Custom authorizer

Creating custom authorizer using SAM


AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  Api:
    Type: AWS::Serverless::Api
    Properties:
      StageName: devtesting
      DefinitionBody:
        swagger: "2.0"
        info:
          title:
            Ref: AWS::StackName
        description: My API that uses custom authorizer
        version: 1.0.0
        paths:
          "/getmesomething":
            get:
              x-amazon-apigateway-integration:
                httpMethod: GET
                type: aws_proxy
                uri:
                  Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyLambdaFunction.Arn}/invocations
                responses: {}
              security:
                - CustomAuthorizer: []
        securityDefinitions:
          CustomAuthorizer:
            type: apiKey
            name: Authorization
            in: header
            x-amazon-apigateway-authtype: custom
            x-amazon-apigateway-authorizer:
              type: token
              authorizerUri:
                Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${CustomAuthorizerFunction.Arn}/invocations
              authorizerCredentials:
                Fn::Sub: ${ApiGatewayAuthorizerRole.Arn}
              authorizerResultTtlInSeconds: 60
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: simpleIndex.handler
      Runtime: nodejs6.10
      Role: "arn:aws:iam::203837324023:role/lambda_basic_execution"
      CodeUri: s3://authorizerbucket/simpleIndex.zip
      Events:
        GetApi:
          Type: Api
          Properties:
            Path: /get
            Method: GET
            RestApiId:
                Ref: Api
  CustomAuthorizerFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: simpleIndex.handler
      Runtime: nodejs6.10
      Role: "arn:aws:iam::203837324023:role/lambda_basic_execution"
      CodeUri: s3://authorizerbucket/simpleIndex.zip
  ApiGatewayAuthorizerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "apigateway.amazonaws.com"
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: "InvokeAuthorizerFunction"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action:
                  - lambda:InvokeAsync
                  - lambda:InvokeFunction
                Resource:
                  Fn::Sub: ${CustomAuthorizerFunction.Arn}
  CustomAuthorizerFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambdaFullAccess

Comments

Post a Comment

Popular posts from this blog

Integrate an API with lambda - Part 5

Image
In this part of the blog we will cover the section Integration Response  in detail. This is where we configuration how the response needs to be mapped. On clicking the  details we get a similar screen In here we could add multiple integration responses. This is a very important section for output error code mapping.  If we intend to capture some keyword coming from backend we can use regex expression to filter response and handle the conversion. For example, we could expression .*exception*. to filter responses which has exception occurring any where and map it to error code like 500. Below screenshots shows the steps involved in achieving this.
Read more

Integrate an API with lambda - Part 2

Image
Let us look at the configuration of method request section The first setting is about authorization. Default option is none. The provided option is AWS IAM. But we can also use custom authorization if we need such a feature. We can create and add an authorizer to the section as shown below During the creation of authorizer several options are available. The first choice we have is the type of authorizer. Two possible values are lambda or cognito. If we choose lambda then we have a set of options. We need to provide the name of the lambda function.  This lambda function is responsible for validating the user and providing the necessary policy back. This policy will be evaluated and the user is either allowed or denied access to the resource.  For the lambda based authorization there are couple of options. We could use either token based approach or request based approach.  In the token based approach the user is expected to provide a valid token and th...
Read more