Missing Authentication Token on Unauthenticated Method

Problem description

I have the following Terraform for setting up a CORS method for my API on API Gateway:

resource "aws_api_gateway_method" "default" {
  rest_api_id   = "${var.rest_api_id}"
  resource_id   = "${var.resource_id}"
  http_method   = "OPTIONS"
  authorization = "NONE"
}

resource "aws_api_gateway_method_response" "default" {
  rest_api_id = "${var.rest_api_id}"
  resource_id = "${var.resource_id}"
  http_method = "${aws_api_gateway_method.default.http_method}"
  status_code = "200"

  response_parameters = {
    "method.response.header.Access-Control-Allow-Headers" = true,
    "method.response.header.Access-Control-Allow-Methods" = true,
    "method.response.header.Access-Control-Allow-Origin"  = true,
  }
}

resource "aws_api_gateway_integration" "default" {
  rest_api_id          = "${var.rest_api_id}"
  resource_id          = "${var.resource_id}"
  http_method          = "${aws_api_gateway_method.default.http_method}"
  type                 = "MOCK"
  passthrough_behavior = "WHEN_NO_MATCH"

  request_templates {
    "application/json" = "{ \"statusCode\": 200 }"
  }
}

resource "aws_api_gateway_integration_response" "default" {
  rest_api_id = "${var.rest_api_id}"
  resource_id = "${var.resource_id}"
  http_method = "${aws_api_gateway_method.default.http_method}"
  status_code = "${aws_api_gateway_method_response.default.status_code}"

  response_parameters = {
    "method.response.header.Access-Control-Allow-Headers" = "'${join(",", var.allow_headers)}'",
    "method.response.header.Access-Control-Allow-Methods" = "'${join(",", var.allow_methods)}'",
    "method.response.header.Access-Control-Allow-Origin"  = "'${var.allow_origin}'",
  }
}

My variables are defined as:

variable "allow_headers" {
  type = "list"
  default = ["Content-Type", "X-Amz-Date", "Authorization", "X-Api-Key", "X-Amz-Security-Token", "X-Requested-With"]
}

variable "allow_methods" {
  type = "list"
  default = ["*"]
}

variable "allow_origin" {
  default = "*"
}

variable "resource_id" {
  description = "The API Gateway Resource id."
}

variable "rest_api_id" {
  description = "The API Gateway REST API id."
}

When I use the API Gateway web console to test the endpoint, it works as expected:

However, when I try to curl the endpoint, I get a 403:

$ curl -is -X OPTIONS https://api.naftuli.wtf/echo.json
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 42
Connection: keep-alive
Date: Fri, 23 Feb 2018 20:45:09 GMT
x-amzn-RequestId: 70089d6b-18da-11e8-9042-c3baac8eebde
x-amzn-ErrorType: MissingAuthenticationTokenException
X-Cache: Error from cloudfront
Via: 1.1 5a582ba7fbecfc5948507c13d8d2078a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: VB2j87V6_wfSqXkyIPeqz8vjdDF5vBIi0DsJmIAn8kgyIjSAfkcf7A==

{"message":"Missing Authentication Token"}

The method is clearly configured with authorization = "NONE" and I can trigger it from the API Gateway console without issue.

How can I allow access to this method? I feel like I've done all that I can.

Recommended answer

TL;DR After every new resource/method added/changed, you must create a new deployment.

Terraform creates the deployment once and never updates it because none of its data changes. I have found a workaround to this:

resource "aws_api_gateway_stage" "default" {
  stage_name = "production"
  rest_api_id = "${aws_api_gateway_rest_api.default.id}"
  deployment_id = "${aws_api_gateway_deployment.default.id}"

  lifecycle {
    # a new deployment needs to be created on every resource change so we do it outside of terraform
    ignore_changes = ["deployment_id"]
  }
}

I tell the stage to ignore the deployment_id property so that Terraform won't show changes where there aren't any.

In order to create a new deployment, I simply added this command to my Makefile deploy target:

# $$ escapes the dollar sign so the shell, not make, performs the command substitution
deploy:
	terraform apply -auto-approve
	aws apigateway create-deployment \
		--rest-api-id $$(terraform output -json | jq -r .rest_api_id.value) \
		--stage-name $$(terraform output -json | jq -r .stage_name.value)

This creates a new deployment of my REST API for the given stage.

I am sure there are better ways of maybe doing this entirely in Terraform, but they elude me at the moment.
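
The stale-deployment condition described in this answer can be checked before anyone hits a 403. The following is an added example, not code from the original question or answer: it compares the methods in the current API definition with those in the deployed stage snapshot. The two JSON samples are constructed, shaped like the output of `aws apigateway get-resources --embed methods` and the Swagger document written by `aws apigateway get-export`; all function names are hypothetical.

```python
import json

# Constructed sample: shape of `aws apigateway get-resources --embed methods`
# (the editable API definition, which the console "Test" button exercises).
DEFINED = json.loads("""
{"items": [
  {"id": "abc123", "path": "/"},
  {"id": "def456", "path": "/echo.json",
   "resourceMethods": {"GET": {}, "OPTIONS": {}}}
]}
""")

# Constructed sample: shape of the Swagger/OpenAPI document written by
# `aws apigateway get-export` (the snapshot the stage actually serves).
DEPLOYED = json.loads("""
{"swagger": "2.0", "basePath": "/production",
 "paths": {"/echo.json": {"get": {"responses": {}}}}}
""")

ANY_KEY = "x-amazon-apigateway-any-method"  # how exports spell the ANY method


def defined_methods(resources):
    """(path, METHOD) pairs present in the current API definition."""
    return {(item["path"], method.upper())
            for item in resources.get("items", [])
            for method in item.get("resourceMethods", {})}


def deployed_methods(export):
    """(path, METHOD) pairs present in the deployed stage snapshot."""
    pairs = set()
    for path, operations in export.get("paths", {}).items():
        for key in operations:
            if key == ANY_KEY:
                pairs.add((path, "ANY"))
            elif not key.startswith("x-") and key != "parameters":
                pairs.add((path, key.upper()))
    return pairs


def undeployed(resources, export):
    """Methods defined but missing from the stage snapshot (stale deployment)."""
    return sorted(defined_methods(resources) - deployed_methods(export))


if __name__ == "__main__":
    for path, method in undeployed(DEFINED, DEPLOYED):
        print(f"{method} {path} is defined but not deployed")
```

A non-empty result from `undeployed` means the stage still serves an older snapshot and a new deployment is needed.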
