A guide to Lambda authorizer for Amazon API Gateway

Workflow of Lambda Authorizer

In our previous post, we talked about how to use the Cognito authorizer to control access to API Gateway. What if you don't use Cognito, or want to implement your own logic to decide whether a caller may access your services? This is where a Lambda Authorizer helps.

A Lambda Authorizer (previously known as a Custom Authorizer) is an API Gateway feature that lets you write the access-control logic for your API inside a Lambda function.

When a client calls one of your API's methods and that method is configured with a Lambda Authorizer, API Gateway invokes the authorizer function with data from the request: either the caller's token, or the headers, query string and other request properties. The function decides whether to grant access and returns an IAM policy (together with a principal identifier and optional context values) that API Gateway evaluates before forwarding the request to the integration.

Benefits of Lambda Authorizer

Using a Lambda Authorizer has some benefits if you have custom access-control logic. You don't have to build that logic as a package and then keep its version in sync across every repository that deals with auth. A Lambda Authorizer packages the logic in one function; if the logic changes in the future, you redeploy that function and every API that uses it picks up the change.

You might be using a hosted auth service like Auth0 to manage the users of your application. Verifying a token then means calling Auth0, or at least fetching its signing keys. API Gateway can cache the authorizer's response for a configurable TTL, keyed on the identity source (the token, or the configured request parameters), so the verification happens once and later requests within the TTL reuse the cached policy. Two consequences of caching are worth keeping in mind: the cached policy is reused for every method the same caller invokes during the TTL, so it must cover everything the caller is allowed to call rather than only the method that triggered it; and a token revoked at the provider keeps working until the cache entry expires, so the TTL bounds your revocation latency.

Drawbacks of Lambda Authorizer

A Lambda Authorizer is not a perfect solution; it has drawbacks too. The major disadvantage is that you add another Lambda cold start in front of your own code on every uncached request. Caching the policy reduces how often this happens, but it is still a problem for latency-sensitive APIs.

Types of Lambda Authorizer

There are two types of Lambda Authorizer you can create:

  • Token-Based: a token-based Lambda Authorizer receives a bearer token (typically from the Authorization header, the configured identity source) in event.authorizationToken and uses it to decide whether the caller should be given access to the API.
  • Request-Based: a request-based Lambda Authorizer receives the whole request context (headers, path and query string parameters, stage variables, the caller's source IP, and so on) and uses any combination of them to decide whether the incoming request should be given access to the API.

Token-Based Lambda Authorizer

An example of the Token-based Lambda Authorizer function.

async function validateAuthToken(token) {
  // Verify the token here (signature, expiry, audience) and return
  // "Allow" or "Deny". A missing or malformed token should instead
  // throw new Error("Unauthorized") so that API Gateway answers 401.
  if (!token) throw new Error("Unauthorized");
  return "Allow";
}

// Build the response API Gateway expects: a principal identifier plus an
// IAM policy whose Effect is "Allow" or "Deny" for the invoked method ARN.
function generatePolicy(effect, event, principalId = "user") {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: event.methodArn }],
    },
  };
}

exports.handler = async function (event, context) {
  const token = event.authorizationToken; // the configured identity source, e.g. the Authorization header
  const effect = await validateAuthToken(token);
  return generatePolicy(effect, event);
};

The above Lambda function receives the event with the Authorization token in event.authorizationToken. The token is used to validate the user trying to access the API and to decide whether they are allowed to call the method. Once the final decision is made, either allow or deny, you generate an IAM policy and return it to API Gateway, which enforces it. Two details matter here: the policy effect must be spelled "Allow" or "Deny", and if the token is missing or malformed, throwing an error whose message is "Unauthorized" makes API Gateway respond with 401 rather than the 403 a Deny policy produces.

Request Based Lambda Authorizer

An example of the Request Based Lambda Authorizer function

// Same response shape as the token-based authorizer: a principal identifier
// plus an IAM policy whose Effect is "Allow" or "Deny" for the invoked method ARN.
function generatePolicy(effect, event, principalId = "user") {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: event.methodArn }],
    },
  };
}

exports.handler = async function (event, context) {
  // Logging the whole event is fine while developing, but headers often carry
  // credentials, so log only what you need in production.
  console.log("Request Received:", JSON.stringify(event, null, 2));
  const {
    headers,
    queryStringParameters,
    pathParameters,
    stageVariables,
  } = event;

  // Use the above information to decide whether the caller should be allowed
  // to access the API or not. The check below is a placeholder that only
  // requires an Authorization header to be present.
  const effect = headers && headers.Authorization ? "Allow" : "Deny";

  return generatePolicy(effect, event);
};

The above Lambda function receives the event with the request information in it. You can extract headers, path parameters, query strings, stage variables and the caller's source IP (event.requestContext.identity.sourceIp) and use them to decide whether the caller can access the API. Once the final decision is made, either allow or deny, you generate an IAM policy and return it to API Gateway, which enforces it. If caching is enabled for a request-based authorizer, API Gateway caches on the identity sources you configure (for example a header and a query string parameter) and rejects any request that is missing one of them with 401 without invoking the function, so choose identity sources that every legitimate request carries.

Conclusion

Lambda Authorizers for API Gateway give you the flexibility to control access based on whatever factors you need. There are disadvantages, cold starts among them, so use the feature where you need it, with some caution and a proper cache strategy to avoid the pitfalls described above.

I will be writing a post with the code example related to the Request-Based Lambda Authorizer. Till then Happy Coding.