "policyDocument": {
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": [
          "arn:aws:execute-api:us-1:abc:123/prod/GET/v1/users",
          "arn:aws:execute-api:us-1:abc:123/prod/POST/v1/users",
          "arn:aws:execute-api:us-1:abc:123/prod/GET/v1/orders"
        ]
      }
    ],
    "Version": "2012-10-17"
  }
}

or use wildcards

"Resource": "arn:aws:execute-api:us-1:abc:123/prod/*/v?/*" 

or even

"Resource": "*" 

You can use policy variables for some advanced templates.

It is also possible to use a blacklist approach by allowing everything using wildcards and then denying specific resources in another policy statement.

Sources:

  • AWS forums: API Gateway issue about custom authorizers
  • AWS docs: IAM Policy resource field
Michael Radionov answered Oct 18 '22 15:10
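The two fixes in Orest's answer (TTL 0, or a wildcard Resource) and the cache explanation in Michael Radionov's answer can be reproduced offline. The following is an added example, not code from either answer or from AWS: a Lambda TOKEN authorizer handler that scopes its Allow statement to the whole stage of the API the request came in on (derived from event.methodArn) and carves out an /admin deny, plus a small evaluator that applies a policy the way the gateway does (explicit Deny wins, otherwise an Allow is required) and a per-token cache replay that makes the GET-then-POST failure from the question visible. The token table, principal ids, ARNs and the /admin deny are constructed for the illustration; the cache replay is an approximation of the gateway's per-token policy cache, not its implementation.

```python
import re

# Constructed sample ARNs in the shape API Gateway puts in event["methodArn"]:
#   arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<HTTP-verb>/<path>
GET_USERS = "arn:aws:execute-api:us-1:abc:123/prod/GET/users"
POST_USERS = "arn:aws:execute-api:us-1:abc:123/prod/POST/users"
DELETE_ADMIN = "arn:aws:execute-api:us-1:abc:123/prod/DELETE/admin/users"

# Hypothetical token table standing in for real token validation (JWT check,
# introspection endpoint, ...). Not part of the original answers.
KNOWN_TOKENS = {"good-token": "user-42"}


def parse_method_arn(method_arn):
    """Split an execute-api method ARN into region, account, api_id, stage, verb, path."""
    parts = method_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "execute-api":
        raise ValueError("not an execute-api ARN: %r" % method_arn)
    api_part = parts[5].split("/", 3)
    while len(api_part) < 4:  # tolerate an ARN with no path segment
        api_part.append("")
    api_id, stage, verb, path = api_part
    return {"region": parts[3], "account": parts[4], "api_id": api_id,
            "stage": stage, "verb": verb, "path": path}


def stage_base_arn(method_arn):
    """Prefix shared by every method and path of the same API and stage."""
    p = parse_method_arn(method_arn)
    return "arn:aws:execute-api:%s:%s:%s/%s" % (p["region"], p["account"], p["api_id"], p["stage"])


def build_policy(principal_id, allow_resources, deny_resources=(), context=None):
    """Authorizer response document. Context values must be scalars, so they are stringified."""
    statements = [{"Action": "execute-api:Invoke", "Effect": "Allow",
                   "Resource": list(allow_resources)}]
    if deny_resources:
        statements.append({"Action": "execute-api:Invoke", "Effect": "Deny",
                           "Resource": list(deny_resources)})
    doc = {"principalId": principal_id,
           "policyDocument": {"Version": "2012-10-17", "Statement": statements}}
    if context:
        doc["context"] = {k: str(v) for k, v in context.items()}
    return doc


def _arn_matches(pattern, arn):
    """IAM-style resource match: '*' spans any characters (slashes included), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def policy_allows(policy, method_arn):
    """Evaluate like the gateway: an explicit Deny wins, otherwise some Allow must match."""
    allowed = False
    for stmt in policy["policyDocument"]["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(_arn_matches(r, method_arn) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def handler(event, context=None):
    """Hypothetical Lambda TOKEN authorizer entry point. Allows the whole stage and
    denies /admin, so the cached policy stays valid for every later request."""
    principal = KNOWN_TOKENS.get(event.get("authorizationToken"))
    if principal is None:
        raise Exception("Unauthorized")  # API Gateway maps this message to a 401
    base = stage_base_arn(event["methodArn"])
    return build_policy(principal,
                        allow_resources=[base + "/*/*"],
                        deny_resources=[base + "/*/admin", base + "/*/admin/*"],
                        context={"principal": principal})


def simulate_cached_calls(policy_for, token, method_arns, cache_ttl_seconds):
    """Replay requests through a per-token policy cache like the gateway's;
    policy_for(token, method_arn) is only invoked on a cache miss (or TTL 0)."""
    cache, results = {}, []
    for arn in method_arns:
        policy = cache.get(token) if cache_ttl_seconds > 0 else None
        if policy is None:
            policy = policy_for(token, arn)
            cache[token] = policy
        results.append(policy_allows(policy, arn))
    return results


def narrow_policy_for(token, method_arn):
    """The pattern from the question: Resource is just the current event.methodArn."""
    return build_policy(KNOWN_TOKENS[token], [method_arn])


def gateway_policy_for(token, method_arn):
    return handler({"authorizationToken": token, "methodArn": method_arn})


if __name__ == "__main__":
    calls = [GET_USERS, POST_USERS]
    print("narrow policy, cache on:", simulate_cached_calls(narrow_policy_for, "good-token", calls, 300))
    print("narrow policy, TTL 0   :", simulate_cached_calls(narrow_policy_for, "good-token", calls, 0))
    print("stage policy, cache on :", simulate_cached_calls(gateway_policy_for, "good-token", calls + [DELETE_ADMIN], 300))
```

With the narrow policy and caching on, the replay returns [True, False]: the POST is rejected by the policy cached for the GET. Setting the TTL to 0 (Orest's first fix) gives [True, True] at the cost of invoking the authorizer on every request; the stage-scoped policy (the wildcard form of his second fix) gives [True, True, False] with caching on, the last value being the explicit /admin deny. Prefer the stage-scoped wildcard over a bare "*" so a leaked or reused policy cannot authorise calls to other APIs or stages in the account.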