How to create a Custom Authorizer in AWS lambda that takes into account the Base Path Mapping from a Custom Domain Name in API Gateway?

Seems like the authorizer doesn’t receive any info related to the base path. Even if you pass it in the context, there seems to be no way to add it to the policy.


current policy statements:

[{ Action: ‘execute-api:Invoke’, Effect: ‘Allow’, Resource: ‘arn:aws:execute-api:us-east-1:accountID:apiID/dev/GET/resource/resourceID’ }]

Hi @leeeomaaax ,
I am not 100% sure but I highly doubt that this is possible since even if you mapped it to a custom domain (incl. defining a base path), APIGW doesn’t really care about it i.e. the endpoints are still available through the domain.

So I think the best you can do is to handle this in your authorizer; e.g. allow always for case a) and actually check for case b) if this is what you want to do. In any case I’d stick withe serverless’ default approach (authorizer: authFn ... authFn: ... handler: ...)

@bbilger, thank you very much for replying

I’m not sure I understood you recommendation.

basepath1 and basepath2 are actually two different services, they do completely different things on the same resource.

How would I check for case b in my authorizer, since I can’t add more elements to the policy statement?

My solution for now is duplicating the declaration of functions on the serverless.yml and putting the base path in it:
serverlessServiceAsBasePath would be the base path
/formerBasePath1/resource/resourceID is now in a duplicated function declaration in .yml

Hi @leeeomaaax ,
Hmmm, I am confused and probably I am totally missing the point, here but if those are two different services how is the base path relevant, then at all?

You can “easily” register an authorizer per endpoint (see serverless.yml below).

If the question is about the policy and the value for “Resource”: the resource is passed as methodArn to your custom authorizer handler and so you can generate the policy accordingly. See first example here:

If this still doesn’t answer your question: when you say “base path”, do you mean the base path you defined on the custom domain, or the path of the endpoint (regardless of your custom domain)?

serverless.yml - custom authorizer

    handler: eventHandlerA
      - http:
          path: apia/public
          method: get
      - http:
          path: apia/private
          method: get
          authorizer: authFnA
    handler: eventHandlerB
      - http:
          path: apib/public
          method: get
      - http:
          path: apib/private
          method: get
          authorizer: authFnB
      - http:
          path: apib/private/whatever
          method: get
          authorizer: authFnC
    handler: authHandlerA
    handler: authHandlerB
    handler: authHandlerC