I am using Claudia-api-builder to create and deploy the. https://github.com/claudiajs/example-projects/tree/master/custom-authorizers
My AWS custom authorizer looks like this :
let jwtDecode = require('jwt-decode');
var generatePolicy = function (authToken, methodArn) {
'use strict';
var tmp = methodArn.split(':'),
apiGatewayArnTmp = tmp[5].split('/'),
awsAccountId = tmp[4],
region = tmp[3],
restApiId = apiGatewayArnTmp[0],
stage = apiGatewayArnTmp[1];
let group = jwtDecode(authToken)["cognito:groups"];
if (group[0] === 'Admin') {
return {
'principalId': authToken.split('-')[0],
'policyDocument': {
'Version': '2012-10-17',
'Statement': [{
'Effect': 'Allow',
'Action': [
'execute-api:Invoke'
],
'Resource': [
'arn:aws:execute-api:' + region + ':' + awsAccountId + ':' + restApiId + '/' + stage + '/GET/citizens',
'arn:aws:execute-api:' + region + ':' + awsAccountId + ':' + restApiId + '/' + stage + '/GET/citizens/{citizenId}/personal-details'
]
}]
}
};
}
exports.auth = function testAuth(event, context, callback) {
'use strict';
console.log('got event', event);
/*
* {
* "type":"TOKEN",
* "authorizationToken":"<Incoming bearer token>",
* "methodArn":"arn:aws:execute-api:<Region id>:<Account id>:<API id>/<Stage>/<Method>/<Resource path>"
* }
*/
if (event && event.authorizationToken && event.methodArn) {
callback(null, generatePolicy(event.authorizationToken, event.methodArn));
} else {
callback('Unauthorized');
}
};
The first API from the resource is working fine, but when I am calling the 2nd API i:e :
'arn:aws:execute-api:' + region + ':' + awsAccountId + ':' + restApiId + '/' + stage + '/GET/citizens/{citizenId}/personal-details'
It is giving me 403 Forbidden with :
{
"Message": "User is not authorized to access this resource"
}
In my case, Authorization Caching is also disabled
Any solution for this issue?
The resource should not be the path of the API Gateway method.
In fact it should be the Arn of the resource. You can get this from the AWS console by performing the following:
Resources
optionGET
method underneath citizens/{citizenId}/personal-details
). Click on it.Arn
available for you.When using path based parameters any parameter is replaced by an *
so this would become the below.
'arn:aws:execute-api:' + region + ':' + awsAccountId + ':' + restApiId + '/' + stage + '/GET/citizens/*/personal-details'