Over the last few weeks I have been working with a very ambitious client – , who is building a new murder mystery game. They are doing some really cool things technically, and are building an entirely serverless stack. Solve While working with Solve I have spent a lot of time with . That experience also helped inform my opinion about SAM, as I explained in this . Where compared with the it’s lacking the customizability that the serverless framework offers through its plugin system. AWS SAM article Serverless framework With the Serverless framework, I can write plugins to tailor the framework’s built-in behaviours. This gets me out of jail whenever I disagree with the framework’s choices. However, I don’t have such a luxury with SAM. Just today, I ran into a problem with SAM’s authorizer in API Gateway. The built-in behaviour is such that, anytime I choose to use AWS_IAM as the authorizer it’ll default the to . Even if I explicitly set InvokeRole to null. support for AWS_IAM InvokeRole CALLER_CREDENTIALS This means the caller’s IAM role would be used to invoke the Lambda function. So, to call my IAM-protected endpoint, I need to sign the request with an IAM profile with the permissions to: against the API Gateway resource execute-api:Invoke against the Lambda function sitting behind API Gateway and lambda:InvokeFunction That completely breaks the abstraction layer! As a caller, I not only need to know the endpoint I wish to talk to, but also how it’s implemented under the hood. If the API maintainer renames the functions behind the endpoint, my code would suddenly break. If this issue also impacts you, then keep an eye on . this Github issue Since SAM doesn’t have a plugin system, I would have to wait for the SAM team to fix the problem. Or, do I? Since SAM is ultimately just CloudFormation with a magical macro called . I can modify the CloudFormation template it transformed with my own macros. AWS::Serverless-2016–10–31 In this case, we were able to get ourselves out of jail by writing a CloudFormation macro to: look for CloudFormation resources AWS::ApiGateway::RestApi iteratively remove any fields from integrations credentials AWS_PROXY With this macro, we were able to unblock ourselves. Admittedly, using CloudFormation macros is a rather heavy-handed approach to customize SAM’s behaviour! However, in the absence of a built-in mechanism for customizing SAM, it was the best bad idea we were able to come up with. Please let us know in the comments if you know of a simpler, more elegant solution! Hi, my name is . I’m an and the author of . I have run production workload at scale in AWS for nearly 10 years and I have been an architect or principal engineer with a variety of industries ranging from banking, e-commerce, sports streaming to mobile gaming. I currently work as an independent consultant focused on AWS and serverless. Yan Cui AWS Serverless Hero Production-Ready Serverless You can contact me via , and . Email Twitter LinkedIn Check out my new course, . Complete Guide to AWS Step Functions In this course, we’ll cover everything you need to know to use AWS Step Functions service effectively. Including basic concepts, HTTP and event triggers, activities, design patterns and best practices. Get your copy . here Come learn about operational for AWS Lambda: CI/CD, testing & debugging functions locally, logging, monitoring, distributed tracing, canary deployments, config management, authentication & authorization, VPC, security, error handling, and more. BEST PRACTICES You can also get off the face price with the code . 40% ytcui Get your copy . here Originally published at https://theburningmonk.com on June 29, 2019.

AWS SAM + Cloudformation macros, a patch made in heaven

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

A simple Event-Sourcing Example Using Lambda and DynamoDB [Includes Snapshots]

Ask Your Logs Anything: Building a Conversational Interface with AWS Lambda and Bedrock

Goodbye Manual Monitoring: How AIOps Spots Problems Before You Do

The Day the Cloud Cracked: AWS Outage Exposes Fragility of Centralized Internet

Projects to Programs: A Client-Partner Playbook for AI, Cloud & Data That Actually Moves the needle

A simple Event-Sourcing Example Using Lambda and DynamoDB [Includes Snapshots]

Ask Your Logs Anything: Building a Conversational Interface with AWS Lambda and Bedrock

Goodbye Manual Monitoring: How AIOps Spots Problems Before You Do

The Day the Cloud Cracked: AWS Outage Exposes Fragility of Centralized Internet

Projects to Programs: A Client-Partner Playbook for AI, Cloud & Data That Actually Moves the needle

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps