首页 文章

API网关Cloudformation CORS

提问于
浏览
1

我正在尝试使用cloudformation在API网关中部署API . 这些方法需要启用CORS,我按照这里的模板Enable CORS for API Gateway in Cloudformation template来执行此操作 . 这是我的模板

AuthorizerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service:
                - "apigateway.amazonaws.com"
      Policies:
        - PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - "lambda:invokeFunction"
                Effect: "Allow"
                Resource:
                  - !GetAtt "MyAPIAuthorizer.Arn"
          PolicyName: "lambda"

Authorizer:
  Type: AWS::ApiGateway::Authorizer
  Properties:
    AuthorizerResultTtlInSeconds: 0
    AuthorizerCredentials: !GetAtt "AuthorizerRole.Arn"
    AuthorizerUri:
      Fn::Join:
        - ""
        -
          - "arn:aws:apigateway:"
          - Ref: "AWS::Region"
          - ":lambda:path/2015-03-31/functions/"
          - Fn::GetAtt:
              - "MyAPIAuthorizer"
              - "Arn"
          - "/invocations"
    Type: "TOKEN"
    IdentitySource: "method.request.header.token"
    Name: "DefaultAuthorizer"
    RestApiId: !Ref RestApi

MyAPIAuthorizer:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: my-My-lambda-us-east-1
        S3Key: node_lambdas.zip
      Handler: My-APIAuthorizer.handler
      Role: !Ref Role
      Runtime: nodejs6.10
      Timeout: 300
      VpcConfig:
        SecurityGroupIds:
          - !Ref SecurityGroup
        SubnetIds: !Ref Subnets

MyAuthenticateUser:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: My-My-lambda-us-east-1
        S3Key: node_lambdas.zip
      Handler: My-AuthenticateUser.handler
      Role: !Ref Role
      Runtime: nodejs6.10
      Timeout: 300
      VpcConfig:
        SecurityGroupIds:
          - !Ref SecurityGroup
        SubnetIds: !Ref Subnets
      #Policies: AWSLambdaDynamoDBExecutionRole

MyAuthenticateUserApiGatewayInvoke:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt "MyAuthenticateUser.Arn"
      Principal: "apigateway.amazonaws.com"
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${RestApi}/*/*/*"
MyAuthenticateUserResource:
     Type: AWS::ApiGateway::Resource
     Properties:
       RestApiId: !Ref RestApi
       ParentId: !Ref ApiResourceParent
       PathPart: authenticateuser
MyAuthenticateUserPost:
      Type: AWS::ApiGateway::Method
      Properties:
        RestApiId: !Ref RestApi
        ResourceId: !Ref MyAuthenticateUserResource
        HttpMethod: POST
        AuthorizationType: NONE
        Integration:
          IntegrationHttpMethod: POST
          Type: AWS
          Uri: !Sub
            - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${lambdaArn}/invocations"
            - lambdaArn: !GetAtt "MyAuthenticateUser.Arn"
          IntegrationResponses:
          - StatusCode: 200
            ResponseParameters:
              method.response.header.Access-Control-Allow-Origin: "'*'"
        MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: 'Empty'
          ResponseParameters:
              method.response.header.Access-Control-Allow-Origin: true
MyAuthenticateUserOptions:
      Type: AWS::ApiGateway::Method
      Properties:
        RestApiId: !Ref RestApi
        ResourceId: !Ref MyAuthenticateUserResource
        HttpMethod: OPTIONS
        AuthorizationType: NONE
        Integration:
            IntegrationHttpMethod: POST
            IntegrationResponses:
            - StatusCode: 200
              ResponseParameters:
                method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,token'"
                method.response.header.Access-Control-Allow-Methods: "'POST,OPTIONS'"
                method.response.header.Access-Control-Allow-Origin: "'*'"
            Type: MOCK
        MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: 'Empty'
          ResponseParameters:
              method.response.header.Access-Control-Allow-Headers: true
              method.response.header.Access-Control-Allow-Methods: true
              method.response.header.Access-Control-Allow-Origin: true

MyFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: My-My-lambda-us-east-1
        S3Key: node_lambdas.zip
      Handler: My-Function.handler
      Role: !Ref Role
      Runtime: nodejs6.10
      Timeout: 300
      VpcConfig:
        SecurityGroupIds:
          - !Ref SecurityGroup
        SubnetIds: !Ref Subnets
      #Policies: AWSLambdaDynamoDBExecutionRole

MyFunctionApiGatewayInvoke:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt "MyFunction.Arn"
      Principal: "apigateway.amazonaws.com"
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${RestApi}/*/*/*"
MyFunctionResource:
     Type: AWS::ApiGateway::Resource
     Properties:
       RestApiId: !Ref RestApi
       ParentId: !Ref ApiResourceParent
       PathPart: Function
MyFunctionGet:
      Type: AWS::ApiGateway::Method
      Properties:
        RestApiId: !Ref RestApi
        ResourceId: !Ref MyFunctionResource
        HttpMethod: GET
        AuthorizationType: CUSTOM
        AuthorizerId: !Ref Authorizer
        Integration:
          IntegrationHttpMethod: GET
          Type: AWS
          Uri: !Sub
            - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${lambdaArn}/invocations"
            - lambdaArn: !GetAtt "MyFunction.Arn"
          IntegrationResponses:
          - StatusCode: 200
            ResponseParameters:
              method.response.header.Access-Control-Allow-Origin: "'*'"
        MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: 'Empty'
          ResponseParameters:
              method.response.header.Access-Control-Allow-Origin: true
MyFunctionOptions:
      Type: AWS::ApiGateway::Method
      Properties:
        RestApiId: !Ref RestApi
        ResourceId: !Ref MyFunctionResource
        HttpMethod: OPTIONS
        AuthorizationType: NONE
        Integration:
            IntegrationHttpMethod: GET
            IntegrationResponses:
            - StatusCode: 200
              ResponseParameters:
                method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,token'"
                method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
                method.response.header.Access-Control-Allow-Origin: "'*'"
            Type: MOCK
        MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: 'Empty'
          ResponseParameters:
              method.response.header.Access-Control-Allow-Headers: true
              method.response.header.Access-Control-Allow-Methods: true
              method.response.header.Access-Control-Allow-Origin: true

部署API后, MyAuthenticateUserPost 方法返回带有以下响应标头的200

Access-Control-Allow-Origin→* Connection→keep-alive Content-Length→249 Content-Type→application / json Date→Fri,28 Sep 2018 21:15:38 GMT Via→1.1 sdlkfnsdlk.cloudfront.net(CloudFront )X-Amz-Cf-Id→dflknsdlfkn X-Amzn-Trace-Id→Root = sdlkfnsdlk; Sampled = 0 X-Cache→来自cloudfront的错误x-amz-apigw-id→sdklfnsdlk x-amzn-RequestId→slkfnlsdk

但是 MyFunctionGet 方法返回带有以下响应头的500

连接→保持活动内容长度→36内容类型→应用程序/ json日期→星期五,星期五,288 2018 21:19:04 GMT Via→1.1 slkdfnk.cloudfront.net(CloudFront)X-Amz-Cf-Id→ dsklfnsdlk X-Cache→来自cloudfront的错误x-amz-apigw-id→dlsfknsdlkfn x-amzn-RequestId→sdkfnsdkln

500响应缺少 Access-Control-Allow-OriginX-Amzn-Trace-Id 标头 . 两种方法之间的区别在于,工作方法是POST并且没有授权,而不工作的方法是GET并且具有自定义Authorizer . 如果我进入API网关控制台,选择GET方法 - >集成请求,并保存Lambda函数,我可以让方法返回500工作
enter image description here

在cloudformation部署之后,该功能已经存在于该字段中,并且我已在模板中添加了权限,但除非我执行此手动步骤,否则API网关方法将无法工作 . 我有大约50种方法,所以我想完全自动化这个 . 我在模板中遗漏了什么吗?

Update: 为了响应@jny,我在我的Get方法中更新了集成响应

IntegrationResponses:
              - StatusCode: 200
                SelectionPattern: "2\\{d}2"
                ResponseParameters:
                  method.response.header.Access-Control-Allow-Origin: "'*'"
              - StatusCode: 300
                SelectionPattern: "3\\{d}2"
                ResponseParameters:
                  method.response.header.Access-Control-Allow-Origin: "'*'"
              - StatusCode: 400
                SelectionPattern: "4\\{d}2"
                ResponseParameters:
                  method.response.header.Access-Control-Allow-Origin: "'*'"
              - StatusCode: 500
                SelectionPattern: "5\\{d}2"
                ResponseParameters:
                  method.response.header.Access-Control-Allow-Origin: "'*'"
            MethodResponses:
            - StatusCode: 200
              ResponseModels:
                application/json: 'Empty'
              ResponseParameters:
                  method.response.header.Access-Control-Allow-Origin: true
            - StatusCode: 300
              ResponseModels:
                application/json: 'Empty'
              ResponseParameters:
                  method.response.header.Access-Control-Allow-Origin: true
            - StatusCode: 400
              ResponseModels:
                application/json: 'Empty'
              ResponseParameters:
                  method.response.header.Access-Control-Allow-Origin: true
            - StatusCode: 500
              ResponseModels:
                application/json: 'Empty'
              ResponseParameters:
                  method.response.header.Access-Control-Allow-Origin: true

我也对我的选项方法进行了相同的更新

IntegrationResponses:
                - StatusCode: 200
                  SelectionPattern: "2\\{d}2"
                  ResponseParameters:
                    method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,token'"
                    method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
                    method.response.header.Access-Control-Allow-Origin: "'*'"
                - StatusCode: 300
                  SelectionPattern: "3\\{d}2"
                  ResponseParameters:
                    method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,token'"
                    method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
                    method.response.header.Access-Control-Allow-Origin: "'*'"
                - StatusCode: 400
                  SelectionPattern: "4\\{d}2"
                  ResponseParameters:
                    method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,token'"
                    method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
                    method.response.header.Access-Control-Allow-Origin: "'*'"
                - StatusCode: 500
                  SelectionPattern: "5\\{d}2"
                  ResponseParameters:
                    method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,token'"
                    method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
                    method.response.header.Access-Control-Allow-Origin: "'*'"
            MethodResponses:
            - StatusCode: 200
              ResponseModels:
                application/json: 'Empty'
              ResponseParameters:
                  method.response.header.Access-Control-Allow-Headers: false
                  method.response.header.Access-Control-Allow-Methods: false
                  method.response.header.Access-Control-Allow-Origin: false
            - StatusCode: 300
              ResponseModels:
                application/json: 'Empty'
              ResponseParameters:
                  method.response.header.Access-Control-Allow-Headers: false
                  method.response.header.Access-Control-Allow-Methods: false
                  method.response.header.Access-Control-Allow-Origin: false
            - StatusCode: 400
              ResponseModels:
                application/json: 'Empty'
              ResponseParameters:
                  method.response.header.Access-Control-Allow-Headers: false
                  method.response.header.Access-Control-Allow-Methods: false
                  method.response.header.Access-Control-Allow-Origin: false
            - StatusCode: 500
              ResponseModels:
                application/json: 'Empty'
              ResponseParameters:
                  method.response.header.Access-Control-Allow-Headers: false
                  method.response.header.Access-Control-Allow-Methods: false
                  method.response.header.Access-Control-Allow-Origin: false

调用API方法时,我仍然看到500响应

cors aws-lambda amazon-cloudformation aws-api-gateway

1 回答

  • 0

    您必须为所有状态配置ResponseParameters,而不仅仅是200 .

    像这样的东西:

    "IntegrationResponses": [
        {
          "ResponseParameters":{
            "method.response.header.Access-Control-Allow-Origin": "'*'"
          },
        "StatusCode": 200,
        "ResponseTemplates": {
        ....
        }
      },
        {
          "StatusCode": 500,
          "SelectionPattern": "5\\{d}2",
          "ResponseTemplates": {
              ....
          }
        }
      ],

    和方法响应相同,例如:

    "MethodResponses": [{
      "ResponseModels": {
        "application/json": "Empty"
      },
      "ResponseParameters":{
        "method.response.header.Access-Control-Allow-Origin": "'*'"
      },
      "StatusCode": "200"
    },
      {
        "StatusCode": "500"
      }
    ]
    回复于

相关问题