Custom Authorizer ARN reference

pgali · November 5, 2017, 8:30pm

I have a custom authorizer in AWS (a serverless project as well, inside the same AWS account and environment), I am trying to reference it in my serverless project as described in the documentation.

I am having trouble referencing the authorizer using ARN, can someone please show me an example of referencing a Lambda function using ARN.

Thank you in advance.

Here is a snippet of the documentation.
In the documentation https://serverless.com/framework/docs/providers/aws/events/apigateway/

"If the Authorizer function does not exist in your service but exists in AWS, you can provide the ARN of the Lambda function instead of the function name, as shown in the following example:

functions:
create:
handler: posts.create
events:
- http:
path: posts/create
method: post
authorizer: xxx:xxx:Lambda-Name
"

alexdebrie1 · November 5, 2017, 8:59pm

@pgali Do you know the ARN of your authorizer function? If you need to find it, you can navigate to your function in the AWS Lambda console. The ARN will be listed at the top – it will look something like arn:aws:lambda:us-east-1:786336611111:function:custom-authorizer.

To use it as the authorizer in your Serverless service, paste the ARN into your service:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: arn:aws:lambda:us-east-1:786336611111:function:custom-authorizer

Notice the last line has the example ARN from above.

Let me know if that helps!

pgali · November 5, 2017, 9:01pm

Hi @alexdebrie1,
Thank you for your answer.

That’s how I got it to work for now, but that wouldn’t work in an automated deployment environment. I want to be able to reference the ARN programatically and do not want to be tied up using static ARN names in serverless yaml file

alexdebrie1 · November 5, 2017, 9:24pm

@pgali That makes complete sense. There are a couple different ways to handle this.

First, you could manage the authorizer function in your serverless.yml file and refer to it directly. That would have syntax like this:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: authorizerFunc
  authorizerFunc:
    handler: handler.authorizerFunc

If you don’t want that, you could manage the Authorizer function in a different CloudFormation stack and have the Lambda ARN as an output. Then you could reference the ARN programmatically using the CloudFormation Output variable syntax:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: ${cf:myAuthorizerStack.authorizerArn}

If you don’t manage the authorizer in a stack, you could store the ARN in something like AWS Parameter Store and then refer to it in your serverless.yml using the SSM Parameter Store variable syntax:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: ${ssm:/myAuthorizerArn}

Do any of those work?

pgali · November 5, 2017, 9:40pm

I am trying your second option. I am getting an error saying trying to access an non exported variable. Trying to look into it

pgali · November 5, 2017, 9:50pm

Any chance you could help me with a working sample of exporting an ARN that can be referenced in another cloud stack? I used to be able to do that in the past, but having difficultly this time

alexdebrie1 · November 6, 2017, 12:35am

Sure thing, @pgali.

Are you managing your authorizer Lambda function with Serverless? If so, go to that service directory and run sls info -v. In the output, it prints out a lot of information about your service. You need to look for two things: stack (in the Service Information section), and <FunctionName>LambdaFunctionQualifiedArn in the Stack Outputs section.

In your other Serverless service, you can refer to this using ${cf:<stack>.<LambdaOutputKey>}.

For example:

Service Information
service: test-service
stage: prod
region: us-west-2
stack: test-service-prod
api keys:
  None
functions:
  hello: test-service-prod-track

Stack Outputs
HelloLambdaFunctionQualifiedArn: arn:aws:lambda:us-west-2:111110002222:function:test-service-prod-hello:1
ServerlessDeploymentBucketName: test-service-prod-serverlessdeploymentbucket-8qhsgorht4bc

In this one, my stack is test-service-prod. The output key for my function is HelloLambdaFunctionQualifiedArn. So to refer to it in my other serverless.yml:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: ${cf:test-service-prod.HelloLambdaFunctionQualifiedArn}

pgali · November 6, 2017, 3:01am

Hi @alexdebrie1
Thank you, Thank you so much…You made my day.
Worked like a charm following your instructions.

alexdebrie1 · November 6, 2017, 3:19am

Awesome! Glad to hear that

walshe · February 7, 2018, 9:59pm

authorizer: ${cf:test-service-prod.HelloLambdaFunctionQualifiedArn}

how can one have the env auto placed here so that it becomes

authorizer: ${cf:test-service-dev.HelloLambdaFunctionQualifiedArn}

or

authorizer: ${cf:test-service-prod.HelloLambdaFunctionQualifiedArn}

based on the stage ?

walshe · February 14, 2018, 6:54pm

did you work out how to get the right stage automatically in the authroizer arn?

e.g. authorizer: ${cf:test-service-prod.HelloLambdaFunctionQualifiedArn}

vs

authorizer: ${cf:test-service-dev.HelloLambdaFunctionQualifiedArn} ?

walshe · February 14, 2018, 7:10pm

had to do this in the end, which looks so nasty:

authorizor: arn:aws:lambda:${self:custom.region}::function:security-service-${self:custom.stage}-my-authorizer:

pete · March 14, 2018, 8:54pm

An interesting read, however, my authorizer is a Cognito user pool, I’ve already got one API Authorizer setup, so I’d like to refer to it in each of my endpoints (from multiple services).

Does anyone have any idea how to do that?

igorkosta · August 31, 2018, 2:23pm

I’m using ssm for that - it works pretty well but you have to want to use another service from AWS:

authorizer: ${ssm:/myAuthorizerArn}

emax77 · May 21, 2019, 3:29am

I’m using the ${CF:…} format. But it seems like AWS add the version number of the lambda.

Check this post :

Do you have any solution for this issue ?

art-alscient · October 10, 2019, 7:28am

It is possible to x-reference a stack. The problem is the output CF parameter includes the version number of the authoriser in the arn, so you could use the yaml Join function to construct the arn given the you know the actual name of the lambda itself. The arn is in the form:

arn:aws:lambda:{region}:{account}:function:{stack}-{stage}-{lambda-name}

Topic		Replies	Views
API GW Custom Authorizer Serverless Framework lambda , api-gateway	2	2935	May 28, 2019
Cross stack reference for Custom Lambda Authorizer Serverless Framework aws , lambda , api-gateway	2	980	October 21, 2020
Custom Authorizer Serverless Framework aws	1	887	April 10, 2018
How to define custom authorizer ARN once in config Serverless Framework	2	1430	October 14, 2016
Pre-existing function for api gateway event? Serverless Framework aws , lambda , api-gateway	1	727	September 14, 2021

Custom Authorizer ARN reference

Related topics