API Gateway Authoriser not invoked

Problem description

Description: >
    This template deploys an Api gateway.

Parameters:

    EnvironmentName:
        Description: An environment name that will be prefixed to resource names
        Type: String

    VPCLink:
        Description: vpc link for integration
        Type: String

    LoadBalancerListnerArn:
        Description: private endpoint
        Type: String

Resources:

    HTTPApi:
        Type: AWS::ApiGatewayV2::Api
        Properties:
            Name: !Ref EnvironmentName
            ProtocolType: HTTP

    LoadBalancerIntegration:
        Type: AWS::ApiGatewayV2::Integration
        Properties:
            ApiId: !Ref HTTPApi
            ConnectionType : VPC_LINK
            ConnectionId: !Ref VPCLink
            IntegrationType: HTTP_PROXY
            IntegrationMethod: ANY
            IntegrationUri: !Ref LoadBalancerListnerArn
            PayloadFormatVersion: 1.0

    FunctionExecutionRole:
        Type: AWS::IAM::Role
        Properties:
            AssumeRolePolicyDocument:
                Statement:
                - Effect: Allow
                  Principal:
                    Service: [lambda.amazonaws.com]
                  Action: ['sts:AssumeRole']
            ManagedPolicyArns:
                - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

    AuthorizerFunction:
        Type: AWS::Lambda::Function
        Properties:
            Handler: index.handler
            Role : !GetAtt FunctionExecutionRole.Arn
            Runtime: nodejs12.x
            Code:
                ZipFile: !Sub |
                    exports.handler = function(event,context,callback) {
                        callback("Hello");
                    }

    FunctionInvokeRole:
        Type: AWS::IAM::Role
        Properties:
            AssumeRolePolicyDocument:
                Statement:
                - Effect: Allow
                  Principal:
                    Service: [apigateway.amazonaws.com]
                  Action: ['sts:AssumeRole']
            ManagedPolicyArns:
                - arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess

    Authorizer:
        Type: AWS::ApiGatewayV2::Authorizer
        Properties:
            Name: !Sub ${EnvironmentName}-GateWayAuthorizer
            ApiId: !Ref HTTPApi
            AuthorizerCredentialsArn: !GetAtt FunctionInvokeRole.Arn
            AuthorizerPayloadFormatVersion: 2.0
            AuthorizerType: REQUEST
            AuthorizerUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthorizerFunction.Arn}/invocations"
            AuthorizerResultTtlInSeconds: 500
            EnableSimpleResponses: true
            IdentitySource:
                - $request.header.Authorization

    Route:
        Type: AWS::ApiGatewayV2::Route
        Properties:
            ApiId: !Ref HTTPApi
            RouteKey: '$default'
            AuthorizationType: CUSTOM
            AuthorizerId: !Ref Authorizer
            Target: !Join
                - /
                - - integrations
                  - !Ref LoadBalancerIntegration

    CloudWatchLogsGroup:
        Type: AWS::Logs::LogGroup
        Properties:
            LogGroupName: !Ref AWS::StackName
            RetentionInDays: 365

    Stage:
        Type: AWS::ApiGatewayV2::Stage
        Properties:
            ApiId: !Ref HTTPApi
            AutoDeploy: true
            StageName: '$default'
            AccessLogSettings:
                DestinationArn: !GetAtt CloudWatchLogsGroup.Arn
                Format: >-
                    { "requestId":"$context.requestId",
                    "ip":"$context.identity.sourceIp",
                    "requestTime":"$context.requestTime",
                    "httpMethod":"$context.httpMethod",
                    "routeKey":"$context.routeKey",
                    "status":"$context.status",
                    "protocol":"$context.protocol",
                    "responseLength":"$context.responseLength",
                    "authorizerError":"$context.authorizer.error" }

    FunctionPermission:
        Type: AWS::Lambda::Permission
        Properties:
            FunctionName: !GetAtt AuthorizerFunction.Arn
            Action: lambda:InvokeFunction
            Principal: apigateway.amazonaws.com
            SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${HTTPApi}/$default/$default"

Outputs:
    InvokeURL:
        Value: !Sub https://${HTTPApi}.execute-api.${AWS::Region}.amazonaws.com

I am trying to attach an API Gateway to a private ALB, and all of that works fine. But after attaching the authorizer to the route, the API always ends in a 401. The authorizer Lambda function is not being invoked, and the CloudWatch logs for the API Gateway access logs do not show any errors.

Solution

No effective solution to this problem has been found yet; the editor is still searching for and compiling one.
