Handling Private API gateway resource policy along with lambda policy when using chalice deploy #1225

Open
spicoflorin opened this issue Aug 29, 2019 · 1 comment

@spicoflorin
@spicoflorin spicoflorin commented Aug 29, 2019

Hello!

I have updated to the new chalice release 1.11.0. I have seen that there are two tickets related to my request:
#976
#897

I would like to handle both lambda and API gateway Resource policy in the same file.

When I ran:

chalice deploy --no-autogen-policy

I ran into:

chalice.deploy.deployer.ChaliceDeploymentError: ERROR - While deploying your chalice application, received the following error:
An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy
operation: Policy document should not specify a principal.

Therefore, my questions are:

  1. How do I properly distinguish in policy.json between the lambda policy statements and the API Gateway Resource policy statements?

  2. Can you please provide a working example where you set up both the API Gateway resource policy as PRIVATE with a VPC/VPC endpoint and the lambda policies?

  3. In my policy.json file the part related to the VPC endpoint should be deployed to the API Gateway Resource policy. How do I handle that in the policy.json?

Thank you.

Below are my configurations for config.json and policy-dev.json:
config.json

{
  "version": "2.0",
  "app_name": "florin-priv-policy",
  "stages": {
    "dev": {
      "api_gateway_stage": "api",
      "api_gateway_endpoint_type": "PRIVATE",
      "api_gateway_policy_file": "policy-dev.json"
    }
  }
}

policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:*:*:*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-"
        }
      }
    }
  ]
}
@kyleknap
Member

@kyleknap kyleknap commented Sep 4, 2019

Thanks for all of the information. First just answering your questions:

How do I properly distinguish in policy.json between the lambda policy statements and the API Gateway Resource policy statements?

These need to be separate JSON files in the .chalice directory. You cannot combine the policies into one document, nor use the Gateway Resource policy for the lambda permissions and vice versa.

Can you please provide a working example where you can set up both the API Gateway resource policy as PRIVATE with a VPC/VPC endpoint and lambda policies?

I think that makes a lot of sense to add in the docs. In the meantime, something like this should work:

app.py

from chalice import Chalice

app = Chalice(app_name='private')

@app.route('/')
def index():
    return {'hello': 'world'}

.chalice/config.json

{
  "version": "2.0",
  "app_name": "private",
  "api_gateway_endpoint_type": "PRIVATE",
  "api_gateway_policy_file": "custom_policy.json",
  "stages": {
    "dev": {
      "api_gateway_stage": "api"
    }
  }
}

.chalice/custom_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-0a06670cbb04c3863"
                }
            }
        }
    ]
}

And from there, if you have a policy.json file, it would be scoped to what actions the lambda function can perform.

In my policy.json file the part related to the VPC endpoint should be deployed to the API Gateway Resource policy. How do I handle that in the policy.json?

You would not include it in the policy.json. They should be two separate documents.

I hope this helps. We should definitely add more documentation on how to set up private endpoints.
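As an added example (not from this issue or from Chalice itself), a small pre-deploy lint that catches the mix-up discussed above: the Lambda role policy must carry no Principal (the cause of the MalformedPolicyDocument error), while the API Gateway resource policy for a PRIVATE endpoint must carry one and be pinned to a real VPC endpoint. The two sample documents and the vpce ID are constructed placeholders.

```python
import json

# Constructed sample documents mirroring the two-file layout in the reply:
# a Lambda execution-role policy (policy.json) and a separate API Gateway
# resource policy (custom_policy.json). The VPC endpoint ID is a placeholder.
LAMBDA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                 "Resource": ["arn:aws:logs:*:*:*"]}]
}""")

GATEWAY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "execute-api:Invoke",
                 "Resource": "arn:aws:execute-api:*:*:*",
                 "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]
}""")


def _statements(doc):
    # IAM allows "Statement" to be a single object or a list; normalise to a list.
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def lint_lambda_policy(doc):
    """Problems that make IAM reject the document as a role (identity) policy."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        if "Principal" in s or "NotPrincipal" in s:
            # The exact cause of the MalformedPolicyDocument error in the issue.
            problems.append(f"statement {i}: role policies must not specify a Principal")
    return problems


def lint_gateway_policy(doc, endpoint_type="PRIVATE"):
    """Problems in an API Gateway resource policy; PRIVATE APIs should pin the VPC endpoint."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        if "Principal" not in s and "NotPrincipal" not in s:
            problems.append(f"statement {i}: resource policies must specify a Principal")
        if endpoint_type == "PRIVATE" and s.get("Effect") == "Allow":
            vpce = str(s.get("Condition", {}).get("StringEquals", {}).get("aws:SourceVpce", ""))
            if len(vpce) <= len("vpce-"):  # missing or a bare "vpce-" placeholder (assumes a string value)
                problems.append(f"statement {i}: Allow on a PRIVATE API is not pinned to a VPC endpoint")
    return problems
```

Running both linters over a single combined document, as in the original policy.json above, reports the Principal-bearing statement that IAM would reject.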

@spicoflorin spicoflorin changed the title Handling Private API gateway resource policy as long with lambda policy when usinh chalice deploy Handling Private API gateway resource policy as long with lambda policy when using chalice deploy Nov 6, 2019