Hey everyone! I'm creating rest apis via `awsx` an...
# aws
f
Hey everyone! I'm creating rest apis via `awsx` and have run into a major roadblock trying to enable IAM authorization on my methods. The documentation seems to have extensive support for token auth, lambda auth, and api key auth - however doesn't seem to have much detail in the way of IAM auth. After doing a lot of documentation and library digging, I've found that the `AWS_IAM` string can be specified on the `aws.apigateway.Method` resource, however when using `awsx` a lot of this wiring and resource generation happens behind the scenes, so I'm unable to get the method (since I don't know the id and the resource isn't accounted for anywhere in the output or UI to my knowledge), and unable to create a new method since the path is already in use. Any help on the matter would be greatly appreciated!
So I've found that `awsx.apigateway.API` generates a swagger string that contains all of the path information. Does anyone know if there's a way to write some additional data to this method before it sends off?
m
`restApiArgs?`
there is also `aws.apigateway.MethodSettings`
example:
```typescript
const methodSettings = new aws.apigateway.MethodSettings(`${appName}-api-method-settings`, {
  methodPath: "*/*",
  restApi: app.restAPI.id,
  settings: {
    loggingLevel: "INFO",
    metricsEnabled: true,
  },
  stageName: app.stage.stageName,
}, {
  parent: app,
});
```
f
Looking through the `restApiArgs` was the first thing I tried. There are inputs for `apiKeySource` and `policy`, however even when setting proper access controls for the `policy`, if the method doesn't have `AWS_IAM` enabled, the route is inaccessible. `apiKeySource` unfortunately doesn't handle anything IAM related. I thought the `MethodSettings` might have something too, but after playing around with it and going through the documentation it looks like it handles things like logging and throttling rather than authorization. The flag is definitely on the `Method` resource, however since `awsx` creates a swagger json string to handle the api configuration, there aren't any accessible resources to fetch to my knowledge and patch it up in a roundabout fashion. The necessary addition would be in `@pulumi/awsx/apigateway/api.js`. There's a `createSwaggerSpec` function that pulls in all the parameters from `awsx.apigateway.API` and transforms them into a swagger string. Specifically this function would need to set a `"x-amazon-apigateway-auth"` attribute for each route. This attribute specifies the authentication type. Specify `"NONE"` for open access. Specify `"AWS_IAM"` to use IAM permissions. I'd be happy to open a pull request to add this functionality. In the meantime is there any way to extend this module to include this functionality? Sorry if that's sort of a dumb question.
m
Generally speaking yes… but in my [limited] experience, when I’ve hit a roadblock like this in crosswalk (`awsx`), I’ve had to move over to the `aws` package
It sounds like you were going about the right path. Looking for the aws resources that it’s orchestrating, seeing if you can pass any parameters through crosswalk that will propagate down to the orchestrated resources, or see if you can do something with the returned AWS resource components that awsx created.
f
Yeah unfortunately awsx doesn't really create many aws resources, it just compiles everything into that swagger string. Got confirmation from the pulumi team that there's no way to enable IAM auth via awsx at the moment, although from my hours of debugging it seems like the fix is pretty straightforward. I'll probably put up a pull request in a bit. In the meantime I'll just clone the awsx.apigateway.API class and add the changes myself. Thanks for spitballing some ideas with me.
👍 1