Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(apigatewayv2): WebSocket API - IAM authorizer support #21393

Merged
merged 10 commits into from
Aug 4, 2022
Merged

feat(apigatewayv2): WebSocket API - IAM authorizer support #21393

merged 10 commits into from
Aug 4, 2022

Conversation

d0z0
Copy link
Contributor

@d0z0 d0z0 commented Jul 30, 2022
edited
Loading

This adds support for AWS_IAM as Authorizer for Websocket $connect route.

The CDK supports adding IAM Authorizer as authorizationType for HttpApi, but does not support it for WebSocketApi L2 construct

IAM Authorization is covered in the docs here.

It works the same way as REST or HTTP API's where you can make an endpoint (connect route for websocket) publicly inaccessible, and setup an IAM user, and allow access using signed URL's

The above doc links back to this section which explains the AWS_IAM

This is also available from the AWS console for Websocket connect Route:

Screenshot 2022-07-30 at 17 47 51

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Jul 30, 2022

@github-actions github-actions bot added the p2 label Jul 30, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team July 30, 2022 16:46
@d0z0 d0z0 marked this pull request as draft July 31, 2022 09:34
@d0z0 d0z0 force-pushed the add-websocket-iam-authorizer branch from 52bdb92 to ad97176 Compare July 31, 2022 11:37
@d0z0 d0z0 force-pushed the add-websocket-iam-authorizer branch from a4339ca to 712562c Compare July 31, 2022 14:24
@d0z0 d0z0 marked this pull request as ready for review July 31, 2022 16:22
comcalvi
comcalvi previously requested changes Aug 1, 2022
View reviewed changes
Copy link
Contributor

@comcalvi comcalvi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand what functionality this adds. From our existing docs (the readme), it looks like this is already supported.

packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/authorizer.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/authorizer.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/authorizer.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/authorizer.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/authorizer.ts Show resolved Hide resolved
@mergify mergify bot dismissed comcalvi’s stale review August 1, 2022 17:42

Pull request has been modified.

@d0z0 d0z0 force-pushed the add-websocket-iam-authorizer branch from bcc5c5f to 64e1598 Compare August 1, 2022 17:52
@d0z0 d0z0 force-pushed the add-websocket-iam-authorizer branch from 64e1598 to dbc63f5 Compare August 1, 2022 17:55
@d0z0
Copy link
Contributor Author

d0z0 commented Aug 1, 2022

I don't understand what functionality this adds. From our existing docs (the readme), it looks like this is already supported.

Thanks for the review. I should have provided more context, I've now updated the description as well

@d0z0 d0z0 requested a review from comcalvi August 1, 2022 19:43
corymhall
corymhall previously requested changes Aug 3, 2022
View reviewed changes
Copy link
Contributor

@corymhall corymhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a minor comment on the readme and then I'm good with this

packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md Show resolved Hide resolved
@mergify mergify bot dismissed corymhall’s stale review August 4, 2022 17:44

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7177dc1
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Aug 4, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit a1a6e6c into aws:main Aug 4, 2022
josephedward pushed a commit to josephedward/aws-cdk that referenced this pull request Aug 30, 2022
@d0z0 @josephedward
feat(apigatewayv2): WebSocket API - IAM authorizer support (aws#21393)
ca58203 
This adds support for `AWS_IAM` as Authorizer for Websocket $connect route.

The CDK supports adding IAM Authorizer as `authorizationType` for `HttpApi`, but does not support it for `WebSocketApi` L2 construct

IAM Authorization is covered in the docs [here](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-control-access-iam.html). 

It works the same way as REST or HTTP API's where you can make an endpoint (connect route for websocket) publicly inaccessible, and setup an IAM user, and allow access using signed URL's

The above doc links back to [this](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html) section which explains the `AWS_IAM`

This is also available from the AWS console for Websocket connect Route:

<img width="1234" alt="Screenshot 2022-07-30 at 17 47 51" src="https://user-images.githubusercontent.com/3215958/181933570-99dc6019-8464-444f-bbc0-d1e26358b5ab.png">

---

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corymhall corymhall corymhall approved these changes

@comcalvi comcalvi Awaiting requested review from comcalvi

Assignees
No one assigned
Labels
p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@d0z0 @aws-cdk-automation @corymhall @comcalvi