Cannot reference an authorizer already created within services that shares the same API GW

[mpaleo]

This is a (Bug Report)

Description

• What went wrong?
  I have two services (e.g. Service-A and Service-B) that shares the same API Gateway. Service-A has some public/private endpoints and defines an API GW authorizer. This works fine.
  Service-B has some private endpoints that need to use the authorizer defined in Service-A. I tried to reference the authorizer by ARN with no success. I think the problem is that serverless tries to create another authorizer in the same API GW, and throws error because an authorizer with the same name already exists. The thing is that I dont want to create another API GW authorizer, I just want to reference an authorizer that belongs to the API GW.
  Output relevant to Service-A

{
    "AuthorizerApiGatewayAuthorizer":{
        "Type":"AWS::ApiGateway::Authorizer",
        "Properties":{
            "AuthorizerResultTtlInSeconds":0,
            "IdentitySource":"method.request.header.Authorization",
            "Name":"authorizer",
            "RestApiId":"XXXXXXXX",
            "AuthorizerUri":{
                "Fn::Join":[
                    "",
                    [
                        "arn:aws:apigateway:",
                        {
                            "Ref":"AWS::Region"
                        },
                        ":lambda:path/2015-03-31/functions/",
                        {
                            "Fn::GetAtt":[
                                "AuthorizerLambdaFunction",
                                "Arn"
                            ]
                        },
                        "/invocations"
                    ]
                ]
            },
            "Type":"TOKEN"
        }
    }
}

Output relevant to Service-B

{
    "AuthorizerApiGatewayAuthorizer":{
        "Type":"AWS::ApiGateway::Authorizer",
        "Properties":{
            "IdentitySource":"method.request.header.Authorization",
            "Name":"authorizer",
            "RestApiId":"XXXXXXXX",
            "AuthorizerUri":{
                "Fn::Join":[
                    "",
                    [
                        "arn:aws:apigateway:",
                        {
                            "Ref":"AWS::Region"
                        },
                        ":lambda:path/2015-03-31/functions/",
                        "MY_LAMBDA_FUNCTION_AUTHORIZER_ARN",
                        "/invocations"
                    ]
                ]
            },
            "Type":"TOKEN"
        }
    }
}

• What did you expect should have happened?
  Having Service-A and Service-B within the same API GW, I expect to be able to reference the authorizer already defined by Service-A.
• What was the config you used?
  I have tried this alternatives in Service-B

functions:
 some-function:
   handler: someHandler.someFunction
   events:
     - http:
         path: some/path
         method: get
         authorizer:
           arn: LAMBDA_ARN
           name: service-a-authorizer-name

functions:
 some-function:
   handler: someHandler.someFunction
   events:
     - http:
         path: some/path
         method: get
         authorizer: LAMBDA_ARN

• What stacktrace or error message from your provider did you see?
  An error occurred: AuthorizerApiGatewayAuthorizer - Authorizer name must be unique. Authorizer authorizer already exists in this RestApi..

Additional Data

• Serverless Framework Version you're using: 1.26
• Operating System: Linux (kernel 4.13.0-32-generic)
• Stack Trace:
• Provider Error messages:

[pfried]

This could be solved if it was possible to simply reference an Authorizer by its ID: (AWS::ApiGateway::Method -> AuthorizerId)

I cannot find a way to do that. Is there any plugin or something that does that? Because from a code perspective this should be relatively easy.

[idwright]

I hit the same problem - first thought was to use restApiResources but I couldn't (quickly) work out how to with an authorizer however if you give the authorizer in service B a name as well as an arn then it will at least deploy.
(For some reason when I do this it's not calling the authFunc and is returning a 401 but I haven't worked out why yet)
e.g.

      authorizer:
        name: serviceBAuthFunc
        arn: ${cf:service-a-${self:provider.stage}.AuthFunc}

[carlosvictor]

Same problem here.

Anyone with a solution ?

[ftrevo]

Same problem here too.

[lucaspitang]

I'm searching for any solution for this problem, anyone could give me some help?

[jacintoArias]

Has anybody tested this PR to solve this issue? #4197

I know it only references COGNITO_USER_POOLS but perhaps it might work as well with Custom authorizers...

[anelmu]

@jacintoArias I have tested #4197 with custom authorizer and works with multiple services.
Only needed to change type from COGNITO_USER_POOLS to CUSTOM.

[rohitshetty]

I hit the same problem, I just gave a name to my authorizer like @idwright Suggested, and it seems to be working. Anyone have any idea if this is the correct way (at least until a fix is released?) Or if we can have any caveats?

[rohitshetty]

Adding name, creates different authorizer in the api gateway for each lambda.
I am not sure if this is a good practice? Also Not sure if there is any upper limit on this. Please let me know.

[jackrk]

This is Jack from the API Gateway team. Please merge #4197 as a fix. This is painful for customers because there is a limit of 10 authorizers per RestApi, and they are forced to contact AWS to request a limit increase to unblock development. Thank you!

[HyperBrain]

@jackrk Hey Jack, thanks for the slight "push" and information 👍
I will check it and do a merge... maybe it can go straight into the 1.27.3 which will be available in the next few days.

[rohitshetty]

Thank you @jackrk and @HyperBrain I am one of the customers Jack mentioned above. I am glad to hear this will be available in 1.27.3! Thank you for your efforts.