Chalice Deploy - Create Custom Authorizer along with Gateway API?

[abcondas]

I'm using chalice 0.6.0 (but I don't think this is possible in the latest version either) - is it possible to get chalice deploy to create the custom authorizer, along with the rest api and lambda function? If not, then how is this supposed to work? Use chalice deploy to create the api and lambda, then create the authorizer, then go back and add the authorizer id to the route definitions and redeploy the lambda function? There must be a way to do this through chalice deploy, please advise. And if not, then let this be my official request to add this functionality as quickly as possible. Thanks!

[jamesls]

There's a PR that adds back behavior in older versions of chalice: #322

Once that PR's merged, the workflow becomes:

• Create your custom authorizer lambda function (separate from chalice).
• In your app.py, create a CustomAuthorizer and provide it as an authorizer function.

    from chalice import CustomAuthorizer

    authorizer = CustomAuthorizer(
        'MyCustomAuth', header='Authorization',
        authorizer_uri=('arn:aws:apigateway:region:lambda:path/2015-03-01'
                        '/functions/arn:aws:lambda:region:account-id:'
                        'function:FunctionName/invocations'))

    @app.route('/custom-auth', methods=['GET'], authorizer=authorizer)
    def authenticated():
        return {"secure": True}

The next step we're looking at is providing your custom authorizer as part of the chalice app so chalice would handle deploying that lambda function as well.

There's a few things we need to properly handle multiple lambda functions in a single chalice app, but it is something that's on our backlog.

[abcondas]

Is it possible to pass in the execution role that the Authorizer runs as? It's creating a default execution role right now and that's just not going to work. I'm getting pretty desperate here, I'm about a day away from abandoning chalice altogether. Thanks.

[jamesls]

There's no support for chalice creating the authorizer function right now as part of chalice deploy. This is actively being worked on now, the proposal is here: #356

Let me know if you have any feedback on the proposal.

[abcondas]

It appears as if this code is creating the authorizer (not the function itself)- it definitely is. So, given that can you alllow for the passing in of the auth execution role?

[knoxilla]

@abcondas, as an alternative, what about having chalice apply a resource policy to the function so that api gateway is capable of invoking it for authorization? Since the function has to pre-exist at this point, adding a resource permission to it might be easier to manage than creating an execution role for the authorization invocation.

[stealthycoin]

@abcondas @knoxilla im going to close this since authorizers have been implemented:

#356
4d1751d

Feel free to open another issue if there is a bug/feature request related to authorizers.