Merge pull request #378 from umccr/feature/377-iam-auth-mirror-of-api

Support IAM access to APIs

data_portal/urls.py

@@ -61,6 +61,9 @@
     path('files', views.search_file, name='file-search'),
     path('file-signed-url', views.sign_s3_file, name='file-signed-url'),
     path('storage-stats', views.storage_stats, name='storage-stats'),
+    # we mirror the API surface at /iam/ - and set that path up in sls with an IAM authorizer as opposed to a JWT one
+    path('iam/', include(router.urls)),
+    # the main API surface authenticated using JWTs
     path('', include(router.urls)),
 ]
 

serverless.yml

@@ -21,6 +21,8 @@ provider:
   iam:
     role: ${ssm:/data_portal/backend/lambda_iam_role_arn}
   endpointType: regional
+  logs:
+    httpApi: true
   httpApi:
     disableDefaultEndpoint: true
     payload: '2.0'
@@ -89,6 +91,17 @@ functions:
           path: /{proxy+}
           method: POST
           authorizer: cognitoJwtAuthorizer
+      # we mirror the API onto /iam/* and allow IAM access
+      - httpApi:
+          path: /iam/{proxy+}
+          method: GET
+          authorizer:
+            type: aws_iam
+      - httpApi:
+          path: /iam/{proxy+}
+          method: POST
+          authorizer:
+            type: aws_iam
     timeout: 28
 
   migrate:
@@ -300,6 +313,8 @@ custom:
     app: data_portal.wsgi.application
     packRequirements: false
   pythonRequirements:
+    # lambci don't seem to be updating their images so there is currently no python 3.9 without using custom
+    dockerImage: mlupin/docker-lambda:python3.9-build
     dockerizePip: non-linux
     layer: true
     zip: false