AWS Custom Authorizer with request parameters


I'm building a REST API with Serverless. I've built a custom authorizer to retrieve custom policies; everything was working fine until I bumped into retrieving policies with request parameters, for example: base/As/{aId}/Bs/{bId}

Example of policies I'm retrieving right now:

{
    "principalId": "some id",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "execute-api:Invoke",
                "Resource": "arn:aws:execute-api:{region}:{accountId}:{apiId}/{stage}/GET/As/*"
            }
        ]
    }
}

So my issue is that the above policy should only allow retrieving a specific "A", but when I want to call some "B" that is only accessible through an "A", I'll need to call an endpoint like base/As/{aId}/Bs/{bId}. With the above policy I'll have permission to request this endpoint, when I shouldn't.

Is there a way to have request parameters in the resource in the policy?

jackko (accepted answer)

There isn't a way to put request parameters in the resource policy. I don't see how that could be secure. The policy should only be stating explicitly allowed actions on resources.

You may have to enumerate several resources in your policy (an array is allowed).
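The approach from the answer, written out as an added example (not code from the question or the answer): a TOKEN-style Lambda authorizer that derives the API prefix from the incoming methodArn and emits a Resource array listing exactly the method/path pairs the principal may invoke, plus a small IAM-style matcher that shows why a single "As/*" wildcard also covered "As/{aId}/Bs/{bId}". The token table, the permission table and the account/API identifiers are constructed placeholders.

```python
import re

# Constructed sample data (not real AWS identifiers or tokens): which
# principal each bearer token maps to, and which routes that principal may call.
TOKENS = {"token-alice": "alice"}
PERMISSIONS = {"alice": [("GET", "As/1"), ("GET", "As/1/Bs/7")]}

def api_prefix(method_arn):
    """'arn:...:apiId/stage/METHOD/path' -> 'arn:...:apiId/stage'."""
    return "/".join(method_arn.split("/")[:2])

def build_policy(principal_id, prefix, allowed_routes):
    """Enumerate exactly the method/path pairs the caller may invoke
    (a Resource array), instead of one wildcard such as GET/As/*."""
    resources = [f"{prefix}/{method}/{path}" for method, path in allowed_routes]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "execute-api:Invoke",
                           "Resource": resources}],
        },
    }

def handler(event, context=None):
    """TOKEN-style Lambda authorizer: an unknown token raises, which
    API Gateway turns into a 401 for the client."""
    principal = TOKENS.get(event.get("authorizationToken"))
    if principal is None:
        raise Exception("Unauthorized")
    return build_policy(principal, api_prefix(event["methodArn"]),
                        PERMISSIONS.get(principal, []))

def _arn_matches(pattern, arn):
    # IAM-style matching: '*' matches any run of characters, '/' included,
    # which is why "As/*" also covered "As/{aId}/Bs/{bId}" in the question.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None

def is_allowed(policy, method_arn):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow permits."""
    allowed = False
    for stmt in policy["policyDocument"]["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(_arn_matches(r, method_arn) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

API Gateway caches the returned policy per token for the configured TTL, so the enumerated list must cover every route the caller will hit during that window, not just the one in the current methodArn.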