Set header value for proxied request programmatically

I’m using an API Gateway endpoint as a proxy to a 3rd party service.

Given I authenticate to the proxy endpoint using the value in the Authorization header

When the proxy makes the request to the 3rd party

Then it should be using the 3rd party api-key (pulled from SSM) as the value in the forwarded Authorization header

But the request to the 3rd party is using the original request Authorization header value

The function definition in my serverless.yml:

functions:
  3rd_party_proxy_v1:
    handler: handler.hello
    events:
      - http:
          path: /v1/{proxy+}
          method: ANY
          integration: HTTP_PROXY
          authorizer: ${self:custom.authorizer_arn}
          cors: true
          request:
            uri: ${self:custom.3rd_party_base_url}/api/v1/{proxy}
            parameters:
              paths:
                proxy: true
              querystrings:
                data: true
              headers:
                Authorization: "'SSWS ${ssm:3RD_PARTY_API_KEY~true}'"

When I test this functionality via the console it works as expected, using the value pulled from SSM.

However, when I test it by hitting the API Gateway directly it just passes through the auth header value.

The only way I can get it to work is by manually setting the header value via the console, but I’d like to have this happen programmatically. Can Serverless support this?

I couldn’t find a solution using HTTP_PROXY so I had to switch to using a LAMBDA_PROXY. I will update here if I find an HTTP_PROXY solution.

I’ve found an approach to being able to use the serverless framework and be able to hard code integration request header values and utilise HTTP_PROXY instead of maintaining a LAMBDA_PROXY.

I had to write an intermediary Python script to programmatically edit the CloudFormation that the serverless tool creates.

Deployment steps as follows:

  1. Use the yml function configuration defined in the original post.
  2. Create a package, sls package --package <YOUR_PACKAGE_NAME> --stage <STAGE>
  3. Run the python script to change the integration.request.header.Authorization value in the <YOUR_PACKAGE_NAME>/cloudformation-template-update-stack.json and <YOUR_PACKAGE_NAME>/serverless-state.json files
  4. Deploy the package sls deploy --package <YOUR_PACKAGE_NAME> --stage <STAGE>

I bundled these commands together in a Makefile so I could call a single command for packaging, updating and deploying:

make deploy-<STAGE>
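A sketch of the kind of script step 3 describes, added here as an example and not the poster's own code. The environment variable name `THIRD_PARTY_API_KEY` and the sample resource names are assumptions; the walk is recursive so it does not depend on where the template sits inside either JSON file.

```python
import json
import os
import sys

HEADER = "integration.request.header.Authorization"

# Constructed sample shaped like a compiled template; not taken from the page.
SAMPLE = {"Resources": {
    "ProxyMethod": {"Type": "AWS::ApiGateway::Method", "Properties": {
        "Integration": {"Type": "HTTP_PROXY", "RequestParameters": {
            "integration.request.path.proxy": "method.request.path.proxy"}}}},
    "OtherMethod": {"Type": "AWS::ApiGateway::Method", "Properties": {
        "Integration": {"Type": "AWS_PROXY"}}},
}}

def static_value(api_key):
    """Wrap the key in single quotes so API Gateway treats it as a literal."""
    if not api_key or any(c in api_key for c in "'\r\n"):
        raise ValueError("API key is empty or contains a quote or newline")
    return f"'SSWS {api_key}'"

def patch_methods(node, value):
    """Set the header on every HTTP_PROXY method under node; return the count."""
    if isinstance(node, list):
        return sum(patch_methods(child, value) for child in node)
    if not isinstance(node, dict):
        return 0
    patched = 0
    if node.get("Type") == "AWS::ApiGateway::Method":
        integration = node.get("Properties", {}).get("Integration", {})
        if integration.get("Type") == "HTTP_PROXY":
            integration.setdefault("RequestParameters", {})[HEADER] = value
            patched = 1
    return patched + sum(patch_methods(c, value) for c in node.values())

def patch_file(path, value):
    """Rewrite one JSON file in place; return how many methods were changed."""
    with open(path) as fh:
        doc = json.load(fh)
    count = patch_methods(doc, value)
    with open(path, "w") as fh:
        json.dump(doc, fh, indent=2)
    return count

if __name__ == "__main__":
    for path in sys.argv[1:]:  # the two packaged JSON files from step 3
        value = static_value(os.environ["THIRD_PARTY_API_KEY"])  # assumed name
        if patch_file(path, value) == 0:
            sys.exit(f"{path}: no HTTP_PROXY method found, not deploying")
```

Run it on both files between `sls package` and `sls deploy`. The patched files hold the key in plaintext, so keep the package directory out of version control and shared build artifacts.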

Have you tried to override cloudformation template directly from serverless.yml?

Then you can override the request integration header, sending the third-party authorization token instead of the AWS API Gateway token.

resources:
  Resources:
    ApiGatewayMethodYourMethod:
      Type: AWS::ApiGateway::Method
      Properties:
        Integration:
          RequestParameters:
            # Static values must keep their single quotes inside the YAML string
            integration.request.header.User-Agent: "'token'"

Hope this helps!