Creating Lambda authorizer for HTTP API?

Is there a way to attach a custom lambda authorizer to HTTP API?

1 Like

You can set it up through the AWS console UI, or you can create your own authorizer function. Like:

serverless.yml

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
          cors: true
          authorizer:
            type: TOKEN
            name: authorizerFun
            identitySource: method.request.header.Authorization
            resultTtlInSeconds: 0

  # The authorizer is a function too, so it belongs under `functions:`
  authorizerFun:
    handler: authorizer.authorizerFun

authorizer.authorizerFun

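// Build the IAM-policy response that a REST API (TOKEN) authorizer returns
const generatePolicy = (user, effect, resource) => {
  const authResponse = {
    principalId: user.id || 'anonymous'
  };

  if (effect && resource) {
    const policyDocument = {
      Version: '2012-10-17',
      Statement: [
        {
          Action: 'execute-api:Invoke',
          Effect: effect,
          Resource: resource
        }
      ]
    };

    authResponse.policyDocument = policyDocument;
  }

  // Passed on to the integration as requestContext.authorizer
  authResponse.context = {
    role: user.role
  };
  return authResponse;
};

export const authorizerFun = (event, context) => {
  // For a TOKEN authorizer, the header named in identitySource arrives here
  const authorizationToken = event.authorizationToken;

  // The raw token is not logged: it would end up in CloudWatch Logs

  // 'manager' and 'tenant' are demo values standing in for real token validation
  switch (authorizationToken) {
    case 'manager':
      context.succeed(generatePolicy({ id: 1, role: 'MANAGER' }, 'Allow', '*'));
      break;
    case 'tenant':
      context.succeed(generatePolicy({ id: 2, role: 'TENANT' }, 'Allow', '*'));
      break;
    default:
      // API Gateway maps the exact string 'Unauthorized' to a 401; any other message yields a 500
      context.fail('Unauthorized');
  }
};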
1 Like

Thanks @sgyyz for the reply 🙂
The above is an implementation of how to attach a lambda authorizer for REST API, but I haven’t found a way to attach a lambda authorizer for HTTP API through serverless.yml, even though HTTP APIs support lambda authorizers.

2 Likes

I haven’t found a way to attach a lambda authorizer for HTTP API through serverless.yml even though HTTP APIs support lambda authorizers.

I can do this by hand but I can’t find a way to persuade sls to do this. What’s the correct yaml to achieve it?

I would also like to be able to do this. I guess for now it will be a manual process?

Any updates here? I can’t find a way to attach a lambda authorizer (not JWT) to the httpApi route. Weird situation: I can create the authorizer/function/gateway but can’t link them to each other.

Btw, I managed to do this by creating a separate AWS::ApiGatewayV2::Authorizer and AWS::ApiGatewayV2::Route + AWS::ApiGatewayV2::Integration for all API resources. It is working, but it would be great to have built-in functionality as for JWT authorizers.

Hi NevRA,

Would you be willing to share the example CloudFormation yaml for that? I’ve been struggling to do the same thing.

Thanks!

  ApiGatewayAuthorizer:
    Type: AWS::ApiGatewayV2::Authorizer
    Properties:
      ApiId: <ID>
      Name: <NAME>
      AuthorizerType: REQUEST
      AuthorizerPayloadFormatVersion: "2.0"
      EnableSimpleResponses: true
      AuthorizerResultTtlInSeconds: 0
      AuthorizerUri:
        'Fn::Sub': >-
            arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${<NAME>.Arn}/invocations
      IdentitySource: 
        - $request.header.Host # dummy

  HttpApiRouteFunc:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      AuthorizationType: CUSTOM
      AuthorizerId: !Ref ApiGatewayAuthorizer
      RouteKey: 'GET /someapi'
      ApiId: <ID>
      Target: !Join 
        - /
        - - integrations
          - !Ref HttpApiRouteFuncIntegration

  HttpApiRouteFuncIntegration:
    Type: "AWS::ApiGatewayV2::Integration"
    Properties:
      Description: Lambda Integration
      ConnectionType: INTERNET
      IntegrationUri: !Sub  "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${<NAME>.Arn}/invocations"
      PayloadFormatVersion: "2.0"
      ApiId: <ID>
      IntegrationType: AWS_PROXY
1 Like
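
A handler matching the authorizer settings in the template above (payload format 2.0 with EnableSimpleResponses), as an added example that is not part of the original thread. The token table, `authorize`, `hasRole` and the sample event are constructed for illustration, and the optional "Bearer" prefix is an assumption:

```javascript
// HTTP API Lambda authorizer: payload format 2.0 with simple responses.
// Constructed token table reusing the demo roles from the REST example; a real
// authorizer would verify a signed token instead (assumption). A Map is used
// so that keys such as "__proto__" or "constructor" can never match.
const TOKENS = new Map([
  ['manager', { id: 1, role: 'MANAGER' }],
  ['tenant', { id: 2, role: 'TENANT' }],
]);

// Decide on one authorizer event; every unexpected shape is denied.
function authorize(event) {
  const deny = { isAuthorized: false };
  if (!event || event.version !== '2.0' || event.type !== 'REQUEST') return deny;

  // Payload 2.0 lower-cases header names. With the dummy Host identity source,
  // event.identitySource holds the Host value, so read the header directly.
  const header = event.headers && event.headers.authorization;
  if (typeof header !== 'string') return deny;

  // Assumption: clients send "Bearer <token>" or the bare token.
  const token = header.replace(/^Bearer\s+/i, '').trim();
  const user = TOKENS.get(token);
  if (!user) return deny; // the token itself is never logged

  // With EnableSimpleResponses the result is a boolean plus optional context,
  // not an IAM policy document.
  return { isAuthorized: true, context: { userId: user.id, role: user.role } };
}

// Lambda entry point (export it the way your bundler expects).
const handler = async (event) => authorize(event);

// In the integration Lambda (payload 2.0) the context arrives under
// requestContext.authorizer.lambda; enforce roles there, failing closed.
function hasRole(integrationEvent, role) {
  const ctx = integrationEvent?.requestContext?.authorizer?.lambda;
  return Boolean(ctx) && ctx.role === role;
}

// Constructed sample event, trimmed to the fields used here.
const sampleEvent = {
  version: '2.0',
  type: 'REQUEST',
  routeKey: 'GET /someapi',
  identitySource: ['api.example.com'],
  headers: { host: 'api.example.com', authorization: 'Bearer tenant' },
};
```

Because the template's identity source is the always-present Host header, API Gateway invokes the authorizer even when no Authorization header is sent, so the missing-header check in `authorize` is what rejects those requests.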

Looks like there’s an outstanding issue for this on GH if anyone wants to follow progress.

1 Like