Pre Token Generation trigger: This Lambda trigger allows you to customize an identity token before it is generated: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
I am looking for a way to configure this trigger via CloudFormation. Something like:
UserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    LambdaConfig:
      # Next line does not work:
      PreTokenGeneration: [lambda ARN]
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html
I found docs for other triggers, but this one is missing. Is this a missing feature or just not documented?
https://forums.aws.amazon.com/thread.jspa?threadID=268907
It's on their roadmap, but there has been no news since Cognito's CloudFormation launch.
I would like to add Lambda invoke role in custom authorizer for an api gateway using serverless framework.
events:
  - http:
      path: controls
      method: GET
      cors: ${self:custom.lambdaCORS}
      authorizer:
        arn: arn:aws:lambda:us-east-1:XYZ:function:SLS-XYZ
        managedExternally: true
        identitySource: method.request.header.x-api-key
        resultTtlInSeconds: 0
        type: request
Can someone help me find the property under authorizer to add the "Lambda invoke role"? I was able to do it manually from the AWS console. I am trying to access an authorizer defined in another region. It seems API Gateway needs permission to invoke a Lambda authorizer in another region.
So the solution I was able to come up with was to add a specific permission to the generated API Gateway CloudFormation template.
The AWS docs outline what the CloudFormation template should look like to add a permission for API Gateway to access a Lambda:
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-rest-api-lambda-integrations/#To_add_Lambda_invoke_permission_to_a_REST_API_with_a_Lambda_integration_using_a_CloudFormation_template
So if you adapt that and add this block to the bottom of your serverless.yaml, you should be able to access the Authorizer referenced by the FunctionName field!
resources:
  Resources:
    InvokeAuthorizerPermission:
      Type: AWS::Lambda::Permission
      Properties:
        Action: "lambda:InvokeFunction"
        FunctionName: ARN_OF_AUTHORIZER
        Principal: "apigateway.amazonaws.com"
        SourceArn: "arn:aws:execute-api:${aws:region}:${aws:accountId}:*/*/*/*"
Hope this helps another lost soul; I smashed my head against this for a good long while!
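The SourceArn in the permission above is the part that matters for security: it is what stops any API Gateway in any AWS account from invoking the authorizer (the classic confused-deputy problem with service principals). The following is an added example, not code from the answer or from the Serverless Framework, that lints the AWS::Lambda::Permission resources of a template for that condition. It assumes the template has already been loaded into a Python dict (from JSON or YAML) and that serverless `${...}` variables have been resolved; the sample template, account id and logical ids are constructed for illustration.

```python
"""Check AWS::Lambda::Permission resources granting apigateway.amazonaws.com
invoke rights: each one should carry a SourceArn pinned to an account and
region (and ideally a single API), not be left open.

Added example, not code from the original answer. SAMPLE_TEMPLATE is
constructed; account id 123456789012 is a placeholder.
"""
import re

API_GW_PRINCIPAL = "apigateway.amazonaws.com"

# execute-api ARN: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<verb>/<path>
EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]*):(?P<account>[^:]*):(?P<rest>.*)$"
)


def _resources(template):
    """Return the Resources map from a raw CFN template or a serverless.yml dict."""
    if "Resources" in template:
        return template["Resources"]
    return template.get("resources", {}).get("Resources", {})


def _is_pinned(value):
    """True when an ARN field is a concrete value rather than empty or '*'."""
    return isinstance(value, str) and value not in ("", "*")


def check_lambda_permission(props):
    """Return findings (strings) for one AWS::Lambda::Permission Properties map."""
    findings = []
    if props.get("Principal") != API_GW_PRINCIPAL:
        return findings  # only API Gateway grants are inspected here
    source_arn = props.get("SourceArn")
    if source_arn is None:
        findings.append("no SourceArn: any API Gateway in any account may invoke the function")
        return findings
    if not isinstance(source_arn, str):
        return findings  # Fn::Sub / Ref etc. resolve at deploy time; not inspected statically
    m = EXECUTE_API_ARN.match(source_arn)
    if m is None:
        findings.append(f"SourceArn is not an execute-api ARN: {source_arn}")
        return findings
    if not _is_pinned(m.group("account")):
        findings.append("SourceArn does not pin the account id")
    if not _is_pinned(m.group("region")):
        findings.append("SourceArn does not pin the region")
    api_id = m.group("rest").split("/", 1)[0]
    if api_id == "*":
        findings.append("SourceArn allows every API in the account (api-id is '*')")
    return findings


def lint_template(template):
    """Map logical id -> findings for every Lambda::Permission with findings."""
    report = {}
    for logical_id, res in _resources(template).items():
        if res.get("Type") != "AWS::Lambda::Permission":
            continue
        findings = check_lambda_permission(res.get("Properties", {}))
        if findings:
            report[logical_id] = findings
    return report


# Constructed sample: the answer's permission with variables resolved (account-
# and region-scoped, but every API) next to one with no SourceArn at all.
SAMPLE_TEMPLATE = {
    "resources": {
        "Resources": {
            "InvokeAuthorizerPermission": {
                "Type": "AWS::Lambda::Permission",
                "Properties": {
                    "Action": "lambda:InvokeFunction",
                    "FunctionName": "ARN_OF_AUTHORIZER",
                    "Principal": "apigateway.amazonaws.com",
                    "SourceArn": "arn:aws:execute-api:us-east-1:123456789012:*/*/*/*",
                },
            },
            "WideOpenPermission": {
                "Type": "AWS::Lambda::Permission",
                "Properties": {
                    "Action": "lambda:InvokeFunction",
                    "FunctionName": "ARN_OF_AUTHORIZER",
                    "Principal": "apigateway.amazonaws.com",
                },
            },
        }
    }
}

if __name__ == "__main__":
    for lid, findings in lint_template(SAMPLE_TEMPLATE).items():
        print(lid)
        for f in findings:
            print("  -", f)
```

The `*/*/*/*` form from the answer is reported only as an informational finding (every API in that account and region can invoke the function); the missing-SourceArn case is the one to fix before deploying.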
I have a public GitHub repo with some Azure Pipelines yml template files. I want to create a pipeline that uses these templates. I don't want to use an OAuth based service connection, because the whole concept of an OAuth Service Connection is simply ridiculous for a CI/CD environment since the tokens expire and need to be tied to a specific user. I also don't want to use a GitHub PAT because it seems ridiculous to have a PAT (again tied to a specific user) to access a public GitHub repo.
How can I create my pipeline so it is not tied to a specific user?
I would like to have something like this:
resources:
  repositories:
    - repository: templates
      type: github
      name: APublicGitHubOrg/APublicGitHubRepo
      ref: refs/heads/master
extends:
  template: TheTemplate.yml
but that doesn't work because endpoint is a required property.
Ok...so how can I create an endpoint for GitHub without tying it to a user or having an expiration?
Unfortunately, repository templates require an endpoint, and GitHub repos require a GitHub service connection for authorization, which requires either Grant authorization or a Personal access token.
If you really want this feature, please submit a suggestion at the website below; the product team will evaluate it carefully:
https://developercommunity.visualstudio.com/content/idea/post.html?space=21
I am trying to create a secret runtime parameter as described in GitHub, but I am getting the error below.
Encountered error(s) while parsing pipeline YAML:
/azure-pipelines.yml (Line: 12, Col: 3): Unexpected value 'secret'
Code:
parameters:
  - name: app
    type: string
    values:
      - App1
      - App2
  - name: mySecret
    type: string
    secret: true
I have raised the same in the Developer Community portal as well. Please let me know if there is any way possible.
Unable to define runtime parameters with secret in azure YAML
Indeed, I could also reproduce this issue on my side. That's because that document is a design doc.
You could check the state of that doc:
The design docs within this repo are created at different times during the development of Azure Pipelines, to support collaborative contributions to the design process. Design documents are for:
- features considered for implementation but never implemented
- already implemented features
- future ideas for features
The design docs in this repo may not represent the current state of an Azure Pipelines feature.
Obviously, this is a function that has not yet been implemented. That's the reason why you get that error. You can expect it to come; I believe it will meet us soon.
Hope this helps.
I'm trying to create an SQS queue with CloudFormation, but I keep getting this error in the console.
API: sqs:CreateQueue Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.
Obviously I'm missing some sort of permission. This guide didn't really specify how I could resolve this.
Here's the code I made:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      FifoQueue: false
      QueueName: sqs-test
      ReceiveMessageWaitTimeSeconds: 20
      RedrivePolicy:
        deadLetterTargetArn:
          Fn::GetAtt:
            - "MyDLQ"
            - "Arn"
        maxReceiveCount: 4
      Tags:
        - Key: "ProjectName"
          Value: "project-x"
  MyDLQ:
    Type: AWS::SQS::Queue
    Properties:
      FifoQueue: false
      QueueName: sqs-dlq-test
I'm trying to understand this doc. But I'm not sure how I could attach a policy to allow creation of queues. Someone please give me a full example.
tyron's comment on your question is spot on. Check permissions of the user executing the CloudFormation. If you're running commands directly, this is usually pretty easy to check. In some cases, you may be working with a more complicated environment with automation.
I find the best way to troubleshoot permissions in an automated world is via CloudTrail. After any API call has failed, whether from the CLI, CloudFormation, or another source, you can look up the call in CloudTrail.
In this case, searching for "Event Name" = "CreateQueue" in the time range of the failure will turn up a result with details like the following:
- Source IP Address: this field may say something like cloudformation.amazonaws.com, or the IP of your machine/office. Helpful when you need to filter events based on the source.
- User name: in my case, this was the EC2 instance ID of the agent running the CFN template.
- Access Key ID: for EC2 instances, this is likely a set of temporary access credentials, but for a real user, it will show you what key was used.
- Actual event data: especially helpful for non-permissions errors, the actual event may show you errors in the request itself.
In my case, the specific EC2 instance that ran automation was out of date and needed to be updated to use the correct IAM Role/Instance Profile. CloudTrail helped me track that down.
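The CloudTrail triage described in this answer can be done over exported log records as well as in the console. The following is an added example, not code from the answer, that filters CloudTrail records for a failed call and pulls out the fields the answer names (source IP, user name, access key id, the error and request). The records are constructed to mimic CloudTrail's JSON record format; account ids, instance ids, key ids and the error text are placeholders, and the `failed_calls` / `principal_name` helpers are this example's own.

```python
"""Find failed CloudTrail events for one API call and summarise who made it.

Added example, not code from the original answer. SAMPLE_RECORDS are
constructed in CloudTrail's record shape (the "Records" array of a log file);
all identifiers in them are placeholders.
"""
import json
from datetime import datetime, timezone


def principal_name(identity):
    """Best-effort 'user name' from a CloudTrail userIdentity block."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", "?")
    if kind == "AssumedRole":
        # arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>; for an EC2
        # instance profile the session name is the instance id (as in the answer).
        parts = identity.get("arn", "").split("/")
        if len(parts) >= 3:
            return f"{parts[1]} ({parts[2]})"
        return identity.get("arn") or "?"
    if kind == "Root":
        return "root"
    return identity.get("arn") or identity.get("principalId") or "?"


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_calls(records, event_name, start=None, end=None):
    """Summaries of records for event_name that carry an errorCode, in a time window."""
    out = []
    for rec in records:
        if rec.get("eventName") != event_name or "errorCode" not in rec:
            continue
        t = _parse_time(rec["eventTime"])
        if (start and t < start) or (end and t > end):
            continue
        ident = rec.get("userIdentity", {})
        out.append({
            "time": rec["eventTime"],
            "source_ip": rec.get("sourceIPAddress"),
            "invoked_by": ident.get("invokedBy"),  # e.g. cloudformation.amazonaws.com
            "user": principal_name(ident),
            "access_key": ident.get("accessKeyId"),
            "error": f"{rec['errorCode']}: {rec.get('errorMessage', '')}",
            "request": rec.get("requestParameters"),
        })
    return out


def load_records(log_text):
    """Parse the JSON body of a CloudTrail log file ({"Records": [...]})."""
    return json.loads(log_text)["Records"]


# Constructed records: a CloudFormation-driven failure from an EC2 build agent,
# a CLI failure from an IAM user, and one unrelated successful call.
SAMPLE_RECORDS = [
    {
        "eventTime": "2021-03-04T10:15:02Z",
        "eventSource": "sqs.amazonaws.com",
        "eventName": "CreateQueue",
        "errorCode": "AccessDenied",
        "errorMessage": "not authorized to perform: sqs:createqueue (placeholder text)",
        "sourceIPAddress": "cloudformation.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/BuildAgentRole/i-0abc123def456789",
            "accessKeyId": "ASIAPLACEHOLDERKEY1",
            "invokedBy": "cloudformation.amazonaws.com",
        },
        "requestParameters": {"queueName": "sqs-test"},
    },
    {
        "eventTime": "2021-03-04T10:20:45Z",
        "eventSource": "sqs.amazonaws.com",
        "eventName": "CreateQueue",
        "errorCode": "AccessDenied",
        "errorMessage": "not authorized to perform: sqs:createqueue (placeholder text)",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAPLACEHOLDERKEY2"},
        "requestParameters": {"queueName": "sqs-dlq-test"},
    },
    {
        "eventTime": "2021-03-04T10:30:00Z",
        "eventSource": "sqs.amazonaws.com",
        "eventName": "CreateQueue",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAPLACEHOLDERKEY3"},
        "requestParameters": {"queueName": "sqs-ok"},
    },
]

if __name__ == "__main__":
    for hit in failed_calls(SAMPLE_RECORDS, "CreateQueue"):
        print(hit["time"], hit["user"], hit["source_ip"], hit["access_key"], hit["error"])
```

In practice you would feed `load_records` the decompressed log objects from the trail's S3 bucket for the failure window, or the `CloudTrailEvent` JSON strings returned by the LookupEvents API; the `invoked_by` field is what distinguishes a call CloudFormation made on a role's behalf from one typed at the CLI.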
If you are using AWS CodePipeline (where you may be using AWS CodeBuild to run & deploy your CloudFormation stack), remember your CodeBuild role (created under IAM Roles) must have the correct permissions.
You can identify which role is being used and attach the required policies:
Open CodeBuild Project
Go to Build Details > Environment > Service Role
Open Service Role (hyperlinked)
Add SQS to role policies
I used AWS SAM to generate my Lambda/APIs. But I want to be able to get this RestApi so I can use it in another SAM template.
The idea is to have 1 base infra CloudFormation/SAM template that creates the network, ALB, API Gateway things
Then each "micro-service" will have its own SAM template and it will create API endpoints referencing this "root" RestApi by specifying the RestApiId attribute
Is this a correct approach? Wonder if when I deploy each service, will it remove the APIs for the other services?
You can access the default auto-generated RestApi as ServerlessRestApi. This is the logical resource id for the auto-generated RestApi resource.
An example of accessing ServerlessRestApi in template.yaml is as follows.
Outputs:
  ApiRootURL:
    Description: API Root URL
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/${ServerlessRestApi.Stage}"
You can see ServerlessRestApi in the resource list of your CloudFormation stack. ServerlessRestApi is not documented, so it might be changed in a future version.