API Gateway returning 403 - Forbidden


Problem description

I have an API Gateway with an endpoint that is fulfilled by AWS Lambda proxy integration. I have also configured a custom authorizer for this endpoint. I am seeing an issue where the first request that I make to this endpoint is successful, but additional calls will fail; I get a 403 - Forbidden error. If I wait a while, I can make another request that succeeds but then I start seeing the same problem.

Here's my code for the authorizer:

const jwt = require('jsonwebtoken');

exports.authorizer = async function (event, context) {
  // Strip the "Bearer " prefix from the Authorization header value.
  const bearerToken = event.authorizationToken.slice(7);
  // NOTE: jwt.decode() only parses the token; it does NOT verify the signature
  // or expiry, so any caller can mint a token with an arbitrary "sub".
  // { complete: true } is needed for decode() to return { header, payload, signature };
  // without it the call returns the payload object directly.
  const { payload } = jwt.decode(bearerToken, { complete: true });
  return {
    principalId: payload.sub,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{
        Action: 'execute-api:Invoke',
        Effect: 'Allow',
        // Scoped to the exact method/resource ARN of the current request.
        Resource: event.methodArn,
      }],
    },
  };
};

In the API Gateway logs for this endpoint I can see that the authorizer is returning Allow but I can still see that the authorization fails:

(50ac5f87-e152-4933-a797-63d84a528f61) The client is not authorized to perform this operation.

Does anyone know how or why this could happen?

Recommended answer

The problem I think is in the response your authorizer is sending back. In your policy document you can see you are returning Resource: event.methodArn.

This would typically work, provided that your authorizer is not caching the response from your custom authorizer (this is on by default). The problem you're experiencing arises when you make a request to API Gateway and get back a cached authorizer response that doesn't match the requested ARN of the current request. This post explains more about how Lambda authorizers work, including caching.

You can verify that this is the problem by going into the AWS console and disabling caching for your custom authorizer; once you do this you should no longer experience this problem.

So how can you fix this long term? There are a couple of options:

Disable caching: This is the simplest solution. The downside is that you're now invoking your authorizer with every request which will introduce more latency into your API.

Return a broader policy: This is the best solution, but more complicated. There are a couple of options here; you can return multiple Allow policies in your authorizer response that apply to any endpoint that uses this authorizer.

If you look at the format of an authorizer request you'll see that the methodArn is in the following format:

{
    "type":"TOKEN",
    "authorizationToken":"{caller-supplied-token}",
    "methodArn":"arn:aws:execute-api:{regionId}:{accountId}:{appId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]"
}

So you're probably returning something like this for the methodArn:

arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/GET/my-resource/e56bde3c-7c77-46c6-bdf0-ab4a8cb5f5ca

A broader policy that would apply to any resource for this endpoint would be:

arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/GET/my-resource/*

If you have multiple endpoints that use this same authorizer, then you can return multiple policies:

{
  "principalId": "user",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/GET/my-resource/*"
      },
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/POST/my-resource"
      }
    ]
  }
}
