I'm building a REST API with serverless. I've built a custom authorizer to retrieve custom policies, and everything was working fine until I bumped into retrieving policies with request parameters, for example: base/As/{aId}/Bs/{bId}
Example of policies I'm retrieving right now:
{
  "principalId": "some id",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:{region}:{accountId}:{apiId}/{stage}/GET/As/*"
      }
    ]
  }
}
So my issue is that the above policy should only allow retrieving a specific "A", but when I want to call some "B" that is only accessible through an "A", I'll need to call an endpoint like base/As/{aId}/Bs/{bId}; with the above policy I'll have permission to access this endpoint, when I shouldn't.
Is there a way to have request parameters in the resource in the policy?
There isn't a way to put request parameters in the resource policy. I don't see how that could be secure. The policy should only be stating explicitly allowed actions on resources.
You may have to enumerate several resources in your policy (array is allowed).
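One way to follow that advice, as an added example (not the asker's or answerer's code): a Python Lambda authorizer that enumerates the exact execute-api ARNs a principal may invoke, with no wildcard under /As/*. The ownership tables, region, account id, API id and stage are constructed placeholders; the real handler would take principal_id from the validated token and method_arn from event["methodArn"].

```python
from typing import Dict, List

# Constructed sample ownership data; a real authorizer would query its own store.
OWNED_AS: Dict[str, List[str]] = {"user-1": ["a1", "a2"]}
BS_UNDER_A: Dict[str, List[str]] = {"a1": ["b1", "b2"], "a2": ["b3"]}


def parse_method_arn(method_arn: str):
    """Split arn:aws:execute-api:region:account:apiId/stage/METHOD/path into its parts."""
    region, account_id, rest = method_arn.split(":")[3:6]
    parts = rest.split("/", 3)  # api_id, stage, METHOD, path (path may be absent)
    return region, account_id, parts[0], parts[1]


def execute_api_arn(region, account_id, api_id, stage, method, path) -> str:
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{method}/{path}"


def allowed_resources(principal_id, region, account_id, api_id, stage) -> List[str]:
    """Enumerate every GET resource this principal may invoke: its own A's and the
    B's under them. /As/a1/Bs/b9 is only covered if b9 is actually listed under a1."""
    resources = []
    for a_id in OWNED_AS.get(principal_id, []):
        resources.append(execute_api_arn(region, account_id, api_id, stage, "GET", f"As/{a_id}"))
        for b_id in BS_UNDER_A.get(a_id, []):
            resources.append(
                execute_api_arn(region, account_id, api_id, stage, "GET", f"As/{a_id}/Bs/{b_id}")
            )
    return resources


def build_policy(principal_id: str, method_arn: str) -> dict:
    """Build the authorizer response. API Gateway caches the policy per token, so it
    must list everything the principal may call, not just the current request."""
    region, account_id, api_id, stage = parse_method_arn(method_arn)
    resources = allowed_resources(principal_id, region, account_id, api_id, stage)
    if resources:
        statement = {"Effect": "Allow", "Action": "execute-api:Invoke", "Resource": resources}
    else:
        # An empty Resource list is not a valid statement, so deny the request explicitly.
        statement = {"Effect": "Deny", "Action": "execute-api:Invoke", "Resource": method_arn}
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }
```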