1

我试图授权虽然AWS API网关的定制授权的API调用,
这基本上是一个自定义的lambda函数这需要在以下格式 -AWS API网关自定义授权者拉姆达

{ 
    "authorizationToken": "0c34ba00bde34200b383abe22bcfef96", 
    "methodArn": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/", 
    "type": "TOKEN" 
} 

的下列头并预计在以下格式的响应 -

{ 
    "principalId": "xxxxxxx", // the principal user identification associated with the token send by the client 
    "policyDocument": { // example policy shown below, but this value is any valid policy 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
     "Effect": "Allow", 
     "Action": [ 
      "execute-api:Invoke" 
     ], 
     "Resource": [ 
      "arn:aws:execute-api:us-east-1:xxxxxxxxxxxx:xxxxxxxx:/test/*/mydemoresource/*" 
     ] 
     } 
    ] 
    } 
} 

我能够做的内在逻辑与autho rizationToken和验证功能是否应在“允许”或“拒绝”的政策回应,
但我得到一个解析错误,当我试图从控制台测试认证器,
以下是我的请求日志 -

Execution log for request test-request 
Thu Jun 29 11:48:10 UTC 2017 : Starting authorizer: 1o3dvk for request: test-request 
Thu Jun 29 11:48:10 UTC 2017 : Incoming identity: **************************cfef96 
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request URI: https://lambda.ap-southeast-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:ap-southeast-1:855399270504:function:um_guestSessionAuthoriser/invocations 
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request headers: {x-amzn-lambda-integration-tag=test-request, Authorization=*********************************************************************************************************************************************************************************************************************************************************************************************************************************************751e60, X-Amz-Date=20170629T114810Z, x-amzn-apigateway-api-id=z6t3cv0z4m, X-Amz-Source-Arn=arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/authorizers/1o3dvk, Accept=application/json, User-Agent=AmazonAPIGateway_z6t3cv0z4m, X-Amz-Security-Token=FQoDYXdzEHQaDOcIbaPscYGsl1wF4iLBAxzOTpZlR2r3AO3g96xwhRuQjEhU9OjOaRieBWQPeosNqv53aGKnBTT2CmkrVzHo3UqOdT1eakuS7tAXAbEcUIHVheWpBnvxqTkaPcknRL7QE79RSqVeryoXo2R1Kmk0Q9Iq+JGFlOJYQQJqvY/hcUg189xqbpTGrhZjcA+pjuSp+M9D97Kce0VP0e3peu/YvON0eGvUlj59MAJAwGVPIzplMKTDFrFg5NKEj79RSxNrNE8y4bAebOwlD8xLv649Zny7++xlMBBwHqMNHu3K9lFXSnKY9DHf6kvezZmpoFB2uu8WbrpInH0eQ/bIAd [TRUNCATED] 
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request body after transformations: {"type":"TOKEN","methodArn":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","authorizationToken":"0c34ba00bde34200b383abe22bcfef96"} 
Thu Jun 29 11:48:10 UTC 2017 : Sending request to https://lambda.ap-southeast-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:ap-southeast-1:855399270504:function:um_guestSessionAuthoriser/invocations 
Thu Jun 29 11:48:21 UTC 2017 : Authorizer result body before parsing: {"principalId":"user","policyDocument":{"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]}} 
Thu Jun 29 11:48:21 UTC 2017 : Execution failed due to configuration error: Could not parse policy: {"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]} 
Thu Jun 29 11:48:21 UTC 2017 : AuthorizerConfigurationException 

我的lambda函数使用Java和我已经建立和使用AA POJO类(setter方法的getter类)
美化拉姆达响应我的政策看起来像如下后返回的政策 -

{ 
    "principalId": "user", 
    "policyDocument": { 
     "version": "2012-10-17", 
     "statement": [{ 
      "resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/", 
      "action": "execute-api:Invoke", 
      "effect": "Allow" 
     }] 
    } 
} 

我想知道为什么它不能解析我的回应?
按劝我试图利用响应IAM策略,
我用com.google.gson.annotations.SerializedName进口@SerializedName,并能得到下面的输出 -

{ 
    "principalId": "user", 
    "policyDocument": { 
     "version": "2012-10-17", 
     "statement": [{ 
      "effect": "Deny", 
      "action": ["execute-api:Invoke"], 
      "resource": ["arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/"] 
     }] 
    } 
} 

但它看起来像一个很奇怪的之间发生的我的lambda响应和API网关,
变量正在内部降低到某个地方,
而且我仍然得到相同的解析错误,
它是否接受响应我ñ其他格式?字符串也没有工作。

我还应该尝试什么?我的政策格式错了吗?
我有两个不同的策略格式从这些网站 -
1. http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
2. https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/

回答

4

你的策略属性需要适当的资本。相反的:

{ 
    "principalId": "user", 
    "policyDocument": { 
     "version": "2012-10-17", 
     "statement": [{ 
      "resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/", 
      "action": "execute-api:Invoke", 
      "effect": "Allow" 
     }] 
    } 
} 

应该是:

{ 
    "principalId": "user", 
    "PolicyDocument": { 
     "Version": "2012-10-17", 
     "Statement": [{ 
      "Resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/", 
      "Action": "execute-api:Invoke", 
      "Effect": "Allow" 
     }] 
    } 
} 

还不如用 “PrincipalId”,以保持一致性。

相关问题