TechQA.

AWS Custom Authorizer with request parameters

603 views Asked by At

I'm building a rest API with serverless. I've built a custom authorizer to retrieve custom policies, everything was working fine until I've bump into retrieving policies with request parameters, example: base/As/{aId}/Bs/{bId}

Example of policies I'm retrieving right now: 

{
"principalId": "some id",
"policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:{region}:{apiId}/{stage}/GET/As/*"
        }
    ]
}

so my issue is the above policy should only be to retrieve a specific "A", but when I want to call some "B" that only is accessible through a "A", I'll need to call a endpoint like base/As/{aId}/Bs/{bId}, with the above policy I'll have permission to access request this endpoint, when I shouldn't.

Is there a way to have request parameters in the resource in the policy?

amazon-web-services aws-lambda aws-api-gateway amazon-cognito serverless-framework
Original Q&A
1

There are 1 answers

0
jackko On BEST ANSWER

There isn't a way to put request parameters in the resource policy. I don't see how that could be secure. The policy should only be stating explicitly allowed actions on resources.

You may have to enumerate several resources in your policy (array is allowed).

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AWS-LAMBDA

Related Questions in AWS-API-GATEWAY

Related Questions in AMAZON-COGNITO

Related Questions in SERVERLESS-FRAMEWORK

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions