API Endpoints often require authorization permissions, e.g. only IAM users. Ideally, AWS::Serverless::Api would also support AuthorizationType available for API Gateway.
For example, using IAM user:
Events:
  Type: Api
  Properties:
    Path: /secrets
    Method: get
    AuthorizationType: AWS_IAM
Or a custom authorizer:
Events:
  Type: Api
  Properties:
    Path: /secrets
    Method: get
    AuthorizationType: CUSTOM
    Authorizer: <ARN_CUSTOM_AUTHORIZER>
Realize this may be challenging in referencing the custom authorizer function if not a function defined within the template though.
If I'm understanding you correctly, have you tried defining what you're trying to get in the console and exporting the swagger file? I've found that my SAM templates support Cognito Authorization definitions by exporting an existing API built in the console and just using it as a starting point.
Agreed, it is possible to make this work with a Swagger file, but that feels like an unnecessary step (export Swagger, modify, upload + manage separately) for something reasonably simple to configure as part of the API definition.
Thanks for the request. This is a good feature to have.
It looks like using Swagger stopped working. This was previously working:
securityDefinitions:
  authorizerFunc:
    type: "apiKey"
    name: "Authorisation"
    in: "header"
    x-amazon-apigateway-authtype: "custom"
    x-amazon-apigateway-authorizer:
      authorizerUri: "arn:aws:apigateway:ap-southeast-2:lambda:path/2015-03-31/functions/arn:aws:lambda:ap-southeast-2:00000000:function:${stageVariables.AuthorizerFunctionName}/invocations"
      authorizerResultTtlInSeconds: 300
      type: "token"
But now I get:
Errors found during import: Unable to create authorizer 'authorizerFunc': Authorizers only support Lambda function invocations.
What is the correct syntax now?
@mparaz, try nesting the authorizerUri value under a Fn::Sub element, i.e.:
authorizerUri:
  Fn::Sub: "arn:aws:apigateway:ap-southeast-2:lambda:path/2015-03-31/functions/arn:aws:lambda:ap-southeast-2:00000000:function:${stageVariables.AuthorizerFunctionName}/invocations"
I don't think the Fn::Sub will help here. That looks to be an API Gateway stage variable rather than a CloudFormation variable.
Fn::Sub together with ${stageVariables.MyVariableName}, where the variable is in the Variables section of the SAM template,
securityDefinitions:
  Authorizer:
    ...
    x-amazon-apigateway-authorizer:
      ...
      authorizerUri:
        Fn::Sub: "arn:aws:apigateway:<region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<region>:<accid>:function:${stageVariables.MyVariableName}/invocations"
      ...
...
Variables:
  MyVariableName: !ImportValue MyImportedValue
does not seem to work for me in an inline swagger file and fails with the following error:
Status: FAILED. Reason: Template error: instance of Fn::Sub references invalid resource attribute stageVariables.MyVariableName.
Could someone confirm that this should work? Or maybe there is another way to access these variables with an inline swagger spec?
It's happening! #248
Whew, I spent most of the day trying to understand the workarounds and just checked this issue a few minutes ago! :-) Does #248 mean it will be straightforward to declare an AWS::ApiGateway::Authorizer resource with Type: "Cognito_user_pool"?
New to AWS, and I am incredibly interested in the CORS/Authorizer thing.
(As I want to build a web stack using Cognito).
@sanathkr Still don't understand what I should use for adding Authorizer to my Api Event. Where can I find any documentation about it?
What's the syntax?
@WilixLead Authorizer is not yet supported natively in SAM. #248 is parent tracking issue for all APIGW features.
You can always enable custom authorizers by explicitly defining APIs using Swagger file and including the Swagger with AWS::Serverless::Api resource - https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-authorizer.html. Check out #25 for more discussion on how this could be implemented in Swagger.
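Two things in this thread are easy to get wrong when the authorizer lives in an inline Swagger document: an `Fn::Sub` string that still contains an unescaped `${stageVariables.X}` (the "references invalid resource attribute" error above), and a method that is never given a `security` requirement, so the authorizer exists but protects nothing. The following check is an added example, not code from this repository or from anyone in the thread; it assumes Swagger 2.0 with the API Gateway extensions, and that a stage variable inside `Fn::Sub` is written as the CloudFormation literal escape `${!stageVariables.X}`.

```python
import re

# Lambda-invocation URI shape used by the authorizerUri values in this thread.
# Assumed shape for this example; account and function parts are kept loose.
URI_RE = re.compile(r"^arn:aws:apigateway:[\w-]+:lambda:path/2015-03-31/functions/"
                    r"arn:aws:lambda:[\w-]+:[^:/]+:function:[^/]+/invocations$")
SUB_VAR_RE = re.compile(r"\$\{(!?)([^}]+)\}")   # ${Name} or the literal escape ${!Name}

def check_authorizer_uri(uri, template_names=()):
    """Problems with one authorizerUri (plain string or {"Fn::Sub": "..."}).
    CloudFormation resolves every ${name} inside Fn::Sub itself, so a stage variable
    must be escaped as ${!stageVariables.X} to reach API Gateway as ${stageVariables.X}."""
    if isinstance(uri, dict):
        text = uri.get("Fn::Sub", "")
        problems = [f"Fn::Sub cannot resolve ${{{name}}}"
                    for bang, name in SUB_VAR_RE.findall(text)
                    if not bang and name not in template_names]
        # The value as API Gateway will see it: escapes unwrapped, template refs filled in
        text = SUB_VAR_RE.sub(lambda m: "${" + m.group(2) + "}" if m.group(1) else "ref", text)
    else:
        text, problems = uri, []
    if not URI_RE.match(text):
        problems.append("authorizerUri is not a Lambda invocation URI")
    return problems

def check_api(doc, template_names=()):
    """Problems for a Swagger 2.0 document carrying API Gateway authorizer extensions."""
    defs = doc.get("securityDefinitions", {})
    problems = []
    for name, d in defs.items():
        auth = d.get("x-amazon-apigateway-authorizer", {})
        if d.get("x-amazon-apigateway-authtype") == "custom" and "authorizerUri" in auth:
            problems += [f"{name}: {p}" for p in check_authorizer_uri(auth["authorizerUri"], template_names)]
    for path, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            sec = op.get("security") or []
            if not sec:  # no authorizer applied: the method is reachable by anyone
                problems.append(f"{method.upper()} {path}: no security requirement")
            problems += [f"{method.upper()} {path}: unknown scheme {s}" for req in sec for s in req if s not in defs]
    return problems

# Constructed sample: one unescaped and one escaped stage variable, one unprotected path
BASE = ("arn:aws:apigateway:ap-southeast-2:lambda:path/2015-03-31/functions/"
        "arn:aws:lambda:ap-southeast-2:000000000000:function:")
def _custom(uri):
    return {"type": "apiKey", "name": "Authorization", "in": "header",
            "x-amazon-apigateway-authtype": "custom",
            "x-amazon-apigateway-authorizer": {"type": "token", "authorizerUri": {"Fn::Sub": uri}}}
SAMPLE = {"securityDefinitions": {"broken": _custom(BASE + "${stageVariables.AuthorizerFunctionName}/invocations"),
                                  "fixed": _custom(BASE + "${!stageVariables.AuthorizerFunctionName}/invocations")},
          "paths": {"/secrets": {"get": {"security": [{"fixed": []}]}}, "/public": {"get": {}}}}
```

Running `check_api(SAMPLE)` reports the unresolvable `${stageVariables.AuthorizerFunctionName}` in `broken` and the missing security requirement on `GET /public`, while `fixed` and `/secrets` pass.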
I got really confused with this.
So I can create an Authorizer like this:
"MyAuthorizer": {
  "Type": "AWS::ApiGateway::Authorizer",
  "Properties": {
    "Type": "COGNITO_USER_POOLS",
    "IdentitySource": "method.request.header.Auth",
    "Name": "MyAuthorizer",
    "ProviderARNs": ["arn:aws:cognito-idp:eu-west-1:XXXXXXXXXXXX:userpool/eu-west-1_XXXXXXXXXX"],
    "RestApiId": {
      "Ref": "ServerlessRestApi"
    }
  }
}
I struggle to understand if Cognito is considered a custom authorizer or not?
And so I do understand that SAM doesn't support Authorizer in the Serverless::Function, right? Is there any workaround without writing swagger?
Thanks a lot in advance!
If you're interested in Authorizers and want to help shape the syntax, the RFC is over here https://github.com/awslabs/serverless-application-model/issues/512. I'm going to extend the RFC closure date until end of this week.
@jkahn117 @collinforrester @mparaz @demurray @WilixLead @marczis @johnbest @jaccus @lafiosca
See https://github.com/awslabs/serverless-application-model/pull/546 for recently added support