Question

我正在尝试通过AWS API Gateway的自定义授权程序授权API调用，
这基本上是一个自定义的lambda函数，它接受以下格式的以下标题 -

{
    "authorizationToken": "0c34ba00bde34200b383abe22bcfef96",
    "methodArn": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
    "type": "TOKEN"
}

并希望以下列格式进行回复 -

{
  "principalId": "xxxxxxx", // the principal user identification associated with the token send by the client
  "policyDocument": { // example policy shown below, but this value is any valid policy
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "execute-api:Invoke"
        ],
        "Resource": [
          "arn:aws:execute-api:us-east-1:xxxxxxxxxxxx:xxxxxxxx:/test/*/mydemoresource/*"
        ]
      }
    ]
  }
}

我可以使用authorizationToken执行内部逻辑，并验证函数是否应该响应＆＃34;允许＆＃34;或＆＃34;拒绝＆＃34;政策下，
但是当我尝试从控制台测试Authorizer时，我收到了解析错误以下是我的请求日志 -

Execution log for request test-request
Thu Jun 29 11:48:10 UTC 2017 : Starting authorizer: 1o3dvk for request: test-request
Thu Jun 29 11:48:10 UTC 2017 : Incoming identity: **************************cfef96
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request URI: https://lambda.ap-southeast-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:ap-southeast-1:855399270504:function:um_guestSessionAuthoriser/invocations
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request headers: {x-amzn-lambda-integration-tag=test-request, Authorization=*********************************************************************************************************************************************************************************************************************************************************************************************************************************************751e60, X-Amz-Date=20170629T114810Z, x-amzn-apigateway-api-id=z6t3cv0z4m, X-Amz-Source-Arn=arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/authorizers/1o3dvk, Accept=application/json, User-Agent=AmazonAPIGateway_z6t3cv0z4m, X-Amz-Security-Token=FQoDYXdzEHQaDOcIbaPscYGsl1wF4iLBAxzOTpZlR2r3AO3g96xwhRuQjEhU9OjOaRieBWQPeosNqv53aGKnBTT2CmkrVzHo3UqOdT1eakuS7tAXAbEcUIHVheWpBnvxqTkaPcknRL7QE79RSqVeryoXo2R1Kmk0Q9Iq+JGFlOJYQQJqvY/hcUg189xqbpTGrhZjcA+pjuSp+M9D97Kce0VP0e3peu/YvON0eGvUlj59MAJAwGVPIzplMKTDFrFg5NKEj79RSxNrNE8y4bAebOwlD8xLv649Zny7++xlMBBwHqMNHu3K9lFXSnKY9DHf6kvezZmpoFB2uu8WbrpInH0eQ/bIAd [TRUNCATED]
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request body after transformations: {"type":"TOKEN","methodArn":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","authorizationToken":"0c34ba00bde34200b383abe22bcfef96"}
Thu Jun 29 11:48:10 UTC 2017 : Sending request to https://lambda.ap-southeast-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:ap-southeast-1:855399270504:function:um_guestSessionAuthoriser/invocations
Thu Jun 29 11:48:21 UTC 2017 : Authorizer result body before parsing: {"principalId":"user","policyDocument":{"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]}}
Thu Jun 29 11:48:21 UTC 2017 : Execution failed due to configuration error: Could not parse policy: {"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]}
Thu Jun 29 11:48:21 UTC 2017 : AuthorizerConfigurationException

我在Lambda函数上使用Java，我使用PoJo类（setter-getter类）构建并返回策略
在美化了lambda响应后，我的策略如下所示 -

{
    "principalId": "user",
    "policyDocument": {
        "version": "2012-10-17",
        "statement": [{
            "resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
            "action": "execute-api:Invoke",
            "effect": "Allow"
        }]
    }
}

我想知道为什么它无法解析我的回复？ 根据建议，我试图将响应IAM政策大写，
我使用了@SerializedName导入的com.google.gson.annotations.SerializedName，并且能够获得以下输出 -

{
    "principalId": "user",
    "policyDocument": {
        "version": "2012-10-17",
        "statement": [{
            "effect": "Deny",
            "action": ["execute-api:Invoke"],
            "resource": ["arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/"]
        }]
    }
}

但看起来我的lambda响应和API网关之间发生了一些奇怪的事情这些变量在某处变得内部较低，
我仍然得到相同的解析错误，
是否可以接受其他格式的回复？弦也不起作用。

我还应该尝试什么？我的政策格式错了吗？ 我从这些网站获得了两种不同的政策格式 -
1. http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
2. https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/

Answer 1

您的政策属性需要适当的大写。而不是：

{
    "principalId": "user",
    "policyDocument": {
        "version": "2012-10-17",
        "statement": [{
            "resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
            "action": "execute-api:Invoke",
            "effect": "Allow"
        }]
    }
}

应该是：

{
    "principalId": "user",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
            "Action": "execute-api:Invoke",
            "Effect": "Allow"
        }]
    }
}

不妨使用＆＃34; PrincipalId＆＃34;保持一致。

Answer 2

克里斯，您的答案几乎是正确的。 Version，Statement，Resource，Action和Effect必须大写，但要注意policyDocument和principalId

正确的响应应如下所示：

{
  "principalId": "yourUserId",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:eu-west-1:0123456878910:g3ttos57v5/live/PUT/your/resource/*"
      }
    ]
  }
}

AWS API网关自定义授权者lambda

2 个答案: