Support Built-in Authorizer for SAM template #459

Closed
oharaandrew314 opened this issue Aug 4, 2017 · 6 comments

oharaandrew314 commented Aug 4, 2017

Currently, chalice does not let me generate a SAM template when my app includes a built-in authorizer. I get the following message when packaging my app:

SAM templates do not currently support these built-in auth handlers

It is absolutely possible to add to a sam template using swagger API Gateway Extensions. Can this be added in please?

Example Template:

  RestApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: !Ref Stage
      DefinitionBody:
        swagger: "2.0"
        ...
        paths:
          "/":
            get:
              x-amazon-apigateway-integration:
                httpMethod: POST
                type: aws_proxy
                uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${IndexFunction.Arn}/invocations
                responses: {}
              security:
                - authorizer: []
        securityDefinitions:
          authorizer:
            type: apiKey
            name: Authorization
            in: header
            x-amazon-apigateway-authtype: custom
            x-amazon-apigateway-authorizer:
              authorizerUri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthorizerFunction.Arn}/invocations
              authorizerResultTtlInSeconds: 300
              type: token

achautha commented Aug 4, 2017

I see this comment in the package.py

        # It doesn't look like SAM templates support everything
        # we need to fully support built in authorizers.
        # See: awslabs/serverless-application-model#49
        # and: https://forums.aws.amazon.com/thread.jspa?messageID=787920
        #
        # We might need to switch to low level cfn to fix this.


oharaandrew314 commented Aug 4, 2017

Despite SAM having no explicit support for it, the swagger API Gateway extensions do work. Maybe I'll come up with a POC this weekend if I can wrap my head around the chalice code.


jamesls commented Aug 4, 2017

I'd like to get this working. IIRC correctly the issue wasn't the swagger portion, which as you mention is possible, but in getting the permissions set up so that API gateway is authorized to invoke the lambda function. I might be misremembering though, it's been a while.

Let me know if you're able to get a POC working.

If it's not possible, we could just drop to AWS::Lambda and AWS::ApiGateway resources. Looking at how the SAM templates are transformed, it wouldn't be too much work to do this for chalice, and we could still keep the Transform: 'AWS::Serverless-2016-10-31' line so it'd technically still be a SAM template.


oharaandrew314 commented Aug 4, 2017

In order to get around that problem, I had to add a lambda permission to the authorizer. It gives execute permission to all gateways, but realistically, who cares? I think that if you were to restrict the permission to the api gateway being created, it would create a circular dependency.

    AuthorizerFunctionInvoationPolicy:
      Type: AWS::Lambda::Permission
      Properties:
        FunctionName: !GetAtt AuthorizerFunction.Arn
        Action: lambda:InvokeFunction
        Principal: apigateway.amazonaws.com
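
Added example (not from this thread or from the Chalice code base): a template check for the trade-off raised in the comment above. It lists Lambda permissions that name a service principal without `SourceArn`, and tests whether a variant scoped to one API's authorizers introduces a reference cycle. The template, the `AuthorizerPermission` name and the `SourceArn` pattern are constructed for illustration, and the graph follows only `Ref`, `Fn::GetAtt` and `Fn::Sub` in the pre-transform template.

```python
import re

AUTH_URI = "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthorizerFunction.Arn}/invocations"
SCOPE_ARN = "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${RestApi}/authorizers/*"

def build(scoped):
    """Constructed template (CloudFormation JSON form); scoped adds SourceArn."""
    perm = {"FunctionName": {"Fn::GetAtt": ["AuthorizerFunction", "Arn"]},
            "Action": "lambda:InvokeFunction", "Principal": "apigateway.amazonaws.com"}
    if scoped:  # limit invocation to authorizers of this one API
        perm["SourceArn"] = {"Fn::Sub": SCOPE_ARN}
    return {"Resources": {
        "AuthorizerFunction": {"Type": "AWS::Serverless::Function", "Properties": {}},
        "RestApi": {"Type": "AWS::Serverless::Api", "Properties": {"DefinitionBody": {
            "securityDefinitions": {"authorizer": {"x-amazon-apigateway-authorizer": {
                "authorizerUri": {"Fn::Sub": AUTH_URI}}}}}}},
        "AuthorizerPermission": {"Type": "AWS::Lambda::Permission", "Properties": perm}}}

def unscoped_permissions(template):
    """Logical IDs of service-principal Lambda permissions that lack SourceArn."""
    return [n for n, r in template["Resources"].items()
            if r["Type"] == "AWS::Lambda::Permission" and "SourceArn" not in r["Properties"]
            and r["Properties"].get("Principal", "").endswith(".amazonaws.com")]

def refs(node, names):
    """Logical IDs under node named by Ref, list-form Fn::GetAtt or string Fn::Sub."""
    if isinstance(node, dict):
        found = set()
        for key, val in node.items():
            if key == "Ref":
                found.add(val)
            elif key == "Fn::GetAtt":
                found.add(val[0])
            elif key == "Fn::Sub" and isinstance(val, str):
                found |= {m.split(".")[0] for m in re.findall(r"\$\{([^}]+)\}", val)}
            else:
                found |= refs(val, names)
        return found & names
    return set().union(*(refs(i, names) for i in node)) if isinstance(node, list) else set()

def has_cycle(template):
    """True if references between resources form a cycle (repeatedly peel off leaves)."""
    res = template["Resources"]
    deps = {n: refs(r["Properties"], set(res)) for n, r in res.items()}
    while deps:
        ready = [n for n, d in deps.items() if not d & set(deps)]
        if not ready:
            return True
        deps = {n: d for n, d in deps.items() if n not in ready}
    return False
```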


oharaandrew314 commented Aug 14, 2017

I have passing tests, but I've never patched a CLI app before. Do you have any suggestions on how to do a real-world test with the cli? Invoking chalice after using pip install -e . seems to keep using the non-patched cli.

@kyleknap

Added support for this in this PR: #580. Should be available in next chalice release. Closing out issue.
