AWS API Gateway custom authorizer Lambda

I am trying to authorize API calls through an AWS API Gateway custom authorizer,
which is basically a custom Lambda function that takes the following header in the following format -

{
    "authorizationToken": "0c34ba00bde34200b383abe22bcfef96",
    "methodArn": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
    "type": "TOKEN"
}

and expects a response in the following format -

{
  "principalId": "xxxxxxx", // the principal user identification associated with the token send by the client
  "policyDocument": { // example policy shown below, but this value is any valid policy
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "execute-api:Invoke"
        ],
        "Resource": [
          "arn:aws:execute-api:us-east-1:xxxxxxxxxxxx:xxxxxxxx:/test/*/mydemoresource/*"
        ]
      }
    ]
  }
}

I am able to run my internal logic using the authorizationToken and verify whether the function should respond with an "Allow" or "Deny" policy, but when I try to test the authorizer from the console I get a parsing error.

Here is my request log -

Execution log for request test-request
Thu Jun 29 11:48:10 UTC 2017 : Starting authorizer: 1o3dvk for request: test-request
Thu Jun 29 11:48:10 UTC 2017 : Incoming identity: **************************cfef96
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request URI: https://lambda.ap-southeast-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:ap-southeast-1:855399270504:function:um_guestSessionAuthoriser/invocations
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request headers: {x-amzn-lambda-integration-tag=test-request, Authorization=*********************************************************************************************************************************************************************************************************************************************************************************************************************************************751e60, X-Amz-Date=20170629T114810Z, x-amzn-apigateway-api-id=z6t3cv0z4m, X-Amz-Source-Arn=arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/authorizers/1o3dvk, Accept=application/json, User-Agent=AmazonAPIGateway_z6t3cv0z4m, X-Amz-Security-Token=FQoDYXdzEHQaDOcIbaPscYGsl1wF4iLBAxzOTpZlR2r3AO3g96xwhRuQjEhU9OjOaRieBWQPeosNqv53aGKnBTT2CmkrVzHo3UqOdT1eakuS7tAXAbEcUIHVheWpBnvxqTkaPcknRL7QE79RSqVeryoXo2R1Kmk0Q9Iq+JGFlOJYQQJqvY/hcUg189xqbpTGrhZjcA+pjuSp+M9D97Kce0VP0e3peu/YvON0eGvUlj59MAJAwGVPIzplMKTDFrFg5NKEj79RSxNrNE8y4bAebOwlD8xLv649Zny7++xlMBBwHqMNHu3K9lFXSnKY9DHf6kvezZmpoFB2uu8WbrpInH0eQ/bIAd [TRUNCATED]
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request body after transformations: {"type":"TOKEN","methodArn":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","authorizationToken":"0c34ba00bde34200b383abe22bcfef96"}
Thu Jun 29 11:48:10 UTC 2017 : Sending request to https://lambda.ap-southeast-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:ap-southeast-1:855399270504:function:um_guestSessionAuthoriser/invocations
Thu Jun 29 11:48:21 UTC 2017 : Authorizer result body before parsing: {"principalId":"user","policyDocument":{"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]}}
Thu Jun 29 11:48:21 UTC 2017 : Execution failed due to configuration error: Could not parse policy: {"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]}
Thu Jun 29 11:48:21 UTC 2017 : AuthorizerConfigurationException

I am using Java for the Lambda function and have built and returned the policy using POJO classes (setter/getter classes). After beautifying the Lambda response,
my policy looks as follows -

{
    "principalId": "user",
    "policyDocument": {
        "version": "2012-10-17",
        "statement": [{
            "resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
            "action": "execute-api:Invoke",
            "effect": "Allow"
        }]
    }
}

I want to know why it cannot parse my response?
As suggested, I tried capitalizing the IAM policy in the response;
I used @SerializedName from com.google.gson.annotations.SerializedName and was able to get the following output -

{
    "principalId": "user",
    "policyDocument": {
        "version": "2012-10-17",
        "statement": [{
            "effect": "Deny",
            "action": ["execute-api:Invoke"],
            "resource": ["arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/"]
        }]
    }
}

But it looks like something strange happens between my Lambda response and API Gateway:
the variables are being lowercased internally somewhere,
and I still get the same parsing error.
Does it accept responses in other formats? A String does not work either.

What else should I try? Is my policy format wrong?
I got two different policy formats from these sites -
1. http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
2. https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/

Your policy attributes need proper capitalization. Instead of:

{
    "principalId": "user",
    "policyDocument": {
        "version": "2012-10-17",
        "statement": [{
            "resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
            "action": "execute-api:Invoke",
            "effect": "Allow"
        }]
    }
}

it should be:

{
    "principalId": "user",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
            "Action": "execute-api:Invoke",
            "Effect": "Allow"
        }]
    }
}

You might as well use "PrincipalId" for consistency.

Chris, your answer is almost correct. Version, Statement, Resource, Action and Effect must be capitalized, but be careful with policyDocument and principalId.

The correct response should look like this:

{
  "principalId": "yourUserId",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:eu-west-1:0123456878910:g3ttos57v5/live/PUT/your/resource/*"
      }
    ]
  }
}

I found that when AWS serializes the return value of the authorizer handler, it does not honor the com.google.gson.annotations.SerializedName annotation used to capitalize certain fields. They are probably using a serializer other than Gson.

The way I solved it was to return a Map<String, Object> with the correct capitalization:

import java.lang.reflect.Type;
import java.util.Map;
import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
// 'gson' is the handler's existing Gson instance; it honours @SerializedName, so the Map keeps the capitalized keys.
private Map<String, Object> formatAuthorizerResponse(AuthorizerResponseEvent response) {
    String json = gson.toJson(response);
    Type mapType = new TypeToken<Map<String, Object>>(){}.getType();
    return new Gson().fromJson(json, mapType);
}
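
As an added example that is not part of the question or of any of the answers above: a TOKEN-type Lambda authorizer written in Python that returns the response with the key casing the answers describe (camelCase principalId and policyDocument, capitalized Version, Statement, Effect, Action and Resource), scopes the Allow to the API and stage parsed from methodArn, denies by default, and includes a small checker that flags the lower-cased document from the question's execution log before it ever reaches API Gateway. The token store, the principal names, the regular expression and the helper names are assumptions made for this example.

```python
"""Added example, not code from the original question or answers.

A minimal TOKEN authorizer for API Gateway. The only thing API Gateway
parses is the returned dict, so the casing of its keys is the contract.
"""
import hmac
import re

# Constructed token store for the example: token -> principal id.
# A real authorizer would check a session store or verify a signed token.
VALID_TOKENS = {
    "0c34ba00bde34200b383abe22bcfef96": "user",
}

# Shape of the methodArn API Gateway passes in:
#   arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<verb>/<path>
METHOD_ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>\d+):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<verb>[^/]+)/?(?P<path>.*)$"
)


def build_policy(principal_id, effect, resource):
    """Return the authorizer response in the exact shape API Gateway parses.

    Top-level keys are camelCase; the IAM policy keys inside are
    capitalized. Any other casing yields 'Could not parse policy'.
    """
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": effect,
                    "Action": "execute-api:Invoke",
                    "Resource": resource,
                }
            ],
        },
    }


def lookup_principal(token):
    """Constant-time comparison of the presented token against the store."""
    for known, principal in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return principal
    return None


def lambda_handler(event, context=None):
    """Lambda entry point for a TOKEN authorizer."""
    token = event.get("authorizationToken") or ""
    match = METHOD_ARN_RE.match(event["methodArn"])
    if match is None:
        # A raised 'Unauthorized' is mapped by API Gateway to HTTP 401.
        raise Exception("Unauthorized")
    principal = lookup_principal(token)
    if principal is None:
        # Explicit Deny (HTTP 403). API Gateway caches the result per token,
        # so an unknown token is rejected quickly on repeat calls.
        return build_policy("anonymous", "Deny", event["methodArn"])
    # Allow only the calling API and stage. The cached policy is reused for
    # every route the same token hits, so the verb and path are wildcarded
    # within that stage rather than pinned to the single route tested.
    scoped = "arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/*/*".format(
        **match.groupdict()
    )
    return build_policy(principal, "Allow", scoped)


REQUIRED_TOP = {"principalId", "policyDocument"}
REQUIRED_STATEMENT = {"Effect", "Action", "Resource"}


def validate_authorizer_response(resp):
    """Check the key casing API Gateway expects. Returns a list of problems;
    an empty list means the response will parse."""
    problems = ["missing top-level key %r" % k for k in sorted(REQUIRED_TOP - set(resp))]
    doc = resp.get("policyDocument")
    if not isinstance(doc, dict):
        return problems
    if doc.get("Version") != "2012-10-17":
        problems.append("policyDocument.Version must be '2012-10-17' (key is case-sensitive)")
    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        problems.append("policyDocument.Statement must be a non-empty list (key is case-sensitive)")
        return problems
    for i, stmt in enumerate(stmts):
        for k in sorted(REQUIRED_STATEMENT - set(stmt)):
            problems.append("Statement[%d] missing key %r" % (i, k))
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append("Statement[%d].Effect must be Allow or Deny" % i)
    return problems
```

Running validate_authorizer_response over the lower-cased document from the question's log reports both the missing Version and the missing Statement keys, which is exactly what API Gateway's "Could not parse policy" message is hiding; running it over lambda_handler's own output returns an empty list. Whatever language the handler is written in, serialize the response once locally and run a check like this in a unit test, so a serializer that renames or lower-cases fields is caught before deployment.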
