AWS Lambda Authorizer for API Gateway
This is a barebones AWS Lambda Authorizer for API Gateway.
It can be used as-is, in which case a default AWS IAM policy is used that allows access to all resources in the API using any HTTP method.
Configure it through Lambda environment variables (see below).
Implement an API Gateway Authorizer Lambda function as follows:
```javascript
const lambdaAuthorizer = new (require('aws-apigw-authorizer')).ApiGatewayAuthorizer();
exports.handler = lambdaAuthorizer.handler.bind(lambdaAuthorizer);
```
Optionally, a custom function can be provided (as constructor argument) for building custom AWS IAM policies. The custom function is called after successful authentication.
```javascript
// Called with the API Gateway event, the authenticated principal and, for JWT
// authentication, the decoded token. Returns the IAM policy API Gateway enforces.
function customPolicyBuilder(event, principal, decodedJwt) {
  return {
    "principalId": "your principal - just a name",
    "policyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "execute-api:Invoke",
          "Effect": "Allow",
          // execute-api ARN: region, account id, API id, stage, method, resource path.
          // account-id and api-id are placeholders for your own values.
          "Resource": [
            "arn:aws:execute-api:eu-west-1:account-id:api-id/stage/*/*"
          ],
          // Optional: additionally restrict the policy to a source IP range.
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": [
                "213.149.225.141/32"
              ]
            }
          }
        }
      ]
    }
  };
}
const lambdaAuthorizer = new (require('aws-apigw-authorizer')).ApiGatewayAuthorizer(customPolicyBuilder);
exports.handler = lambdaAuthorizer.handler.bind(lambdaAuthorizer);
```
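A policy builder that does not hard-code the API ARN is usually what you want: it derives the API and stage from the request and grants only the method/path pairs the caller's role needs. The following is an added example with the `(event, principal, decodedJwt)` signature documented above; it is not code from the aws-apigw-authorizer package. The `role` claim, the `ROLE_GRANTS` table and the `orders` paths are assumptions for illustration. `event.methodArn` is the field API Gateway passes to every Lambda authorizer.

```javascript
// Added example, not code from the aws-apigw-authorizer package.
// Assumed (not from the README): the caller's role is carried in a `role` claim
// of the verified JWT, and the role-to-grant table below is illustrative.
// event.methodArn has the form
//   arn:aws:execute-api:<region>:<account-id>:<api-id>/<stage>/<METHOD>/<path>

const ROLE_GRANTS = {
  reader: [['GET', 'orders'], ['GET', 'orders/*']],
  writer: [['GET', 'orders'], ['GET', 'orders/*'], ['POST', 'orders'], ['PUT', 'orders/*']],
};

// Split a methodArn into the API prefix and the stage so the policy can be
// limited to this API and stage rather than "*".
function parseMethodArn(methodArn) {
  const parts = String(methodArn).split('/');
  if (parts.length < 3 || !parts[0].startsWith('arn:aws:execute-api:')) {
    throw new Error('unexpected methodArn: ' + methodArn);
  }
  return { apiArn: parts[0], stage: parts[1] };
}

// decodedJwt is undefined when the caller authenticated with Basic Auth; such
// callers get the reader grants here. The policy covers every route the role may
// call (not just the one in methodArn) because API Gateway caches the result
// per caller and reuses it for subsequent requests.
function customPolicyBuilder(event, principal, decodedJwt) {
  const { apiArn, stage } = parseMethodArn(event.methodArn);
  const role = decodedJwt && typeof decodedJwt.role === 'string' ? decodedJwt.role : 'reader';
  const grants = ROLE_GRANTS[role] || [];
  const resources = grants.map(([method, path]) => `${apiArn}/${stage}/${method}/${path}`);
  return {
    principalId: principal,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{
        Action: 'execute-api:Invoke',
        // Unknown roles get an explicit Deny on the whole stage rather than an
        // Allow with an empty resource list, so the cached result is unambiguous.
        Effect: resources.length > 0 ? 'Allow' : 'Deny',
        Resource: resources.length > 0 ? resources : [`${apiArn}/${stage}/*/*`],
      }],
    },
  };
}

// Wiring as documented above (commented out: the package is not needed to run
// the builder itself):
// const lambdaAuthorizer = new (require('aws-apigw-authorizer')).ApiGatewayAuthorizer(customPolicyBuilder);
// exports.handler = lambdaAuthorizer.handler.bind(lambdaAuthorizer);
```

Keeping the grant table in code (or configuration) rather than in the token means a compromised or mis-issued token can at most select a role, never write its own resource list.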
Configuration through environment variables:
Your Lambda function is configured using the following environment variables.
ALLOWED_IP_ADDRESSES
It is mandatory to explicitly specify which remote IP addresses or address ranges are allowed to access the API.
ALLOWED_IP_ADDRESSES can be set to 0.0.0.0/0 for public access.
Individual IP addresses can be specified, or ranges in CIDR notation; multiple entries are separated by commas.
Example:
```
ALLOWED_IP_ADDRESSES=213.149.225.141/32,213.149.225.141
```
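To make the format above concrete, here is an added example (not the package's own implementation) that parses an ALLOWED_IP_ADDRESSES value and checks a client address against it, including the 0.0.0.0/0 and bare-address cases. It assumes the client address is taken from `event.requestContext.identity.sourceIp`, which API Gateway fills in from the connection, and never from a client-supplied header such as X-Forwarded-For.

```javascript
// Added example, not the aws-apigw-authorizer package's code.
// Parses "a.b.c.d[/bits], ..." (IPv4 only) and matches a client IP against it.

function ipv4ToInt(ip) {
  const octets = String(ip).trim().split('.');
  if (octets.length !== 4) throw new Error('invalid IPv4 address: ' + ip);
  return octets.reduce((acc, o) => {
    if (!/^\d{1,3}$/.test(o) || Number(o) > 255) {
      throw new Error('invalid IPv4 address: ' + ip);
    }
    // >>> 0 keeps the accumulator unsigned once it exceeds 2^31.
    return ((acc << 8) | Number(o)) >>> 0;
  }, 0);
}

// "213.149.225.141/32, 10.0.0.0/8" -> [{ entry, network, mask }, ...]
// A bare address is treated as /32.
function parseAllowedList(value) {
  return String(value).split(',').map(raw => {
    const entry = raw.trim();
    const [ip, prefix = '32'] = entry.split('/');
    const bits = Number(prefix);
    if (!/^\d{1,2}$/.test(prefix) || bits > 32) {
      throw new Error('invalid prefix length in ' + entry);
    }
    // `<< 32` is a no-op in JavaScript, so /0 needs its own case.
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return { entry, network: (ipv4ToInt(ip) & mask) >>> 0, mask };
  });
}

function isAllowed(clientIp, allowList) {
  const ip = ipv4ToInt(clientIp);
  return allowList.some(({ network, mask }) => ((ip & mask) >>> 0) === network);
}

// Reads the variable the way the authorizer would; it is mandatory, so a
// missing value fails closed instead of silently allowing everything.
function allowListFromEnv(env = process.env) {
  if (!env.ALLOWED_IP_ADDRESSES) {
    throw new Error('ALLOWED_IP_ADDRESSES must be set (0.0.0.0/0 for public access)');
  }
  return parseAllowedList(env.ALLOWED_IP_ADDRESSES);
}

// Assumed event shape: REST API REQUEST authorizer event.
function clientIpFromEvent(event) {
  return event.requestContext.identity.sourceIp;
}
```

Parsing the list once outside the handler (at module load) is cheaper than re-parsing on each invocation and surfaces a malformed value immediately at deploy time.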
BASIC_AUTH_USER_XXX
Users allowed access through HTTP Basic Authentication can be configured as follows:
```
BASIC_AUTH_USER_mike=mikespassword
BASIC_AUTH_USER_lisa=lisaspassword
```
This is an optional environment key; without it, Basic Authentication is not enabled.
AUDIENCE_URI, ISSUER_URI, JWKS_URI
For JWT authentication provide values for AUDIENCE_URI, ISSUER_URI and JWKS_URI.
Example:
```
AUDIENCE_URI=123456cc-cd12-1234-ff66-7897fabcd12
ISSUER_URI=https://sts.yourserver.com/876abc-ab12-8765-ff43-75232abc/
JWKS_URI=https://login.yourserver.com/common/discovery/keys
```
These are optional environment keys; without them, JWT Authentication is not enabled.