
AWS::ApiGatewayV2::Api - Simple WebSocket configuration throwing INVALID_API_KEY (forbidden)

I have not set up any authorization for the WebSocket, yet it throws INVALID_API_KEY.

Here is the SAM template:

##############################################################
# API GATEWAY: BrokerAuthenticateSocketApi
##############################################################
  BrokerAuthenticateSocketApi:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: !Sub "${AWS::StackName}-BrokerAuthenticateSocketApi"
      ProtocolType: WEBSOCKET
      RouteSelectionExpression: "$request.body.action"
      Tags:
        'Joba:Product': !Ref Product
        'Joba:Environment': !Ref Environment

  ApiStage: # Why would we need this: https://medium.com/@TomKeeber/aws-api-gateways-c048cec63046
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: !Ref ApiStageName
      AutoDeploy: true
      ApiId: !Ref BrokerAuthenticateSocketApi
      AccessLogSettings:
        DestinationArn: !GetAtt ApiGatewayAccessLogGroup.Arn
        Format: '{"requestTime":"$context.requestTime","requestId":"$context.requestId","routeKey":"$context.routeKey","status":$context.status,"responseLatency":$context.responseLatency,"integrationRequestId":"$context.integration.requestId","functionResponseStatus":"$context.integration.status","integrationLatency":"$context.integration.latency","integrationServiceStatus":"$context.integration.integrationStatus","ip":"$context.identity.sourceIp","userAgent":"$context.identity.userAgent","principalId":"$context.authorizer.principalId","validationErrorString":"$context.error.validationErrorString","integrationErrorMessage":"$context.integrationErrorMessage","errorMessage":"$context.error.message","errorResponseType":"$context.error.responseType"}'
      Tags:
        'Joba:Product': !Ref Product
        'Joba:Environment': !Ref Environment

  ApiAuthenticateRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref BrokerAuthenticateSocketApi
      RouteKey: authenticate
      AuthorizationType: NONE # TODO: change this for Auth0
      OperationName: AuthenticateRoute
      Target: !Join 
        - /
        - - integrations
          - !Ref ApiAuthenticateRouteIntegration

  ApiAuthenticateRouteIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref BrokerAuthenticateSocketApi
      IntegrationType: AWS
      IntegrationMethod: POST
      IntegrationUri: !Sub "arn:aws:apigateway:${AWS::Region}:states:action/StartExecution"
      CredentialsArn: !Sub "${ApiIntegrationStateMachineExecutionRole.Arn}" 
      TemplateSelectionExpression: \$default
      RequestTemplates: # see: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-mapping-template-reference.html
        "$default" : 
          Fn::Sub: >
            #set($statesInput='{"data": ' + $input.body + ',"webSocket": {"connectionId": "' + $context.connectionId + '", "domainName": "' + $context.domainName + '"}' + '}')
            #set($statesInput=$util.escapeJavaScript($statesInput).replaceAll("\\'","'"))
            { 
              "input": "$statesInput",
              "stateMachineArn": "${DownloadBrokerageNotesStateMachine}"
            }

  ApiAuthenticateRouteResponse: # https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-route-response.html
    Type: AWS::ApiGatewayV2::RouteResponse
    Properties:
      RouteId: !Ref ApiAuthenticateRoute
      ApiId: !Ref BrokerAuthenticateSocketApi
      RouteResponseKey: $default

  ApiAuthenticateRouteIntegrationResponse:
    Type: AWS::ApiGatewayV2::IntegrationResponse
    Properties: 
      ApiId: !Ref BrokerAuthenticateSocketApi
      IntegrationId: !Ref ApiAuthenticateRouteIntegration
      IntegrationResponseKey: $default

  ApiIntegrationStateMachineExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - !Sub apigateway.${AWS::Region}.amazonaws.com
      Path: "/"
      Policies:
        - PolicyName: StateMachineExecutionAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "states:StartExecution"
                Resource: !Ref DownloadBrokerageNotesStateMachine
      Tags:
        - Key: 'Joba:Product'
          Value: !Ref Product
        - Key: 'Joba:Environment'
          Value: !Ref Environment

  ApiGatewayAccessLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join [ "/", [ "joba", "apigateway", !Ref BrokerAuthenticateSocketApi, "access-logs"]]

Testing with Postman, I connect to the WebSocket successfully.

When I try to send a message (with action=authenticate, as configured in the SAM template), it returns Forbidden.

The API Gateway log shows INVALID_API_KEY:

{
"requestTime":"28/Jan/2023:22:32:34 +0000",
"requestId":"feZUdEH2oAMFe9A=",
"routeKey":"-",
"status":403,
"responseLatency":-,
"integrationRequestId":"-",
"functionResponseStatus":"-",
"integrationLatency":"-",
"integrationServiceStatus":"-",
"userAgent":"-","principalId":"-",
"validationErrorString":"-",
"integrationErrorMessage":"-",
"errorMessage":"Forbidden",
"errorResponseType":"INVALID_API_KEY"
}

Nowhere in the SAM template do I specify Authorization; in fact, I specify AuthorizationType: NONE in the AWS::ApiGatewayV2::Route.

What is wrong with my configuration?
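As an added example (not part of the question or of the template above), here is a small parser for access-log records in the Format declared on the ApiStage; it handles the unquoted "-" that $context.status and $context.responseLatency produce when empty (visible in the 403 record quoted above, which is not valid JSON) and tallies rejected frames by errorResponseType and routeKey. The sample records are constructed, modelled on that log line.

```python
import json
import re
from collections import Counter

# Constructed sample records in the exact access-log Format declared on the
# Stage above (requestIds are made up). Because $context.status and
# $context.responseLatency are unquoted in that Format, an empty value is
# rendered as a bare "-", which is not valid JSON: see the first record.
SAMPLE_LOG_RECORDS = [
    '{"requestTime":"28/Jan/2023:22:32:34 +0000","requestId":"constructed-001",'
    '"routeKey":"-","status":403,"responseLatency":-,"integrationRequestId":"-",'
    '"errorMessage":"Forbidden","errorResponseType":"INVALID_API_KEY"}',
    '{"requestTime":"28/Jan/2023:22:33:01 +0000","requestId":"constructed-002",'
    '"routeKey":"$connect","status":200,"responseLatency":12,"integrationRequestId":"-",'
    '"errorMessage":"-","errorResponseType":"-"}',
    '{"requestTime":"28/Jan/2023:22:33:05 +0000","requestId":"constructed-003",'
    '"routeKey":"authenticate","status":200,"responseLatency":148,'
    '"integrationRequestId":"constructed-int-1","errorMessage":"-","errorResponseType":"-"}',
]

# An unquoted "-" sitting where a JSON number belongs (between ':' and ',' or '}').
_BARE_DASH = re.compile(r'(?<=:)-(?=[,}])')


def parse_record(line: str) -> dict:
    """Parse one record, turning the bare '-' placeholders into JSON null first."""
    return json.loads(_BARE_DASH.sub("null", line))


def summarize_rejections(lines):
    """Tally 4xx/5xx records by (errorResponseType, routeKey).

    Reading the two fields together matters: the 403 in the question was
    logged with routeKey "-", i.e. with no route key at all, which is a
    different situation from a 403 attributed to a named route such as
    'authenticate'.
    """
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        status = rec.get("status")
        if isinstance(status, int) and status >= 400:
            counts[(rec["errorResponseType"], rec["routeKey"])] += 1
    return counts


if __name__ == "__main__":
    for (error_type, route_key), n in summarize_rejections(SAMPLE_LOG_RECORDS).items():
        print(f"{n} rejected frame(s): errorResponseType={error_type} routeKey={route_key}")
```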

It was really hard to find the error, but I did. A rather silly mistake, though I don't fully understand why it has to be this way.

