Shared Lambda authorizer setup in Serverless Framework

Problem description

I am trying to create a custom Lambda authorizer that will be shared between a few different services/serverless stacks. If I understand the documentation here https://serverless.com/framework/docs/providers/aws/events/apigateway/#note-while-using-authorizers-with-shared-api-gateway, that means that I need to create a shared authorizer resource in a "common resources" service/serverless stack, and then refer to that shared authorizer from my other services. First of all: Is my understanding correct?

If my understanding is correct, my next question becomes: How do I do this? The documentation doesn’t provide a clear example for lambda authorizers, so here’s how I tried to customize it:

functions:
  authorizerFunc:
    handler: authorizer/authorizer.handler
    runtime: nodejs8.10

resources:
  Resources:
    authorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        AuthorizerResultTtlInSeconds: 0
        Name: Authorizer
        Type: REQUEST
        AuthorizerUri: ???
        RestApiId:
          Fn::ImportValue: myRestApiId
I don’t understand what the syntax for AuthorizerUri is supposed to be. I’ve tried "Ref: authorizerFunc", "Fn::GetAtt: [authorizerFunc, Arn]" etc. to no avail.

When I get the authorizerUri working, do I just add an Output for my authorizer resource, then Fn::ImportValue it from the services containing my API Lambdas?

Link to my question on the Serverless forum for posterity: https://forum.serverless.com/t/shared-lambda-authorizer/6447

Recommended answer

Apparently my answer is now outdated. For newer versions of servicestack, see the other answers. I don't know which answer is best/most up-to-date, but if someone lets me know I'll change which answer is accepted to that one.

I eventually got it to work, so here's how I set up my authorizer's serverless.yml:

service: user-admin-authorizer

custom:
  region: ${file(serverless.env.yml):${opt:stage}.REGION}

provider:
  name: aws
  region: ${self:custom.region}

functions:
  authorizer:
    handler: src/authorizer.handler
    runtime: nodejs8.10

resources:
  Resources:
    Authorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        Name: Authorizer
        Type: REQUEST
        AuthorizerUri:
          Fn::Join: [ "",
            [
              "arn:aws:apigateway:",
              "${self:custom.region}",
              ":lambda:path/",
              "2015-03-31/functions/",
              Fn::GetAtt: ["AuthorizerLambdaFunction", "Arn" ],
              "/invocations"
            ]]
        RestApiId:
          Fn::ImportValue: api-gateway:${opt:stage}:rest-api-id
    apiGatewayLambdaPermissions:
      Type: AWS::Lambda::Permission
      Properties:
        FunctionName:
          Fn::GetAtt: [ AuthorizerLambdaFunction, Arn]
        Action: lambda:InvokeFunction
        Principal:
          Fn::Join: [ "",
          [
            "apigateway.",
            Ref: AWS::URLSuffix
          ]]

  Outputs:
    AuthorizerRef:
      Value:
        Ref: Authorizer
      Export:
        Name: authorizer-ref:${opt:stage}

Things to note: Even though the authorizer function is called "authorizer", you need to capitalize the first letter and append "LambdaFunction" to its name when using it with GetAtt, so "authorizer" becomes "AuthorizerLambdaFunction" for some reason. I also had to add the lambda permission resource.

The API gateway resource also needs two outputs, its API ID and its API root resource ID. Here's how my API gateway's serverless.yml is set up:

resources:
  Resources:
    ApiGateway:
      Type: AWS::ApiGateway::RestApi
      Properties:
        Name: ApiGateway

  Outputs:
    ApiGatewayRestApiId:
      Value:
        Ref: ApiGateway
      Export:
        Name: api-gateway:${opt:stage}:rest-api-id
    ApiGatewayRestApiRootResourceId:
      Value:
        Fn::GetAtt:
          - ApiGateway
          - RootResourceId
      Export:
        Name: api-gateway:${opt:stage}:root-resource-id

Now you just need to specify to your other services that they should use this API gateway (the imported values are the outputs of the API gateway):

provider:
  name: aws
  apiGateway:
    restApiId:
      Fn::ImportValue: api-gateway:${opt:stage}:rest-api-id
    restApiRootResourceId:
      Fn::ImportValue: api-gateway:${opt:stage}:root-resource-id

After that, the authorizer can be added to individual functions in this service like so:

          authorizer:
            type: CUSTOM
            authorizerId:
              Fn::ImportValue: authorizer-ref:${opt:stage}
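
The `AWS::Lambda::Permission` in the authorizer stack above names only the API Gateway service principal, so the grant is not tied to any one API. A tighter variant, added here as an example and not part of the original answer, adds a `SourceArn` limited to this authorizer on the imported REST API. It reuses the answer's resource and export names and assumes the standard `arn:<partition>:execute-api:<region>:<account>:<rest-api-id>/authorizers/<authorizer-id>` format:

```yaml
# Added example: replaces apiGatewayLambdaPermissions in the authorizer
# service's serverless.yml. Resource and export names are the answer's own.
resources:
  Resources:
    apiGatewayLambdaPermissions:
      Type: AWS::Lambda::Permission
      Properties:
        FunctionName:
          Fn::GetAtt: [AuthorizerLambdaFunction, Arn]
        Action: lambda:InvokeFunction
        Principal:
          Fn::Join: ["", ["apigateway.", Ref: AWS::URLSuffix]]
        # Only this authorizer on the shared REST API may invoke the function.
        SourceArn:
          Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - ":execute-api:"
              - Ref: AWS::Region
              - ":"
              - Ref: AWS::AccountId
              - ":"
              - Fn::ImportValue: api-gateway:${opt:stage}:rest-api-id
              - "/authorizers/"
              - Ref: Authorizer
```

With this in place, an invocation arriving from a different REST API, or from another account's API Gateway, no longer matches the function's resource policy.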
