confused about apigateway authorization

[autohandle]

i created a template using helloworld & i created 2 functions:

get /auth
get /noauth

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  AuthNoauth

  Sample SAM Template for AuthNoauth


Globals:
  Function:
    Timeout: 20

Resources:
  HelloAuthWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello_world/
      Handler: app.lambda_handler
      Runtime: python3.8
      Events:
        HelloWorld:
          Type: Api 
          Properties:
            RestApiId: !Ref TheApiGateway
            Path: /auth
            Method: get
            Auth:
              Authorizer: CustomAuthorizer
  HelloNoAuthWorldFunction:
    Type: AWS::Serverless::Function 
    Properties:
      CodeUri: hello_world/
      Handler: app.lambda_handler
      Runtime: python3.8
      Events:
        HelloWorld:
          Type: Api
          Properties:
            RestApiId: !Ref TheApiGateway
            Path: /noauth
            Method: get

i made an api gateway with a custom authorizer:

TheApiGateway:
    Type: 'AWS::Serverless::Api'
    Properties:
      StageName: Prod
      Auth:
#        DefaultAuthorizer: CustomAuthorizer
        Authorizers:
          CustomAuthorizer:
            FunctionArn: !GetAtt AuthFunction.Arn
AuthFunction:
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: hello_world/
    Handler: app.lambda_handler
    Runtime: python3.8

this worked and i can see the authorizer on the Amazon API Gateway screen

then i added a DefinitionBody to the api gateway:

  TheApiGateway:
    Type: 'AWS::Serverless::Api'
    Properties:
      StageName: Prod
      Auth:
#        DefaultAuthorizer: CustomAuthorizer
        Authorizers:
          CustomAuthorizer:
            FunctionArn: !GetAtt AuthFunction.Arn
      DefinitionBody:
        Fn::Transform:
          Name: AWS::Include
          Parameters:
            Location: openapi.yaml

and created an openapi for the endpoints

openapi: "3.0.2"
info:
  title: AuthNoAuth API
  version: "1.0"

paths:
  /auth:
    get:
      security:
        - ApiKeyAuth: []
      responses:
        '200':
          description: OK
      x-amazon-apigateway-integration:
        uri:
          Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${HelloAuthWorldFunction.Arn}/invocations
        responses:
          default:
            statusCode: "200"
        passthroughBehavior: "when_no_match"
        httpMethod: "POST"
        contentHandling: "CONVERT_TO_TEXT"
        type: "aws_proxy"
  /noauth:
    get:
      responses:
        '200':
          description: OK
      x-amazon-apigateway-integration:
        uri:
          Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${HelloNoAuthWorldFunction.Arn}/invocations
        responses:
          default:
            statusCode: "200"
        passthroughBehavior: "when_no_match"
        httpMethod: "POST"
        contentHandling: "CONVERT_TO_TEXT"
        type: "aws_proxy"

components:
  securitySchemes:
    ApiKeyAuth:
      name: Authorization
      type: apiKey
      in: header
      "x-amazon-apigateway-authtype": "CUSTOM"
      "x-amazon-apigateway-authorizer":
        "authorizerUri":
          Fn::Sub: "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthFunction.Arn}/invocations"
        "authorizerResultTtlInSeconds": 300
        "type": "token"

but, when i (re)visit the api gateway console, the authorizer is gone:

actually, it seems to be controlled by the DefaultAuthorizer in the 'AWS::Serverless::Api', if the default is on, they both have an authorizer and if it is commented out, neither does.

[autohandle]

[autohandle]

ok, i got it

  TheApiGateway:
    Type: 'AWS::Serverless::Api'
    Properties:
      StageName: Prod
      Auth:
#        DefaultAuthorizer: CustomAuthorizer
        Authorizers:
          CustomAuthorizer:
            FunctionArn: !GetAtt AuthFunction.Arn
      DefinitionBody:
        Fn::Transform:
          Name: AWS::Include
          Parameters:
            Location: openapi.yaml

the “Authorizers:” name (CustomAuthorizer) in the template for AWS::Serverless::Api has to match the authorizer name in the openapi spec for the path:

paths:
  /auth:
    get:
      security:
        - CustomAuthorizer: []

and in the openapi spec securitySchemes:

components:
  securitySchemes:
    CustomAuthorizer:
      name: Authorization
      type: apiKey
      in: header
      "x-amazon-apigateway-authtype": "CUSTOM"
      "x-amazon-apigateway-authorizer":
        "authorizerUri":
          Fn::Sub: "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthFunction.Arn}/invocations"
        "authorizerResultTtlInSeconds": 300
        "type": "token"

[autohandle]

so, that still leaves me with one question: why does DefaultAuthorizer seem to override everything?

[autohandle]

and is there some clever way to copy the name that needs to be repeated from the sam template into the openapi spec?

[autohandle]

ok, so i think i figured out the DefaultAuthorizer. if it is used in the template for the api gateway:

TheApiGateway:
  Type: 'AWS::Serverless::Api'
  Properties:
    StageName: Prod
    Auth:
      DefaultAuthorizer: CustomAuthorizer
      Authorizers:
        CustomAuthorizer:
          FunctionArn: !GetAtt AuthFunction.Arn
    DefinitionBody:
      Fn::Transform:
        Name: AWS::Include
        Parameters:
          Location: openapi.yaml

then, for noauth endpoints, in BOTH the template

HelloNoAuthWorldFunction:
  Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
  Properties:
    CodeUri: hello_world/
    Handler: app.lambda_handler
    Runtime: python3.8
    Events:
      HelloWorld:
        Type: Api
        Properties:
          RestApiId: !Ref TheApiGateway
          Path: /noauth
          Method: get
          Auth:
            Authorizer: NONE

and the openapi, the security must be NONE

/noauth:
  get:
    security:
      - NONE: [ ]
    responses:
      '200':
        description: OK
    x-amazon-apigateway-integration:
      uri:
        Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${HelloNoAuthWorldFunction.Arn}/invocations
      responses:
        default:
          statusCode: "200"
      passthroughBehavior: "when_no_match"
      httpMethod: "POST"
      contentHandling: "CONVERT_TO_TEXT"
      type: "aws_proxy"

[autohandle]

so, i still have a problem, https://editor.swagger.io/ gives this openapi a syntax error:

/noauth:
  get:
    security:
      - NONE: [ ]

but, it likes this syntax:

/noauth:
  get:
    security:[ ]

however, with the 2nd syntax & a DefaultAuthorizer in the template, every endpoint gets the default Authorizer

[pflorek]

@autohandle Thank you! Your findings helped a lot 🚀

[thomasklinger1234]

@autohandle Thank you! You saved @pflorek and me a lot of debugging and googling ❤️

[AljoschaDembowsky2909]

@autohandle Thank you! You made our day 🔥

[GavinZZ]

Hi thanks for the deep dive. We have recently also noticed that there's a bug when users are using AWS::Serverless::Function's Api event source along with an explicitly defined AWS::Serverless::Api with DefinitionBody property. When the above condition is met, it would ignore the Authorizer, ApiKeyRequired, UsagePlan property defined in the SAM Function event source Auth property.

We've introduced a fix to this problem by specifying OverrideApiAuth. See example:

MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      ......
      Events:
        MyApiEvent:
          Type: Api
          Properties:
            RestApiId:
              Ref: MyApi
            Method: get
            Auth:
              Authorizer: NONE
              OverrideApiAuth: true  # this is the new property