Is there a way to attach a custom lambda authorizer to HTTP API?
You can set it up through the AWS console UI, or you can create your own authorizer function, like:
serverless.yml
```yaml
functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
          cors: true
          authorizer:
            type: TOKEN
            name: authorizerFun
            identitySource: method.request.header.Authorization
            resultTtlInSeconds: 0
  authorizerFun:
    handler: authorizer.authorizerFun
```
authorizer.authorizerFun
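```javascript
// Build the IAM policy response expected from a REST API (TOKEN) authorizer.
const generatePolicy = (user, effect, resource) => {
  const authResponse = {
    principalId: user.id || 'anonymous'
  };
  if (effect && resource) {
    const policyDocument = {
      Version: '2012-10-17',
      Statement: [
        {
          Action: 'execute-api:Invoke',
          Effect: effect,
          Resource: resource
        }
      ]
    };
    authResponse.policyDocument = policyDocument;
  }
  // Values placed in context are passed on to the backend integration.
  authResponse.context = {
    role: user.role
  };
  return authResponse;
};

export const authorizerFun = (event, context) => {
  const authorizationToken = event.authorizationToken;
  // Debug only: this writes the raw token to CloudWatch Logs.
  console.log(authorizationToken);
  // Demo tokens: the token value itself selects the role.
  switch (authorizationToken) {
    case 'manager':
      context.succeed(generatePolicy({ id: 1, role: 'MANAGER' }, 'Allow', '*'));
      break;
    case 'tenant':
      context.succeed(generatePolicy({ id: 2, role: 'TENANT' }, 'Allow', '*'));
      break;
    default:
      // API Gateway maps the exact string 'Unauthorized' to a 401;
      // any other failure message is returned to the caller as a 500.
      context.fail('Unauthorized');
  }
};
```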
Thanks @sgyyz for the reply.
The above is an implementation of how to attach a lambda authorizer for REST API, but I haven’t found a way to attach a lambda authorizer for HTTP API through serverless.yml even though HTTP APIs support lambda authorizers.
I haven’t found a way to attach a lambda authorizer for HTTP API through serverless.yml even though HTTP APIs support lambda authorizers.
I can do this by hand but I can’t find a way to persuade sls to do this. What’s the correct yaml to achieve it?
I would also like to be able to do this. I guess for now it will be a manual process?
Any updates here? Can’t find the way to attach lambda authorizer (not JWT) to the httpapi route. Weird situation, I can create authorizer/function/gateway but can’t link them to each other.
Btw I managed to do this by creating separate AWS::ApiGatewayV2::Authorizer and AWS::ApiGatewayV2::Route + AWS::ApiGatewayV2::Integration for all API resources. It is working, but it would be great to have built-in functionality as for JWT authorizers.
Hi NevRA,
Would you be willing to share the example CloudFormation yaml for that? I’ve been struggling to do the same thing.
Thanks!
```yaml
ApiGatewayAuthorizer:
  Type: AWS::ApiGatewayV2::Authorizer
  Properties:
    ApiId: <ID>
    Name: <NAME>
    AuthorizerType: REQUEST
    AuthorizerPayloadFormatVersion: "2.0"
    EnableSimpleResponses: true
    AuthorizerResultTtlInSeconds: 0
    AuthorizerUri:
      'Fn::Sub': >-
        arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${<NAME>.Arn}/invocations
    IdentitySource:
      - $request.header.Host # dummy
HttpApiRouteFunc:
  Type: AWS::ApiGatewayV2::Route
  Properties:
    AuthorizationType: CUSTOM
    AuthorizerId: !Ref ApiGatewayAuthorizer
    RouteKey: 'GET /someapi'
    ApiId: <ID>
    Target: !Join
      - /
      - - integrations
        - !Ref HttpApiRouteFuncIntegration
HttpApiRouteFuncIntegration:
  Type: "AWS::ApiGatewayV2::Integration"
  Properties:
    Description: Lambda Integration
    ConnectionType: INTERNET
    IntegrationUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${<NAME>.Arn}/invocations"
    PayloadFormatVersion: "2.0"
    ApiId: <ID>
    IntegrationType: AWS_PROXY
```
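An added example, not part of the original posts: a handler for the authorizer resource above (payload format 2.0 with EnableSimpleResponses), which returns `{ isAuthorized, context }` rather than the IAM policy the REST API example builds. Reading the token from the Authorization header, the optional Bearer prefix, and reusing the demo tokens 'manager' and 'tenant' are assumptions made for illustration.

```javascript
// Added example: HTTP API Lambda authorizer, payload format 2.0, simple responses.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// Constructed demo credentials (the 'manager' / 'tenant' tokens of the REST
// example). Equal-length digests are compared, never the raw strings.
const PRINCIPALS = [
  { digest: sha256('manager'), id: '1', role: 'MANAGER' },
  { digest: sha256('tenant'), id: '2', role: 'TENANT' },
];

const DENY = { isAuthorized: false };

// Format 2.0 events carry lower-cased header names in event.headers.
function extractToken(event) {
  const header = event && event.headers && event.headers.authorization;
  if (typeof header !== 'string') return null;
  const token = header.replace(/^Bearer\s+/i, '').trim();
  return token.length > 0 ? token : null;
}

function authorize(event) {
  const token = extractToken(event);
  if (token === null) return DENY; // fail closed: no header, no access
  const presented = sha256(token);
  let match = null;
  // Constant-time comparison against every entry, with no early exit.
  for (const p of PRINCIPALS) {
    if (crypto.timingSafeEqual(presented, p.digest)) match = p;
  }
  if (match === null) return DENY;
  // context is made available to the integration behind the route.
  return {
    isAuthorized: true,
    context: { principalId: match.id, role: match.role },
  };
}

// Lambda entry point (assumed handler name). The token is never logged.
const handler = async (event) => authorize(event);
if (typeof module !== 'undefined') module.exports = { handler, authorize };
```

With `AuthorizerResultTtlInSeconds: 0` nothing is cached, so the dummy `Host` identity source is harmless. If the TTL is raised, API Gateway keys cached results on the identity sources, so the identity source should then be the header that carries the token.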
Looks like there’s an outstanding issue for this on GH if anyone wants to follow progress.