apigateway: Can't set default authorization scopes when adding a proxy to a resource #29781
Comments
I was not able to deploy this stack

```typescript
import { Duration, Stack, StackProps } from "aws-cdk-lib";
import * as agw from "aws-cdk-lib/aws-apigateway";
import * as cognito from "aws-cdk-lib/aws-cognito";
import { Construct } from "constructs";

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);
    // create a cognito user pool
    const userPool = new cognito.UserPool(this, "UserPool", {
      selfSignUpEnabled: true,
      signInAliases: {
        email: true,
      },
    });
    const authorizer = new agw.CognitoUserPoolsAuthorizer(this, "Authorizer", {
      cognitoUserPools: [userPool],
    });
    const api = new agw.RestApi(this, "Actions-ApiGateway", {
      defaultCorsPreflightOptions: {
        allowOrigins: agw.Cors.ALL_ORIGINS,
        maxAge: Duration.days(10)
      },
    });
    const root = api.root;
    const sendResource = root.addResource(`InitiateAction`)
    // prepare a dummy lambda function
    // (getLambdaFunction is a helper that is not shown in this comment)
    const dummyhandler = getLambdaFunction(this);
    const sendLambdaIntegration = new agw.LambdaIntegration(dummyhandler);
    const sendProxy = sendResource.addProxy({
      defaultIntegration: sendLambdaIntegration,
      anyMethod: true,
      defaultMethodOptions: {
        authorizer: authorizer,
        authorizationType: agw.AuthorizationType.COGNITO,
        authorizationScopes: [`scope`],
      },
      defaultCorsPreflightOptions: {
        allowOrigins: agw.Cors.ALL_ORIGINS,
        allowMethods: agw.Cors.ALL_METHODS
      }
    })
  }
}
```

Error msg:
The synthesized template has the resource which I believe is the root cause:

```json
"ActionsApiGatewayInitiateActionproxyOPTIONS041B022A": {
  "Type": "AWS::ApiGateway::Method",
  "Properties": {
    "ApiKeyRequired": false,
    "AuthorizationScopes": [
      "scope"
    ],
    "AuthorizationType": "NONE",
    "HttpMethod": "OPTIONS",
    "Integration": {
      "IntegrationResponses": [
        {
          "ResponseParameters": {
            "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
            "method.response.header.Access-Control-Allow-Origin": "'*'",
            "method.response.header.Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'",
            "method.response.header.Access-Control-Max-Age": "'864000'"
          },
          "StatusCode": "204"
        }
      ],
      "RequestTemplates": {
        "application/json": "{ statusCode: 200 }"
      },
      "Type": "MOCK"
    },
    "MethodResponses": [
      {
        "ResponseParameters": {
          "method.response.header.Access-Control-Allow-Headers": true,
          "method.response.header.Access-Control-Allow-Origin": true,
          "method.response.header.Access-Control-Allow-Methods": true,
          "method.response.header.Access-Control-Max-Age": true
        },
        "StatusCode": "204"
      }
    ],
    "ResourceId": {
      "Ref": "ActionsApiGatewayInitiateActionproxyDD433460"
    },
    "RestApiId": {
      "Ref": "ActionsApiGatewayF80386B7"
    }
  },
  "Metadata": {
    "aws:cdk:path": "dummy-stack/Actions-ApiGateway/Default/InitiateAction/{proxy+}/OPTIONS/Resource"
  }
},
```

For some reason, cdk is adding

It's not easy to work it around. Making this a p1 bug.
…ognito (#30035)

### Issue # (if applicable)

Closes #29781

### Reason for this change

Authorization scope is set even when the auth type is None. This will cause deployment failure

> 12:52:11 PM | CREATE_FAILED | AWS::ApiGateway::Method | ActionsApiGatewayI...oxyOPTIONS041B022A
> Resource handler returned message: "Invalid Method authorization type specified. Authorization Scopes are only valid for COGNITO_USER_POOLS authorization type (Service: ApiGateway, Status Code: 400, Request ID: f9c6357b-428e-42a8-884c-07b77939d165)" (RequestToken: bb8de2e9-37b7-ca15-9bd8-547bc7eea134, HandlerErrorCode: InvalidRequest)

### Description of changes

Check when auth type is not Cognito, set auth scope to none. Not a breaking change because original templates cannot deploy.

### Description of how you validated changes

All existing and new tests pass.

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

The original PR to fix this issue caused a regression issue. We've now managed to roll-forward with a fix in
Describe the bug
When trying to add a Proxy to a Resource, you can't set the default authorization scopes because it attempts to set the authorization scopes to the OPTIONS method despite the OPTIONS method intentionally not having any authorizer.
This works, and creates an InitiateAction resource with a proxy using the Cognito Authorizer as the authorizer. But if I uncomment the authorizationScopes line then it fails because it tries to assign the authorizationScopes to the OPTIONS method.
Expected Behavior
Default authorization scopes are only applied to non-OPTIONS methods.
Current Behavior
Default authorization scopes are applied to all methods, including OPTIONS, which causes the deployment to fail.
Reproduction Steps
Possible Solution
The generated CloudFormation template shouldn't attempt to apply authorization scopes to the OPTIONS method.
Additional Information/Context
No response
CDK CLI Version
2.134.0 (build 265d769)
Framework Version
No response
Node.js Version
v18.19
OS
Mac OS 13.5.2 (22G91)
Language
TypeScript
Language Version
No response
Other information
No response
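
The failure reported above can be caught before deployment by linting the synthesized template. The following is an added example, not code from the issue or from aws-cdk: it flags any `AWS::ApiGateway::Method` that carries `AuthorizationScopes` without `COGNITO_USER_POOLS` and, going one step beyond the issue, any non-OPTIONS method left at `NONE`. The `lintMethodAuth` function, the `Finding` shape and the `ExampleProxyANY` logical ID are assumptions made for illustration.

```typescript
// Added example, not aws-cdk code: pre-deploy lint of a synthesized template.
type CfnResource = { Type: string; Properties?: { [key: string]: unknown } };
type CfnTemplate = { Resources: { [logicalId: string]: CfnResource } };
type Finding = { logicalId: string; httpMethod: string; reason: string };

function lintMethodAuth(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    const props = res.Properties;
    if (res.Type !== "AWS::ApiGateway::Method" || !props) continue;
    const httpMethod = String(props.HttpMethod);
    const authType = String(props.AuthorizationType || "NONE");
    const scopes = Array.isArray(props.AuthorizationScopes) ? props.AuthorizationScopes : [];
    // API Gateway accepts scopes only with COGNITO_USER_POOLS; this is the
    // combination that produced CREATE_FAILED in the issue.
    if (scopes.length > 0 && authType !== "COGNITO_USER_POOLS") {
      findings.push({ logicalId, httpMethod, reason: "scopes-without-cognito" });
    }
    // The CORS preflight (OPTIONS) is intentionally unauthenticated; any other
    // method left at NONE is reachable without the authorizer.
    if (httpMethod !== "OPTIONS" && authType === "NONE") {
      findings.push({ logicalId, httpMethod, reason: "unauthenticated-method" });
    }
  }
  return findings;
}

// Constructed sample: the OPTIONS entry is trimmed from the template in the
// issue; the ANY entry and its logical ID are made up for illustration.
const sampleTemplate: CfnTemplate = {
  Resources: {
    ActionsApiGatewayInitiateActionproxyOPTIONS041B022A: {
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "OPTIONS", AuthorizationType: "NONE", AuthorizationScopes: ["scope"] },
    },
    ExampleProxyANY: {
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "ANY", AuthorizationType: "COGNITO_USER_POOLS", AuthorizationScopes: ["scope"] },
    },
    ActionsApiGatewayInitiateActionproxyDD433460: { Type: "AWS::ApiGateway::Resource" },
  },
};

const sampleFindings = lintMethodAuth(sampleTemplate);
```

Run against the JSON under `cdk.out` after `cdk synth`, an empty result means no method has the scope and authorization type mismatch and no non-OPTIONS method is unauthenticated.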