Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(apigatewayv2): websocket api: grant manage connections #16872

Merged
merged 13 commits into from
Nov 9, 2021
Merged

feat(apigatewayv2): websocket api: grant manage connections #16872

merged 13 commits into from
Nov 9, 2021

Conversation

tmokmss
Copy link
Contributor

@tmokmss tmokmss commented Oct 8, 2021
edited
Loading

closes #14828

By this PR, we can allow access to management API by the following code.

    const api = new WebSocketApi(stack, 'Api');
    const defaultStage = new WebSocketStage(stack, 'Stage', {
      webSocketApi: api,
      stageName: 'dev',
    });
    const principal = new User(stack, 'User');

    api.grantManagementApiAccess(principal); // allow access to the management API for all the stage
    defaultStage.grantManagementApiAccess(principal); // allow access to the management API for a specific stage

We use WebSocket API Management API to send messages to a WebSocket API. (doc) To use the API, we must set IAM statement as below (doc):

    {
      "Effect": "Allow",
      "Action": [
        "execute-api:ManageConnections"           
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:account-id:api-id/stage-name/POST/@connections/*"
      ]
    }

We need /* at the end of resource ARN because there will be arbitrary strings (connectionId).
i.e. {apiArn}/{stageName}/POST/@connections/{connectionId}

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Oct 8, 2021

@tmokmss tmokmss changed the title feat(apigatewayv2): grant permissions for sending messages to a WebSocket fix(apigatewayv2): grant permissions for sending messages to a WebSocket Oct 8, 2021
@peterwoodworth peterwoodworth changed the title fix(apigatewayv2): grant permissions for sending messages to a WebSocket fix(apigatewayv2): grant permissions for sending messages to a WebSocket Oct 21, 2021
@github-actions github-actions bot added the @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 label Oct 21, 2021
nija-at
nija-at previously requested changes Oct 28, 2021
View reviewed changes
Copy link
Contributor

@nija-at nija-at left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @tmokmss. See my comments below.

Please add a few sentences to the README describing this new API.

packages/@aws-cdk/aws-apigatewayv2/lib/websocket/api.ts Outdated
Comment on lines 14 to 19
/**
* The ARN of the WebSocket API.
*
* @attribute
*/
readonly apiArn: string;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this from here. The Arn is not attribute of IApi.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, thanks. Instead we might want to create some API like arnForExecuteApi as in apigateway.RestApi.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, makes sense.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll add this API for both httpApi and webSocketApi in a future PR.

packages/@aws-cdk/aws-apigatewayv2/lib/websocket/api.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/api.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/api.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/test/websocket/api.test.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/stage.ts Outdated Show resolved Hide resolved
@nija-at nija-at changed the title fix(apigatewayv2): grant permissions for sending messages to a WebSocket feat(apigatewayv2): websocket api: grant manage connections Oct 28, 2021
@mergify mergify bot dismissed nija-at’s stale review October 28, 2021 16:04

Pull request has been modified.

@tmokmss
Copy link
Contributor Author

tmokmss commented Oct 29, 2021

@nija-at thank you for the review! now ready for a new review:)

nija-at
nija-at previously requested changes Oct 29, 2021
View reviewed changes
Copy link
Contributor

@nija-at nija-at left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks much better. See some comments below.

packages/@aws-cdk/aws-apigatewayv2/README.md Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/test/websocket/api.test.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-apigatewayv2/lib/websocket/api.ts
*
* @param identity The principal
*/
public grantManageConnections(identity: IGrantable): Grant {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding this method to IWebsocketApi. Then, this feature will be available to imported APIs as well.

This would mean creating a new base class and moving this implementation to it.

class WebsocketApiBase extends ApiBase {
  // ...
  public grantManageConnections(...) {
    // ...
  }
}

The same applies to Stage.

This is strictly not necessary for this PR if you prefer to not do this now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes I prefer to do this in another PR. I think we can create a new issue to support importing a webSocketApi and refactor them in a corresponding PR.

@mergify mergify bot dismissed nija-at’s stale review October 29, 2021 13:50

Pull request has been modified.

@tmokmss
Copy link
Contributor Author

tmokmss commented Oct 29, 2021

@nija-at ready for a new review again :)

nija-at
nija-at previously approved these changes Nov 5, 2021
View reviewed changes
@mergify
Copy link
Contributor

mergify bot commented Nov 5, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot dismissed nija-at’s stale review November 7, 2021 03:59

Pull request has been modified.

@mergify
Copy link
Contributor

mergify bot commented Nov 9, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 2a1c12a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 10dfa60 into aws:master Nov 9, 2021
@mergify
Copy link
Contributor

mergify bot commented Nov 9, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@tmokmss tmokmss deleted the add_websocket_grant_managementapi_acccess branch November 9, 2021 23:41
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this pull request Feb 21, 2022
@tmokmss @TikiTDO
feat(apigatewayv2): websocket api: grant manage connections (aws#16872)
5dc3931 
closes aws#14828

By this PR, we can allow access to management API by the following code.

```ts
    const api = new WebSocketApi(stack, 'Api');
    const defaultStage = new WebSocketStage(stack, 'Stage', {
      webSocketApi: api,
      stageName: 'dev',
    });
    const principal = new User(stack, 'User');

    api.grantManagementApiAccess(principal); // allow access to the management API for all the stage
    defaultStage.grantManagementApiAccess(principal); // allow access to the management API for a specific stage
```

We use WebSocket API Management API to send messages to a WebSocket API. [(doc)](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-how-to-call-websocket-api-connections.html) To use the API, we must set IAM statement as below [(doc)](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-control-access-iam.html):

```json
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:ManageConnections"           
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:account-id:api-id/stage-name/POST/@connections/*"
      ]
    }
``` 

We need `/*` at the end of resource ARN because there will be arbitrary strings (`connectionId`).
i.e. `{apiArn}/{stageName}/POST/@connections/{connectionId}`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nija-at nija-at nija-at approved these changes

Assignees

@nija-at nija-at

Labels
@aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(apigatewayv2): grant permissions for sending messages to a WebSocket
3 participants
@tmokmss @aws-cdk-automation @nija-at