(apigatewayv2): grant permissions for sending messages to a WebSocket

[adam-nielsen]

I have a Lambda function and I want it to be able to post messages to a WebSocket. There doesn't seem to be a websocket.grantPost(lambda.role) or equivalent like there is for other resources like S3 buckets, so my Lambda always fails with 403 Forbidden when I try to send messages to the WebSocket.

Use Case

I have a Lambda that is invoked via other means not related to the WebSocket, but I want to grant it permission to send messages to clients connected to the WebSocket.

Proposed Solution

Add a grantPost() or similar function to the WebSocketApi class, to provide functionality equivalent to S3.Bucket.grantPut(), DynamoDB.Table.grantReadWriteData(), etc. but for granting permission to post messages to WebSockets.

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[nija-at]

@adam-nielsen - what exact permissions would such a method add to the Principal?
It would be useful if you can describe or point to documentation.

[adam-nielsen]

@nija-at Thanks for your quick response! It looks like the permissions are described here:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-control-access-iam.html

If I grant this permission then my Lambda function is able to send messages to the WebSocket:

const cdkApiGateway = require('@aws-cdk/aws-apigatewayv2');
const webSocketApi = new cdkApiGateway.WebSocketApi(this, ...);
const webSocketStage = new cdkApiGateway.WebSocketStage(this, 'ws-stage', { webSocketApi });

myLambda.addToRolePolicy(new cdkIAM.PolicyStatement({
	resources: [
		`arn:aws:execute-api:*:*:${webSocketApi.apiId}/${webSocketStage.stageName}/*/*`
	],
	actions: [
		'execute-api:ManageConnections',
	],
}));

Since the API ID is randomly generated, it needs to retrieve the API ID from the WebSocketApi instance as it will change each time the stack is deployed to a new environment. It also uses the stage name from the WebSocketStage instance just for the sake of granting the minimum permissions required. I believe you can access the WebSocketApi object from within WebSocketStage, so presumably something like WebSocketStage.grantPostToConnection(Role) would have access to the needed information.

This permission is required in order to send a PostToConnectionCommand from @aws-sdk/client-apigatewaymanagementapi.

You can also test the permission from the command line with:

aws apigatewaymanagementapi post-to-connection --connection-id 12345 --data "Test" --endpoint-url https://<api-id>.execute-api.ap-southeast-2.amazonaws.com/<stage>

You should get back a 'Gone' or 'NotFound' error (since the connection ID is invalid) however without the above permission you will get an Access Denied error instead.

[nija-at]

Awesome. Thanks for all the details @adam-nielsen.

I'm marking this issue as a p2 since you have a workaround for this, and shouldn't be blocking anyone. We are unable to work on p2 issues at the moment and this will be filed into our backlog.

We're accepting pull requests if you or anyone else is interested in implementing this.

[douglasnaphas]

I'm working on a PR to implement this feature.