'Override default auth in SAM templates and Open API

I have made a SAM template that deploys a mix of public and authenticated endpoints. The default auth is oauth. For public endpoints, I use overrides to make it auth NONE. This worked fine.

After I have added the OpenAPI for documentation. The auth override for public endpoints does not work anymore. What else should I do?

#sam-template.yaml
Resources:
  RestApi:
    Type: AWS::Serverless::Api
    Properties:
      Name: !Ref ApiStackName
      StageName: Prod
      Auth:
        AddDefaultAuthorizerToCorsPreflight: false
        DefaultAuthorizer: TokenAuthorizer
        Authorizers:
          TokenAuthorizer:
            FunctionArn: !GetAtt Authorizer.Arn
            Identity:
              Header: Authorization
              ValidationExpression: Bearer.*
              ReauthorizeEvery: 0
      DefinitionBody: // this is what I added.
        Fn::Transform:
          Name: AWS::Include
          Parameters:
            Location:
              Fn::Join:
                - ''
                - - 's3://'
                  - Ref: S3BucketName
                  - '/swagger.yaml'
  GetFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./functions
      FunctionName: !Sub ${Environment}-api-get
      Description: get 
      Handler: ./src/get.handler
      Role: !Sub arn:aws:iam::${AWS::AccountId}:role/pam-${Environment}-${AWS::Region}-get-lambda-role
      Events:
        Api:
          Type: Api
          Properties:
            RestApiId: !Ref RestApi
            Path: /p
            Method: GET
            Auth:
              Authorizer: NONE // this overrides the default auth
#swagger.yaml
  /p:
    get:
      summary: Get 
      description: Get 

      responses:
        200:
          description: "200 response"
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: "#/components/schemas/P"
        500:
          description: "500 response"
          content: {}
      x-amazon-apigateway-auth:
        type: "NONE"
      x-amazon-apigateway-integration:
        uri:
          Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetFunction.Arn}/invocations
        responses:
          default:
            statusCode: "200"
        passthroughBehavior: "when_no_match"
        httpMethod: "POST"
        contentHandling: "CONVERT_TO_TEXT"
        type: "aws_proxy"


Solution 1:[1]

you are looking for security in OpenAPI. This sets Authorization on ApiGateway endpoint to NONE.

/p:
  get:
    summary: Get 
    description: Get 
    responses:
      ...
    security:
      - {}
    x-amazon-apigateway-integration:
      ...

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 MenyT