Secure your API Gateway with Lambda Authorizer | Step by Step AWS Tutorial

  • Published 24 Jan 2021
  • Using AWS API Gateway and Lambda based authorizers, we can secure our API Gateway REST endpoint. Learn how to do it in this step by step tutorial.
    Looking to get hands on experience building on AWS with a REAL project? Check out my course - The AWS Learning Accelerator! courses.beabetterdev.com/cour...
    Interested in Authentication using Cognito instead? Check out • Secure your API Gatewa...
    04:46 Creating an API Gateway Endpoint
    07:04 Creating an AWS Lambda Function
    09:10 Connecting API Gateway to Lambda
    11:55 Creating a Lambda Authorizer for API Gateway
    21:05 Testing our Authorizer
    21:36 Connecting our Authorizer to our API Gateway Endpoint
    Code: gist.github.com/beabetterdevv...

COMMENTS • 174

  • @ADV-IT, 4 months ago

    Thanks, very clear explanation!

  • @chaitanyagupta4741, 9 months ago

    What an amazing video. Clear and very well organized explanation . It worked like a charm for me. Thank you for your work!

  • @rueliotube, 2 years ago, +1

    Awesome! I appreciate this clear and easy demo.

  • @Ricno2008, 3 years ago, +9

    Greetings from São Paulo/Brazil my friend, congratulations for your incredible work.

  • @vighneshpp, 3 years ago, +7

    Awesome video. To the point and crystal clear. Thank you for making this video. Definitely going to recommend this channel to my peers!

    • @BeABetterDev, 3 years ago

      Thanks Vighnesh for the kind words and super glad you enjoyed!

    • @GameChameleonChannel, 2 years ago

      @@BeABetterDev hey boss, I followed your steps step by step, but when I test the authorizer I get an "AuthorizerFailureException" error. Any clues why this would be?

    • @skularatna8136, 8 months ago

      @@BeABetterDev my devs are using a Lambda function authorizer using Auth0 for an API Gateway, but every so often, when a client tries to access an endpoint to do a PUT or POST method for example, the token has already expired. Any ideas?

  • @souadsadki1906, 3 years ago, +4

    Can't wait to see another interesting video, great content as always.
    Keep up the good work!

  • @monzermasri4490, 3 years ago, +2

    what a clear explanation, great job

    • @BeABetterDev, 3 years ago

      Thanks Mohamed! Glad you enjoyed and thanks for the support!

  • @NomadVlogs, 2 years ago, +1

    Awesome video. To the point and crystal clear. Thank you for making this video.

  • @markmishyn, 1 year ago

    I'm so grateful!
    Without this crucial information about delay on 22:08 I was unable to attach my authorizer to a method.

  • @ibraheemalsaady3216, 1 year ago

    Great video, it helped me understand the flow. Thanks a lot

  • @Disproportionableness, 9 months ago

    This is exactly the foundation I needed to get started with gateway auth. Thank you thank you thank you thank you thank you.

  • @vinodkotha9879, 2 years ago, +1

    Your tutorials are great and helpful.

  • @SteelTrapSoftware, 2 years ago

    Very useful, thank you!

  • @ErikaGiselleGutierrez, 1 year ago

    Great tutorial!!!! Thank you

  • @gingacode, 1 year ago

    Thank you. Awesome video.

  • @ChronologieIV, 2 years ago, +1

    Really clear and helpful. Thanks.

  • @MyLifeWithKai, 1 year ago, +1

    This was really easy to follow! Thank you!

  • @sudhirtataraju9853, 3 years ago, +2

    Excellent demo! Thank you so much, sir.

  • @kanishksoni4579, 1 year ago

    beautifully explained

  • @baidya87, 2 years ago, +1

    Thank you!! Very well explained.

  • @DanielLpz1, 8 months ago

    Nice video, helped me a lot!!

  • @tolulopeibiyode3104, 2 years ago, +1

    Your work is appreciated.

  • @christopher5731, 3 years ago, +1

    Excellent video! Keep up the good work.

  • @vijayvavilapalli1002, 2 years ago

    We expect more videos like this from you. Thank you.

  • @brenoa.santos4493, 3 years ago, +2

    Great video! Thanks

  • @MohammedNoureldin, 3 years ago, +1

    Very good video! Thanks a lot!

    • @BeABetterDev, 3 years ago

      Thanks Mohammed! Glad you enjoyed.

  • @HimanshuKumar-xz5tk, 3 years ago, +1

    This is some good work. Thanks.

    • @BeABetterDev, 3 years ago

      Thanks Himanshu! Glad you enjoyed.

  • @VishalRaoOnYouTube, 3 years ago, +1

    Oh YEAH! Gonna watch this tonight! Thanks man!

    • @BeABetterDev, 3 years ago

      Hope you like it!

    • @VishalRaoOnYouTube, 3 years ago, +1

      @@BeABetterDev It was awesome. Thanks again! I also appreciate linking to the source code Gist.

  • @Hackenbaker, 2 years ago

    Awesome!!! Thanks a lot.

  • @Harry-jj6qw, 3 years ago, +1

    great stuff, thank you!

  • @wholeofmine, 3 years ago, +1

    Super Explanation !!

  • @pedrobb7, 3 years ago

    Super helpful, thanks.

  • @tomascostantino5532, 24 days ago

    Legend. I had my handler make requests to the auth service and it wasn't working; this is so handy. Thanks.

  • @satya4866, 3 years ago, +1

    Awesome dude. Thank you

  • @kunalsaha9526, 2 years ago, +1

    Appreciate your knowledge!

  • @vijayyadav1002, 1 year ago, +1

    Very helpful video. I had it done through a CloudFormation template and it worked. Keep up the good work.

  • @coderite6311, 2 years ago, +1

    Oh My this video is a life saver
    Thanks so much for this

  • @ClicksoftheWild, 1 year ago

    Thank you

  • @vsingh-26, 1 year ago

    Great, to-the-point video, exactly what I wanted. Thank you. Does anyone know if a request header can be updated in the custom authorizer before sending the request to the service fronted by the API Gateway?

  • @buildingtechies, 1 year ago

    You are a day saver.

  • @thamizhi6819, 3 years ago, +1

    Crystal Clear Bro

  • @Venturebits, 1 year ago, +1

    Thank you, Amazing Video

  • @mdasifkhan6520, 11 months ago

    thanks man

  • @alexandremunhoes3421, 3 years ago, +1

    Great video!!!!

  • @j2s.768, 1 year ago, +1

    This is very helpful.

  • @vijayvavilapalli1002, 2 years ago, +1

    Thank you, this is really helpful to me...

  • @dftwitch, 2 years ago, +1

    Wow, thanks! You saved me hours of time.

  • @chaitanya7903, 3 years ago

    thank you

  • @VishalRaoOnYouTube, 3 years ago, +8

    2:37 I think they make you return a relatively complex policy document (as opposed to a simple "Allow"/"Deny") so that you can Allow/Deny for an array of resource ARNs.

    • @BeABetterDev, 3 years ago, +1

      Hi Vishal
      I think you're right, doing it this way gives a lot of flexibility to developers to produce some interesting experiences.
      Thanks for watching!

    • @ChronologieIV, 2 years ago, +1

      You're right Vishal. In that way one could allow/deny an entire "tree" of related endpoints based on a role, for instance.

  • @MS-ew2ru, 1 year ago

    Thanks for the great tutorial, really helpful! One thing I still can't get: how can we pass actual tokens to this Lambda authorizer (instead of "abc123" as in this example)?

  • @krishind99, 3 years ago, +1

    This is fantastic. Would love to see, how and where authorization token is generated. Do you have a video on that?

    • @BeABetterDev, 3 years ago, +1

      Hi Krishnan, I have another video coming out soon on securing your API using Cognito which uses user tokens. Stay tuned!

  • @alxx736, 2 years ago

    Hi! Always great. I still don't understand how you authenticate the user, how the user got the authorization token.

  • @tuannguyenanh838, 2 years ago, +1

    thank you!

  • @huscachafe, 1 year ago

    Great 🎉

  • @pradeepmca, 3 years ago, +1

    Where exactly is the policy document configured? How is the policy response format validated? Based on the policy response from the authorizer, how does API Gateway interpret it in order to allow or deny a request? Clarity on these would give a full understanding of this nicely explained video.

  • @michaelriecken5482, 1 year ago, +1

    Thanks

  • @kowshikjayakumar8405, 3 years ago, +1

    How can we construct authResponse? Is there any predefined JSON that we can use?

  • @jasonpanugaling, 3 years ago, +1

    Can you do a Node.js version of this please?

  • @guybraunstain4639, 2 years ago

    Nice, is it possible to use AWS_IAM authorizer with the lambda authorizer too?

  • @steveb7600, 2 years ago, +1

    It seems to serve the same purpose as creating an API key but has more developed options.

  • @martinmillar1536, 2 years ago, +1

    I do this authorization in my lambda functions. I read the API key from body/header, check it's OK, and if it is I run the rest of the code. Is there any reason why I shouldn't be doing this? Any cost or anything else reasons? The only thing I can think of is that you have a single 'authorization function', but I don't know if I'm missing anything else. Thank you. And great videos BTW. Helped me a lot getting a project using Lambda and Dynamo up and running properly.

  • @tamiltoken, 2 years ago, +1

    Perfect explanation special thanks from Tamil Crypto

  • @CarlosMito, 2 years ago

    Awesome! Thanks
    I have a doubt: can I return a different response if it is Unauthorized? A custom object?
    And I have trouble getting that "Unauthorized" message from Angular; it always returns status 0, while from Postman all is OK.

  • @madhumsr2814, 3 years ago

    Hi, how can we find the policy document which was in authResponse?

  • @touhidulislam5286, 1 year ago

    Is putting account ID into the policyDocument good practice? Is there any other way to do that?

  • @rsbl, 3 years ago

    Thanks for this! Exactly what I am looking to implement next! What's the program you're using for the architecture diagram??

    • @BeABetterDev, 3 years ago

      Hi Rosbel! You're very welcome. The software I am using is called www.draw.io !

  • @darianarguello1991, 2 years ago

    Hi, thanks for the video!
    Configured exactly the same as mentioned, but with the difference that my API is not in a Lambda. I redirect HTTP traffic to my server.
    When I post to my API I get the following error: "Message": "User is not authorized to access this resource"
    Do you know what that could be? Thanks!

  • @amilasilva7, 2 years ago, +1

    Keep this up brohhh

  • @soumyabratamukherjee3613, 1 year ago

    I have created the REST API as per your suggestion. But the only difference is that it is a private API, as I cannot create a regional API. This is creating an issue while trying to call the authorizer Lambda, as it is mandatory to give a resource policy to the API. Could you please suggest how to do the authorization for a private REST API?

  • @ykuldeep, 1 year ago

    Can we configure customerId and authToken both to AuthLambda?

  • @mendonrohan, 6 months ago, +1

    good video

  • @anuradharamesh3377, 3 years ago, +3

    Thank you this is incredible. Quick question, how does the end user of the API provide the authorizationToken? After I deploy the API and I need to share it with my end users, what step is needed for them to invoke this API and enter the token?
    Can you please clarify?
    Thank you!

    • @BeABetterDev, 3 years ago, +2

      Hi Anuradha,
      Great question. So this method (using a Lambda authorizer) assumes you are validating your users' login and password through a separate API and generating a token that is stored in a database somewhere.
      When calling the API in this video, the token would be provided as an input and validated by the Lambda authorizer by inspecting the token to ensure it is in the database.
      This is just one way of doing it but hopefully it gives you an idea of how it could be done. If you are looking for an easier way to manage user credentials and tokens, check out my other video where I did the same thing with API Gateway, but used an Amazon Cognito user pool authorizer. Link here: ua-cam.com/video/oFSU6rhFETk/v-deo.html
      Hope this helps,
      Daniel

    • @anuradharamesh3377, 3 years ago

      @@BeABetterDev Thank you Daniel
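The reply above describes the flow in words: a separate login API issues a token, stores it, and the authorizer checks the incoming token against that store. Below is an added worked example of that authorizer in Python; it is not the tutorial's gist and not the channel's code. TOKEN_STORE is a constructed in-memory stand-in for the database table, and its columns (principal, expires, revoked) and the sample tokens "abc123", "old456" and "bad789" are assumptions made for illustration. The example also shows the two ways the authorizer can say no: raising an exception whose message is "Unauthorized" (API Gateway answers 401, which is what a client should get for a missing or expired token) versus returning an explicit Deny policy (403, "User is not authorized to access this resource").

```python
import hashlib
import hmac

# Added example, not the tutorial's gist.  TOKEN_STORE is a constructed stand-in for
# the database table the reply above describes; the columns (principal, expires,
# revoked) and the sample tokens are assumptions for illustration.


def token_digest(token):
    # Keep only a hash at rest so a dumped table does not hand out live bearer tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


NOW = 1_700_000_000  # fixed "current time" (epoch seconds) keeps the example deterministic

TOKEN_STORE = {
    token_digest("abc123"): {"principal": "customer-42", "expires": NOW + 3600, "revoked": False},
    token_digest("old456"): {"principal": "customer-7", "expires": NOW - 60, "revoked": False},
    token_digest("bad789"): {"principal": "customer-9", "expires": NOW + 3600, "revoked": True},
}


def lookup_token(token, store=TOKEN_STORE, now=NOW):
    """Return (status, record); status is one of ok / unknown / expired / revoked."""
    digest = token_digest(token)
    record = None
    # Constant-time comparison against every row closes the timing side channel on the
    # token match, which matters if the store is later changed to hold raw tokens.
    for stored_digest, row in store.items():
        if hmac.compare_digest(stored_digest, digest):
            record = row
    if record is None:
        return "unknown", None
    if record["revoked"]:
        return "revoked", record
    if record["expires"] <= now:
        return "expired", record
    return "ok", record


def extract_bearer(header_value):
    """Accept 'Bearer <token>' or a bare token; None when the header is missing or malformed."""
    if not header_value:
        return None
    parts = header_value.split()
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    if len(parts) == 1:
        return parts[0]
    return None


def authorizer_response(principal_id, effect, resources, context=None):
    """The shape a REST API Lambda authorizer must return (the tutorial's authResponse)."""
    response = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resources}
            ],
        },
    }
    if context:
        # Flat string/number/bool values only.  The backend reads them as
        # $context.authorizer.<key>, or event['requestContext']['authorizer'] in a proxy Lambda,
        # so it never has to re-validate the token itself.
        response["context"] = context
    return response


def lambda_handler(event, _context, store=TOKEN_STORE, now=NOW):
    # TOKEN authorizer: the header named in the authorizer config arrives as authorizationToken.
    token = extract_bearer(event.get("authorizationToken"))
    if token is None:
        raise Exception("Unauthorized")  # this exact message makes API Gateway answer HTTP 401
    status, record = lookup_token(token, store, now)
    if status in ("unknown", "expired"):
        raise Exception("Unauthorized")  # 401: the client must log in again for a fresh token
    if status == "revoked":
        # Explicit Deny -> 403 "User is not authorized to access this resource"
        return authorizer_response("anonymous", "Deny", [event["methodArn"]])
    return authorizer_response(
        record["principal"], "Allow", [event["methodArn"]],
        context={"principal": record["principal"]},
    )
```

The principalId is whatever identifies the caller in your own system (here the customer id from the store), not the token itself; the returned context is how identity reaches the backend without the backend re-parsing the token. If authorizer caching is switched on, remember that the returned policy is cached per token for the configured TTL, so a Deny for a revoked token will also stick for that long.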

  • @rohangarad6514, 3 years ago

    Hello, I don't know much about it. Can you please tell me how I can resolve the 403 Forbidden error showing in my Postman response? Or do I need to change any other setting?

  • @mikeyinger4204, 2 years ago

    Thanks for a helpful tutorial.
    Why name the GET lambda function DemoHandler? Doesn't this function return 'customer' data? Why not name it CustomerHandler?

  • @manthanrathod1046, 7 months ago

    Can we use this Authorizer (lambda function that authorises the token) for multiple lambda functions (lambda function that returns the actual response)?

  • @damiengeranton7375, 2 years ago

    Hello, thanks for your videos, which are very clear. I am new to AWS, but it seems that the console has changed and I do not see the same things that you present. Your version seems much better. Do you know how I could use the same console version as yours? For example, in my version I do not find any test capability. I do not have a resource menu...

    • @damiengeranton7375, 2 years ago, +1

      I'll answer my own question ;-) It could help someone else. I finally found the reason: I created an HTTP API and not a REST API. That leads to a different UI.

    • @BeABetterDev, 2 years ago, +1

      Hi Damien. You beat me to it. It looks like the AWS team is slowly migrating users to HTTP APIs, but the concepts demonstrated in this video should remain the same.
      Daniel

  • @asafshay7231, 2 years ago

    Can I create an authorizer in the SAM local API Gateway?

  • @yogeshdubey2031, 1 year ago

    Hey, I have a doubt. We have two functions, one for authorization and another for the actual request. Can't we end up making use of one function only, in which we first perform authorization and then perform the rest of the task?

  • @shafeevkd, 5 months ago

    Thanks for the video. I have a doubt about what the difference is if I'm writing the logic to authorize the API in the connected Lambda itself instead of a custom Lambda authorizer.

    • @prakashKumar-zj8nw, 4 months ago, +1

      Suppose you have 100 different Lambdas. Then you will have to write the same code 100 times. Using this, you just need to attach this Lambda to every Lambda.

  • @abdoualgerian5396, 3 years ago

    Hi man, hope you're doing well. Your YouTube channel is teaching gold and I need to spend a lot of time in here, but I don't know where to start, given that I'm new to AWS. Could you or any of your fans help me please? I appreciate your help.

  • @8989superduper, 1 year ago

    Have a question. Is it safe to use payload info in my access token from my backend Lambda handler without decoding the token with the public key, as long as it's been verified in the Lambda authorizer?

  • @JustThink2000, 3 months ago

    Could I use this same methodology if my authorized resource is a Python Flask API? Basically, I want to use this method to authorize access to my Python API.

  • @santhoshkumar2297, 2 years ago

    Hi, make a video using Azure AD groups for API auth restrictions using a Lambda authorizer.

  • @vishaldindalkop2952, 2 years ago

    How can I attach a custom response to the authorizer? On Deny I want to respond with a custom message.

  • @mjerez6029, 1 year ago, +1

    what is the advantage of this vs handling the authorization in the original lambda handler with your business logic?

    • @BeABetterDev, 1 year ago

      Doing it in your Lambda function means you're mixing your function's implementation with authorization concerns. Ideally we want to separate our concerns and use the SRP (single responsibility principle).

  • @shivamprakash8167, 3 years ago, +1

    Wow

  • @praxtheslayer, 3 years ago, +3

    Hi, a very good video on this! I have a question though, what is principalID and why is it set to the same value as the passed auth value? Also, I see that it is hard-coded. So, if I have a bunch of people, each with a different token value, what do I have to do in this case? Thanks, cheers!

    • @VedsarKushwaha, 2 years ago

      That's a good question. This video also doesn't talk about API Gateway input parameters. Can we get inputs coming to API gateway to the lambda authorizer in POST method? (I know it can be done using query string but query string is not safe because request appends to URL in that case.)

  • @nitinjanagam, 3 years ago

    Could you please do a video on using a Cognito Authorizer for securing API Gateway?

    • @BeABetterDev, 3 years ago

      Hi Nitsy, this is coming soon. Thanks for the suggestion!

  • @AhumadaMauricio, 2 years ago, +1

    Quick question. If we are using two Lambdas (one for authentication and another one for the actual request), doesn't that mean that we may need to cold start both functions? That will dramatically increase the latency between request and response.
    In my experience a C# Lambda function cold start may add up to 7 seconds in comparison with a warm start.

    • @onomatopeia891, 2 years ago, +1

      You may want to check caching in Lambda Authorizer

    • @everythinggoes850, 2 years ago

      Yes, it does add latency. Which is why I recommend writing the authorizer function in Rust.

  • @TheDhanuroutu, 3 years ago

    Can we do with Cognito Authorizer and access to some particular API gateway resource?

    • @BeABetterDev, 3 years ago

      Hi Dhanu, Yes! You should check out Cognito Identity Pools which accomplish exactly this!

    • @TheDhanuroutu, 3 years ago

      @@BeABetterDev I tried with the Cognito identity pool, but couldn't achieve that. Can you do a video on Cognito identity pools to achieve IAM roles to access API Gateway?

  • @vladbunin8994, 2 months ago

    What if I need to return a token-expired 401 error?

  • @axelleuenberger2792, 3 years ago, +3

    I don't get it: the test within AWS is working, but the test with Postman is always wrong.
    I don't get the "explicit deny", every time it's "User is not authorized to access this resource".
    Anyone with the same issue?

    • 3 years ago, +3

      I set the ARN like this and worked , note the last backslash: arn:aws:execute-api:us-west-2:YYYYYYYYYY:XXXXXXXX/test/GET/customers/

    • @chaitanyareddy7597, 3 years ago, +3

      @ yes thanks ! "Resource": "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]" as per doc.
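The thread above nails the usual cause of "User is not authorized to access this resource": the Resource in the returned policy does not match the execute-api ARN of the method being invoked. The earlier exchange about why the authorizer returns a full policy document rather than a bare Allow/Deny (so you can cover an array of ARNs, or a whole subtree of endpoints per role) is the other half of the same point. The following added example, in Python and not taken from the tutorial's gist, derives the Resource list from the methodArn that API Gateway passes to the authorizer, using the ARN format quoted above, and includes a local check of whether a given call would be covered by a cached policy. The role names and the /customers paths in ROLE_GRANTS are constructed for illustration.

```python
import fnmatch

# Added example, not code from the tutorial's gist.  Builds the policy's Resource list
# from the methodArn API Gateway hands the authorizer.  ARN shape, as quoted in the
# thread above:
#   arn:aws:execute-api:{region}:{accountId}:{apiId}/{stage}/{httpVerb}/{resourcePath}
# The roles and paths in ROLE_GRANTS are constructed for illustration.


def parse_method_arn(method_arn):
    """Split an execute-api methodArn into its parts; reject anything else."""
    prefix, _, rest = method_arn.partition("/")
    api_parts = prefix.split(":")
    if len(api_parts) != 6 or api_parts[2] != "execute-api":
        raise ValueError("not an execute-api ARN: %r" % method_arn)
    stage, _, verb_and_path = rest.partition("/")
    verb, _, path = verb_and_path.partition("/")
    return {
        "prefix": prefix,  # arn:aws:execute-api:{region}:{accountId}:{apiId}
        "region": api_parts[3],
        "account": api_parts[4],
        "api_id": api_parts[5],
        "stage": stage,
        "verb": verb,
        "path": path,
    }


def resource_arn(parts, verb, path):
    """ARN for another verb/path on the same API and stage; '*' is the IAM wildcard."""
    return "%s/%s/%s/%s" % (parts["prefix"], parts["stage"], verb, path.lstrip("/"))


# Constructed role -> (httpVerb, resourcePath) grants.  A trailing '*' covers the whole
# subtree, e.g. /customers/{id} and anything below it; '*' as the verb covers every method.
ROLE_GRANTS = {
    "reader": [("GET", "customers"), ("GET", "customers/*")],
    "admin": [("*", "customers"), ("*", "customers/*")],
}


def resources_for_role(method_arn, role):
    """Every execute-api ARN the role may invoke on the API the request arrived on."""
    parts = parse_method_arn(method_arn)
    return [resource_arn(parts, verb, path) for verb, path in ROLE_GRANTS.get(role, [])]


def statement_for_role(method_arn, role):
    """Entry for policyDocument.Statement: Allow the role's whole tree, else Deny this method."""
    resources = resources_for_role(method_arn, role)
    if not resources:
        return {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": [method_arn]}
    return {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resources}


def policy_allows(statement, method_arn):
    """Local approximation of API Gateway's check: does this statement cover the call?"""
    if statement["Effect"] != "Allow":
        return False
    return any(fnmatch.fnmatchcase(method_arn, pattern) for pattern in statement["Resource"])
```

Two practical consequences follow. First, a Resource string has to match the full ARN down to the verb and path exactly as API Gateway writes it (stage and apiId included); hand-typing it with a different stage name or a missing path segment is the quickest way to the 403 in the thread above. Second, when authorizer result caching is enabled, the policy returned for a token is reused for every method that token calls during the TTL, so a policy that allows only the first methodArn produces 403s on every other endpoint; returning the caller's whole permitted tree, as above, is what makes caching safe.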

  • @josepoktopus8924, 1 year ago

    For the CORS problem:
    1. API GW: enable CORS
    2. Allow the headers

  • @saidurgakameshkota1246, 3 years ago

    If we have an API key as authorization, why do we need a Lambda?

  • @asafshay7231, 2 years ago

    Is it possible for an anonymous user?

  • @numpyasnum1768, 2 years ago

    We're gonna pass in authorizationToken from the user's perspective. Where?! In the header?, the body?, the query params?

  • @syedjunedali9330, 2 years ago

    I followed each step, but still, when I am sending the request in Postman, it is not printing the hello world output.

  • @tonante27, 2 years ago

    How does your Lambda authorizer detect if an IAM user has been disabled? We have two client servers. The first one uses a payload of just the base64 token of the username:password, while the other server uses the username and password (password is masked). When I have an active test user, they are allowed to access the API Gateway. However, when that same user is disabled (password is null) in IAM, that user should not be allowed to access the gateway. I don't want to program a credentials report CSV file using boto3 that's encoded to base64. This would expose too much account user info, very risky. Is there another way for the Lambda function to determine when an IAM user has been deactivated? Thanks

  • @HimanshuKumar-xz5tk, 3 years ago

    When I test it in console, it's working fine but in postman it's returning 400 bad request. Please help.

    • @BeABetterDev, 3 years ago

      Hi Himanshu,
      Did you remember to put the /resourceName when making the request? Also make sure you are using the correct type (GET or POST).

    • @HimanshuKumar-xz5tk, 3 years ago

      @@BeABetterDev Yes. Although I am using JWT-based authorization. I am able to get the correct policy in my AWS console, so I could not find any reason why it's not working with Postman or my front-end.
      My fetch request looks like this:
      // Browser call to the protected endpoint; GET_CUSTOMERS_URI and token come from elsewhere in the app.
      async function getCustomers(token) {
        return await fetch(GET_CUSTOMERS_URI, {
          method: 'GET',                 // *GET, POST, PUT, DELETE, etc.
          mode: 'cors',                  // no-cors, *cors, same-origin
          cache: 'no-cache',             // *default, no-cache, reload, force-cache, only-if-cached
          credentials: 'same-origin',
          headers: {
            'authorizationToken': 'Bearer ' + token,   // header name the TOKEN authorizer reads
            'Content-Type': 'application/json',
          },
          redirect: 'follow',            // manual, *follow, error
          referrerPolicy: 'no-referrer',
        });
      }
      It's working fine when I change authorization to none on the /customer resource, and I get data. But with authorization, it's giving a 400 Bad Request error.

  • @loidericfiel1644, 2 years ago

    I'm getting a CORS error.