RustyShackleford

Reputation: 27378

Lambda Authorizer not respecting Resource

I'm generating the following policy which gets cached:

{
    'principalId': '[email protected]',
    'policyDocument': {
        'Version': '2012-10-17',
        'Statement': [{
            'Action': 'execute-api:*',
            'Effect': 'Deny',
            'Resource': 'arn:aws:execute-api:us-east-1:12345:hahd712723/active/GET/v1/AccountA'
        }]
    }
}

I then make a request to arn:aws:execute-api:us-east-1:12345:hahd712723/active/GET/v1/AccountB

which should generate:

{
    'principalId': '[email protected]',
    'policyDocument': {
        'Version': '2012-10-17',
        'Statement': [{
            'Action': 'execute-api:*',
            'Effect': 'Allow',
            'Resource': 'arn:aws:execute-api:us-east-1:12345:hahd712723/active/GET/v1/AccountB'
        }]
    }
}

but instead of a new cache set, I get the deny policy incorrectly.

Seems like the principal Id is the only thing looked at and resource is not respected.

Upvotes: 0

Views: 109

Answers (1)

cementblocks

Reputation: 4616

The policy is cached based on the header you select/API key, not based on the header and resource. The policy should be constructed for all resources, not just the resource being requested.

Upvotes: 2
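The approach the answer describes, as an added example (not code from either poster): the authorizer returns one policy listing every path the caller may reach, so the cached policy gives the right decision for a later request to a different resource. The `lookup` callback, the principal ID and the `evaluate` helper (a simplified model of policy evaluation) are assumptions; the ARNs and the `GET /v1/<account>` layout come from the question.

```python
from fnmatch import fnmatchcase

def build_policy(principal_id, method_arn, allowed_accounts):
    """Build one policy covering every resource, since the cache key is the token alone."""
    # methodArn layout: arn:aws:execute-api:region:account:apiId/stage/VERB/path
    arn_and_api, stage = method_arn.split("/")[:2]
    prefix = f"{arn_and_api}/{stage}"
    if allowed_accounts:
        # List all permitted paths; anything not listed is implicitly denied.
        statement = {
            "Action": "execute-api:Invoke",
            "Effect": "Allow",
            "Resource": [f"{prefix}/GET/v1/{a}" for a in sorted(allowed_accounts)],
        }
    else:
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny",
                     "Resource": [f"{prefix}/*"]}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def evaluate(policy, method_arn):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny."""
    decision = "Deny"
    for st in policy["policyDocument"]["Statement"]:
        resources = st["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(fnmatchcase(method_arn, r) for r in resources):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

_policy_cache = {}  # models the authorizer cache: keyed by token, never by resource

def authorize(token, method_arn, lookup):
    """Run the authorizer only on a cache miss, then evaluate the cached policy."""
    if token not in _policy_cache:
        principal_id, accounts = lookup(token)  # hypothetical entitlement lookup
        _policy_cache[token] = build_policy(principal_id, method_arn, accounts)
    return evaluate(_policy_cache[token], method_arn)

BASE = "arn:aws:execute-api:us-east-1:12345:hahd712723/active/GET/v1/"  # ARNs from the question

def demo():
    lookup = lambda token: ("user@example.com", {"AccountB"})  # constructed sample data
    _policy_cache.clear()
    return [authorize("tok", BASE + "AccountA", lookup),
            authorize("tok", BASE + "AccountB", lookup)]
```

Because the allow list names only permitted paths and leaves the rest to implicit deny, no explicit Deny statement is present to override an Allow for another resource.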
