(apigatewayv2): grantManagementApiAccess only grants "POST" #18410

Closed
tylerzey opened this issue Jan 13, 2022 · 2 comments · Fixed by #18544
Assignees
Labels
@aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 bug This issue is a bug. p2

Comments

@tylerzey

What is the problem?

The grantManagementApiAccess function on the WebSocketApi (or WebSocketStage) creates the following IAM permission:
arn:aws:execute-api:us-east-1:account-id:api-id/stage-name/POST/@connections/*.

This denies the IAM user "DELETE" permissions on the WebSocketApi. Example IAM denied error:

User: arn:aws:sts::****:assumed-role/***/*** is not authorized to perform: execute-api:ManageConnections on resource: arn:aws:execute-api:us-east-1:****:****/stage/DELETE/@connections/{connectionId}"

I believe the naming of the grantManagementApiAccess function implies that DELETE should be allowed. If not, perhaps there should be another IAM granting method to prevent the user from having to write a custom IAM policy.

Reproduction Steps

```typescript
import * as aws_lambda from 'aws-cdk-lib/aws-lambda';
import { WebSocketApi, WebSocketStage } from '@aws-cdk/aws-apigatewayv2-alpha';

// Inside a Stack (`this`): the Lambda that calls the Management API, the API, and a stage for it.
const lambdaGraphQLFunction = new aws_lambda.Function(this, 'GraphQLFn', { runtime: aws_lambda.Runtime.NODEJS_14_X, handler: 'index.handler', code: aws_lambda.Code.fromAsset('lambda') });
const webSocketApi = new WebSocketApi(this, 'WebSocketApi');
const webSocketStage = new WebSocketStage(this, 'Stage', { webSocketApi, stageName: 'stage-name', autoDeploy: true });

webSocketStage.grantManagementApiAccess(lambdaGraphQLFunction);
```

```json
{
  "Effect": "Allow",
  "Action": ["execute-api:ManageConnections"],
  "Resource": ["arn:aws:execute-api:us-east-1:account-id:api-id/stage-name/POST/@connections/*"]
}
```

What did you expect to happen?

I expected grantManagementApiAccess to grant the "DELETE" permission for the WebSocketApi.

What actually happened?

The grantManagementApiAccess function only granted the "POST" operation.

CDK CLI Version

2.1.0

Framework Version

2.3.0-alpha.0

Node.js Version

14

OS

MacOS

Language

Typescript

Language Version

No response

Other information

No response

@tylerzey tylerzey added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 13, 2022
@github-actions github-actions bot added the @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 label Jan 13, 2022
@ryparker ryparker added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 13, 2022
@leestkly
Contributor

Since GET is also available on the @connections API to get the status of the connection, should the resource pattern also allow that method?

Seems like the pattern for a stage should look like arn:aws:execute-api:us-east-1:account-id:api-id/stage-name/*/@connections/*, and the pattern for the whole API should be arn:aws:execute-api:us-east-1:account-id:api-id/*/*/@connections/*.

Do you agree?
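To check what a resource pattern actually covers before relying on a grant, here is an added example (not code from the aws-cdk repository) that applies IAM-style wildcard matching to the POST-only pattern from the issue and to the two patterns proposed above; the ARN prefix and the connectionId are constructed sample values.

```typescript
// Added example: evaluate which @connections methods an IAM resource pattern allows.
// IAM resource matching: '*' matches any run of characters, '?' exactly one.
const API_ARN_PREFIX = 'arn:aws:execute-api:us-east-1:account-id:api-id'; // constructed sample

// Convert an IAM resource pattern into an anchored RegExp, escaping everything except * and ?.
function iamPatternToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .split('')
    .map((ch) => (ch === '*' ? '.*' : ch === '?' ? '.' : ch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')))
    .join('');
  return new RegExp(`^${escaped}$`);
}

// The three Management API calls a handler needs for full connection handling.
const MANAGEMENT_METHODS = ['POST', 'GET', 'DELETE'] as const;

// Return the management methods the pattern allows for one connection on the given stage.
function coveredMethods(resourcePattern: string, stage: string, connectionId = 'abc123'): string[] {
  const re = iamPatternToRegExp(resourcePattern);
  return MANAGEMENT_METHODS.filter((m) =>
    re.test(`${API_ARN_PREFIX}/${stage}/${m}/@connections/${connectionId}`),
  );
}

// Pattern currently produced by grantManagementApiAccess (from the issue).
const POST_ONLY_PATTERN = `${API_ARN_PREFIX}/stage-name/POST/@connections/*`;
// Patterns proposed in the thread: one stage, or every stage of the API.
const STAGE_PATTERN = `${API_ARN_PREFIX}/stage-name/*/@connections/*`;
const API_PATTERN = `${API_ARN_PREFIX}/*/*/@connections/*`;

for (const p of [POST_ONLY_PATTERN, STAGE_PATTERN, API_PATTERN]) {
  console.log(p, '-> stage-name:', coveredMethods(p, 'stage-name'), 'prod:', coveredMethods(p, 'prod'));
}
```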

@mergify mergify bot closed this as completed in #18544 Jan 21, 2022
mergify bot pushed a commit that referenced this issue Jan 21, 2022
…onnections (#18544)

Current code only grants POST method, but GET and DELETE methods are also needed for full connection management.

closes #18410


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

LukvonStrom pushed a commit to LukvonStrom/aws-cdk that referenced this issue Jan 26, 2022
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022