Custom Authorizer ARN reference

I have a custom authorizer in AWS (a serverless project as well, inside the same AWS account and environment). I am trying to reference it in my serverless project as described in the documentation.

I am having trouble referencing the authorizer using ARN. Can someone please show me an example of referencing a Lambda function using ARN?

Thank you in advance.

Here is a snippet of the documentation.
In the documentation https://serverless.com/framework/docs/providers/aws/events/apigateway/

"If the Authorizer function does not exist in your service but exists in AWS, you can provide the ARN of the Lambda function instead of the function name, as shown in the following example:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: xxx:xxx:Lambda-Name
"

@pgali Do you know the ARN of your authorizer function? If you need to find it, you can navigate to your function in the AWS Lambda console. The ARN will be listed at the top – it will look something like arn:aws:lambda:us-east-1:786336611111:function:custom-authorizer.

To use it as the authorizer in your Serverless service, paste the ARN into your service:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: arn:aws:lambda:us-east-1:786336611111:function:custom-authorizer

Notice the last line has the example ARN from above.

Let me know if that helps!

1 Like

Hi @alexdebrie1,
Thank you for your answer.

That’s how I got it to work for now, but that wouldn’t work in an automated deployment environment. I want to be able to reference the ARN programmatically and do not want to be tied up using static ARN names in the serverless yaml file.

@pgali That makes complete sense. There are a couple different ways to handle this.

First, you could manage the authorizer function in your serverless.yml file and refer to it directly. That would have syntax like this:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: authorizerFunc
  authorizerFunc:
    handler: handler.authorizerFunc

If you don’t want that, you could manage the Authorizer function in a different CloudFormation stack and have the Lambda ARN as an output. Then you could reference the ARN programmatically using the CloudFormation Output variable syntax:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: ${cf:myAuthorizerStack.authorizerArn}

If you don’t manage the authorizer in a stack, you could store the ARN in something like AWS Parameter Store and then refer to it in your serverless.yml using the SSM Parameter Store variable syntax:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: ${ssm:/myAuthorizerArn}

Do any of those work?

5 Likes

I am trying your second option. I am getting an error saying I am trying to access a non-exported variable. Trying to look into it.

Any chance you could help me with a working sample of exporting an ARN that can be referenced in another cloud stack? I used to be able to do that in the past, but I am having difficulty this time.

Sure thing, @pgali.

Are you managing your authorizer Lambda function with Serverless? If so, go to that service directory and run sls info -v. In the output, it prints out a lot of information about your service. You need to look for two things: stack (in the Service Information section), and <FunctionName>LambdaFunctionQualifiedArn in the Stack Outputs section.

In your other Serverless service, you can refer to this using ${cf:<stack>.<LambdaOutputKey>}.

For example:

Service Information
service: test-service
stage: prod
region: us-west-2
stack: test-service-prod
api keys:
  None
functions:
  hello: test-service-prod-track

Stack Outputs
HelloLambdaFunctionQualifiedArn: arn:aws:lambda:us-west-2:111110002222:function:test-service-prod-hello:1
ServerlessDeploymentBucketName: test-service-prod-serverlessdeploymentbucket-8qhsgorht4bc

In this one, my stack is test-service-prod. The output key for my function is HelloLambdaFunctionQualifiedArn. So to refer to it in my other serverless.yml:

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer: ${cf:test-service-prod.HelloLambdaFunctionQualifiedArn}

2 Likes

Hi @alexdebrie1
Thank you, thank you so much… You made my day.
Worked like a charm following your instructions.

1 Like

Awesome! Glad to hear that

authorizer: ${cf:test-service-prod.HelloLambdaFunctionQualifiedArn}

How can one have the env auto placed here so that it becomes

authorizer: ${cf:test-service-dev.HelloLambdaFunctionQualifiedArn}

or

authorizer: ${cf:test-service-prod.HelloLambdaFunctionQualifiedArn}

based on the stage?

Did you work out how to get the right stage automatically in the authorizer ARN?

e.g. authorizer: ${cf:test-service-prod.HelloLambdaFunctionQualifiedArn}

vs

authorizer: ${cf:test-service-dev.HelloLambdaFunctionQualifiedArn} ?

Had to do this in the end, which looks so nasty:

authorizer: arn:aws:lambda:${self:custom.region}::function:security-service-${self:custom.stage}-my-authorizer:

An interesting read; however, my authorizer is a Cognito user pool. I’ve already got one API Authorizer set up, so I’d like to refer to it in each of my endpoints (from multiple services).

Does anyone have any idea how to do that?

1 Like

I’m using ssm for that - it works pretty well but you have to want to use another service from AWS:

authorizer: ${ssm:/myAuthorizerArn}

I’m using the ${CF:…} format. But it seems like AWS adds the version number of the lambda.

Check this post:

Do you have any solution for this issue?

It is possible to x-reference a stack. The problem is that the output CF parameter includes the version number of the authoriser in the ARN, so you could use the YAML Join function to construct the ARN, given that you know the actual name of the lambda itself. The ARN is in the form:

arn:aws:lambda:{region}:{account}:function:{stack}-{stage}-{lambda-name}

1 Like
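
An added example, not part of the thread: one way to cover both open questions above (the stage-dependent stack name and the version suffix on the generated output) is to export the unqualified ARN explicitly from the authorizer service and interpolate the stage into the `${cf:...}` lookup. The service names `security-service` and `posts-service`, the function key `myAuthorizer` and the output key `AuthorizerArn` are assumptions made up for this sketch.

```yaml
# --- authorizer service: security-service/serverless.yml (hypothetical names) ---
service: security-service

provider:
  name: aws
  stage: ${opt:stage, 'dev'}

functions:
  myAuthorizer:
    handler: handler.authorizerFunc

resources:
  Outputs:
    # Explicit output carrying the unqualified function ARN (no ":<version>" suffix),
    # unlike the generated <FunctionName>LambdaFunctionQualifiedArn output.
    # MyAuthorizerLambdaFunction is the logical ID Serverless derives from "myAuthorizer".
    AuthorizerArn:
      Value:
        Fn::GetAtt: [MyAuthorizerLambdaFunction, Arn]

---
# --- consuming service: posts-service/serverless.yml (hypothetical names) ---
service: posts-service

provider:
  name: aws
  stage: ${opt:stage, 'dev'}

functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          # The stack name is <service>-<stage>, so the stage goes into the lookup:
          #   --stage dev  -> security-service-dev.AuthorizerArn
          #   --stage prod -> security-service-prod.AuthorizerArn
          authorizer: ${cf:security-service-${self:provider.stage}.AuthorizerArn}
```

Deploy the authorizer service first for each stage; the `${cf:...}` lookup is resolved at deploy time and fails if the stack or the output does not exist. Since that output decides which function authorizes every request to the endpoint, write access to the authorizer stack should be limited accordingly.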