Serverless-application-model: Enable CORS options in `Api` event type

Created on 7 Apr 2018 · 15Comments · Source: aws/serverless-application-model

Description:

At the moment it seems to be possible to use the Cors options only with resources of type AWS::Serverless::Api, for which you have to create a dedicated swagger file.

I have seen pretty often people preferring to just create Lambda functions by using the type AWS::Serverless::Function and then attaching to it an event of type Api.

I was expecting the Cors option to be exposed to an Api event as well, but that's apparently not the case.

Example:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Some sample API

Resources:
  purchaseTicket:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: index.purchaseTicket
      Runtime: nodejs8.10
      Role: !GetAtt MyRole.Arn
      Events:
        Endpoint:
          Type: Api
          Properties:  # <--- No way to define Cors here!
            Path: /purchase
            Method: post

Is there something I am missing here? If this is really a missing feature, is there any plan to include support for the Cors option in the Api event type?

Personally, I think it will be very convenient to have this and I am quite sure it would lead to a more consistent Developer Experience.

Source

lmammino

👍4

Most helpful comment

@sanathkr, @jfuss : I just updated my serverless/SAM workshop to use globals and the CORS options: https://github.com/lucpod/ticketless

Maybe there are parts of it that can be reused to improve the docs. CORS is introduced in Lesson 6.

What do you guys think?

lmammino on 8 Apr 2018

👍3 ❤2 🎉2

All 15 comments

This is available. Cors is exposed on API using Globals. You can define Cors for all your APIs but not at individual API level.

sanathkr on 7 Apr 2018

👍6 🚀1

Thanks for the quick reply @sanathkr, do you have an example for this?

lmammino on 7 Apr 2018

Skip that, Just found it :) https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#globals-section

Gonna close the issue! Thanks!

lmammino on 7 Apr 2018

❤3

https://github.com/awslabs/serverless-application-model/blob/develop/examples/2016-10-31/implicit_api_settings/template.yaml

sanathkr on 7 Apr 2018

👍3

Doc update? I have been asked this question once or twice already as well.

jfuss on 7 Apr 2018

👍1

@sanathkr, @jfuss : I just updated my serverless/SAM workshop to use globals and the CORS options: https://github.com/lucpod/ticketless

Maybe there are parts of it that can be reused to improve the docs. CORS is introduced in Lesson 6.

What do you guys think?

lmammino on 8 Apr 2018

👍3 ❤2 🎉2

@lmammino Hey! I was going through your lessons. You have done a fabulous job with explaining serverless and SAM specifically. I will start a Github Issue for writing SAM User Guide and tag you. Let’s put our thoughts together to come up with a structure and potentially borrow some aspects of your docs into this user guide.

A user guide for SAM is really needed.

sanathkr on 8 Apr 2018

❤1

Just in case it might help anyone, here's a link to the AWS Startup Kit Serverless Workload, which has CORS enabled for its sample RESTful API: https://github.com/aws-samples/startup-kit-serverless-workload.

rabowskyb on 10 May 2018

❤2 🎉1 👍1

Hello!

I'm really struggling getting CORS working with my POST method.
I've attempted the SAM globals route - with no success. The OPTIONS method is created, but the headers are not added to the POSTT response.

Likewise, the longer route of manually adding a options method and post response as described here
https://docs.aws.amazon.com/apigateway/latest/developerguide/enable-cors-for-resource-using-swagger-importer-tool.html
just does not seem to work.

Happy to post examples, but wondered if anyone else had this problem?

tkeeber on 29 Oct 2018

👍6

agree with @tkeeber Global cors option is only doing half work, its still a pain to get it working.

manishgkasera on 3 Nov 2018

👍2

@tkeeber , I had a similar problem. According to here, there are actually two ways of authorizing CORS:

Via a "preflight request" to OPTIONS
Via headers on the direct response

Apparently Preflight requests aren't made on "simple requests" ("_a GET request or a POST request with form data that has no authentication_"). If you're in that bucket (as I am!), you will need to set the headers manually on your response. Here's an example where I added them manually - though if you're using Python, you may prefer this.

scubbo on 2 Jan 2019

👍2 ❤1

Same problem. I have allowed Cors on AWS::Serverless::API, but it is still not working.

MatteoGioioso on 6 Nov 2019

@MatteoGioioso Can you share your template and the exact issue you are facing? We would love to root cause the issue..

praneetap on 8 Nov 2019

@praneetap Thanks for the answer. I took another approach. I just assign these headers on my response

"Access-Control-Allow-Origin":  "*",
"Access-Control-Allow-Headers": "*",
"Access-Control-Allow-Methods": "*",

MatteoGioioso on 9 Nov 2019

This is available. Cors is exposed on API using Globals. You can define Cors for all your APIs but not at individual API level.

@sanathkr Do you think it's possible to set on an individual API level now? Else what is the best practice to handle different headers for public and private APIs? (IE. I want private APIs to have authorization header and public NOT to have authorization header. I would like to avoid two different YAML files, but that seems like one way to do it.