Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(apigatewayv2): incorrect arn function causing unwanted behavior #33100

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix(apigatewayv2): incorrect arn function causing unwanted behavior #33100

wants to merge 4 commits into from
+661 −47

Conversation

IkeNefcy
Copy link

@IkeNefcy IkeNefcy commented Jan 23, 2025
edited
Loading

Not opening issue since it would likely be P2 anyways.

Reason for this change

In websocket APIs in aws-apigatewayv2, the function arnForExecuteApi has essentially the same exact functionality as a REST API, which is not appropriate for Websockets which are fundamentally different.

The way I found this issue was I used arnForExecuteApi to put the arn of the api into an IAM Role. The reason for this was because I was trying to use an AIM authorizer, which from a React standpoint meant signing iam credentials from my Cognito id pool using Amplify lib. When doing this I used arnForExecuteApi from CDK to write the policy, I did not include any arguments, just the default.

The issue was that this was not working. I spent time diving deep on the issue in case it was the method in which I was signing the credentials, since I was not too familiar with this process. I also got the assistance of a Cloud Support Engineer from AWS to try and identify the problem.

Shout-out Mike Sacks.

The problem ended up being that that the resource policy was not correct. The policy that was generated by the function arnForExecuteApi was

"Resource": "arn:aws:execute-api:us-east-1:acc:apiId/*/*/*",

This is because the function itself has 3 values, stage, method and path, so when all are left in default states, this indicates all or *. So when adding each value at default you get /*/*/*, 3 x /*.

This is an issue because Websocket arns are not structured like this, and as it turns out iam prevents access if you have too many wild cards than applicable. This means the reason for getting access denied was not because of my signed url, but because having 1 extra /* means that you no longer have permissions.

Websocket arns are structured like this

arn:aws:execute-api:us-east-1:acc:apiId/*/$connect

In this example, * is the stage (this is what it shows on the console) and $connect is the route.
You can add as many routes as you want, but the main ones by default are $connect, $disconnect and $default for no matching route. So if I want to grant an IAM role to have access to all routes and all stages, I would use this:

"Resource": "arn:aws:execute-api:us-east-1:acc:apiId/*/*",

Note 2 x /* instead of 3.
Simply changing this by hand (deleting 2 characters) was enough to get the websocket to begin connecting via my signed url.

Description of changes

A re-write of the function for creating the arn

  /**
   * Get the "execute-api" ARN.
   *
   * @default - The default behavior applies when no specific route, or stage is provided.
   * In this case, the ARN will cover all routes, and all stages of this API.
   * Specifically, if 'route' is not specified, it defaults to '*', representing all routes.
   * If 'stage' is not specified, it also defaults to '*', representing all stages.
   */
  public arnForExecuteApi(route?: string, stage?: string): string {
    if (route&&!route.startsWith('$')) {
      route = `$${route}`;
    };

    return Stack.of(this).formatArn({
      service: 'execute-api',
      resource: this.apiId,
      arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
      resourceName: `${stage ?? '*'}/${route ?? '*'}`,
    });
  }

I removed "Method" and "Path" entirely since these are not even appropriate to use as terms for websockets. I used Route instead.

Description of how you validated changes

Updated Tests, there were 4 tests before:

  • get arnForExecuteApi
    • is now using route, and intentionally uses a route with no $ to check that the $ is being added correctly.
  • get arnForExecuteApi with default values
    • is now using route
  • get arnForExecuteApi with ANY method (removed)
    • doesn't make any sense here because "ANY" is not a term used with websockets, and method does not exist. Thus, removed this test
  • throws when call arnForExecuteApi method with specifing a string that does not start with / for the path argument. (removed)
    • This test is checking for a specific format for path. This could be applied to the route since you need to have the $ at the front, but since I baked this into the function to check if there is one or not, this test is not needed.

This leaves 2 total tests now.

Added a new integ function, integ.api-grant-invoke.ts and used --update-on-failed with my personal account to bootstrap new snapshots to match. For this test I included an iam role and 2 arns, one with default settings and one with
.arnForExecuteApi('connect', 'prod')
Intentionally left off the $ to check that it's being added.

All tests and integ are passing.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 23, 2025 17:00
@github-actions github-actions bot added p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Jan 23, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Jan 23, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter fails with the following errors:

❌ The title of the pull request should omit 'aws-' from the name of modified packages. Use 'apigatewayv2' instead of 'aws-apigatewayv2'.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@IkeNefcy IkeNefcy changed the title fix(aws-apigatewayv2): incorrect arn function causing unwanted behavior fix(apigatewayv2): incorrect arn function causing unwanted behavior Jan 23, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 23, 2025 17:06

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@IkeNefcy
Copy link
Author

IkeNefcy commented Jan 23, 2025
edited
Loading

err - METHOD aws-cdk-lib.aws_apigatewayv2.WebSocketApi.arnForExecuteApi: argument stage, not accepted anymore. [removed-argument:aws-cdk-lib.aws_apigatewayv2.WebSocketApi.arnForExecuteApi]
The build is marking this as a breaking change since the arguments of the function are changing. However this function wasn't working at all for Websockets before this, so it's unclear.
I'll leave it for approver to give advice on what to do in this case.

For clarity, "argument stage" mentioned is not the specific issue, stage in the old method was the 3rd argument, therefore this error should be interpreted as, breaking change due to argument count change.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: cb99fee
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@IkeNefcy
Copy link
Author

Same error, I merged to invoke a retry just in case.

@codecov Codecov
Copy link

codecov bot commented Jan 24, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.54%. Comparing base (4713bdd) to head (cb99fee).
Report is 11 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #33100   +/-   ##
=======================================
  Coverage   81.54%   81.54%           
=======================================
  Files         226      226           
  Lines       13777    13777           
  Branches     2414     2414           
=======================================
  Hits        11235    11235           
  Misses       2270     2270           
  Partials      272      272
Flag Coverage Δ
suite.unit 81.54% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 80.94% <ø> (ø)
packages/aws-cdk-lib/core 82.17% <ø> (ø)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@IkeNefcy @aws-cdk-automation