How to invoke a lambda custom authorizer on every request? - amazon-web-services

I have a lambda function with an authorizer sitting within an API gateway.
I notice that when I call the lambda function, on the first request the authorizer is invoked as expected, authorization passes, IAM role is assumed and grants access to the lambda function.
However, on subsequent requests, the authorizer is not invoked.
I assume this is due to authorization caching.
However, in the AWS console, in API gateway > Authorizers the authorizer has the following configuration:
Authorizer ID: iiii2l
Lambda Function: foo-authorizerV1-dev-authorizer (eu-west-1)
Lambda Invoke Role: arn:aws:iam::0000000:role/foo-authorizerV1-dev-AuthorizerRole-AAAAAAA
Lambda Event Payload: Request
Identity Sources: deviceID (header)
Authorization Caching: Authorization not cached
I would have thought Authorization Caching being set to Authorization not cached would mean that the authorizer would be invoked on every request.
Am I missing something here?

If caching is not enabled then API Gateway will call the authorizer on each request.
If you've made a change to the API Gateway in the console but haven't yet deployed the API, it might seem like you have one configuration but the behavior of another. I would check that the current configuration is deployed and retest.

Related

Usage of a Lambda authorizer function with the AWS WebSockets API Gateway yields error in AWS console

We've created a Websocket API through AWS Gateway that connects to a Lambda function, but in order to authorize the connection/API-request we need to create a lambda authorizer that is hit before the Lambda function. For now, this is the only option that AWS gives to authorize requests via gateway websocket connection. Hooking up the lambda authorizer is simple, but for some reason the AWS console is reporting an error that doesn't make any sense since the authorizer is attached to the $connect route
The authorizer has all the necessary permissions. I tried to conduct a simple sanity test and log the event that was being passed in, but the lambda authorizer is being completely ignored. Aside from the Lambda authorizer, the websocket API and Lambda function work together without any issues. There just seems to be a problem reaching the lambda authorizer.
If you have any idea why this is happening, please let me know what we're doing wrong.

Call lambda function from a different cloudformation stack via API

I have a lambda function exposed via API gateway but when I try to request it using fetch it is saying that I am forbidden to access it. How do I allow my function to call another function via API gateway?
There can be multiple reasons for it.
Check whether your API gateway endpoint is open or not. While specifying trigger for lambda you must have selected one option for security. You can edit this in API gateway Method Execution tab under Authorization Settings, select Authorization : None and API key required: false
You might not have enabled CORS on your api and due to that your api is not available on cross regions.
Your api gateway is not having access to lambda function. You can do that by attaching IAM role to your API gateway API which can trigger your lambda function.

AWS API Gateway Custom Authorizer lambda is not triggering

I'm trying to implement Basic authentication, using this article as inspiration:
https://medium.com/#Da_vidgf/http-basic-auth-with-api-gateway-and-serverless-5ae14ad0a270
The application sets up as described:
WWW-Authenticate in the 401 response
Request Authorizer set up in the Authorizer section
Tie the authorizer to my endpoint, on the ANY method execution
I can test my custom authorizer using the Test feature under Authorizers successfully but when I call the API using curl (or anything else) there is no authentication. The authorizer lambda doesn't get called and there are no logs in CloudWatch.
Any idea where I could look next?
Remember to deploy API Gateway to apply settings before test.

AWS API Gateway Custom Authorizer not invoked

To start off with, I am pretty new to AWS. Started with pretty basic API Gateway + Lambda integration. Below are my use cases.
Created a Lambda proxy Integration request with API Gateway, GET request which outputs the addition of 2 numbers passed through query parameters. Now if I access this API Gateway endpoint I am getting the desired result.
Now I have created a custom authorizer, which is in turn a call to another lambda.
So a request will be validated by the authorizer lambda prior to hitting the API Gateway endpoint. In this case the authorizer is not invoked at all.
I have enabled Cloudwatch logs for API gateway & lambda, so below are the issues I am facing:
Cloudwatch logs to API Gateway end point does not show the call to custom authorizer lambda.
Logs to end point lambda is seen correctly in lambda group, but unable to see the same for authorizer lambda.
I have followed the below AWS documentation but nothing seems to help.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
Below is the API Gateway config. The authorizer configured has a header token called 'Authorization'; the consumer of the API should provide the Authorization token while calling the endpoint, which is supposed to be validated by the Authorizer.
API Gateway Logs - Lambda configured was called directly without invoking Authorizer.
As mentioned by @Anup in the comments, you probably need to re-deploy the stage for the changes to take effect.
In my case I set up everything in terraform and couldn't figure out why the custom authenticator wasn't being called.
After adding variables to the deployment to trigger a redeployment, the custom authenticator was properly called as expected.
Make sure your lambda and gateway authorizer are correctly configured. A couple suggestions:
Verify if your lambda has the API gateway trigger. The trigger is created automatically when you assign your authorizer to a valid lambda function in the API gateway authorizer settings.
Verify if your lambda has a valid handler. The current assigned handler can be seen in your lambda's configuration page.
Make sure the Method Request Authorization of your resource is set to the correct authorizer
Deploy the gateway to guarantee the current API stage is using the displayed settings.
Even if your authorizer code doesn't work properly you should at least see an execution log in CloudWatch.
Just managed to solve the same problem. The request invokes the authorizer sometimes but sometimes not.
When you create a custom authorizer, it automatically turns on the authorization caching. The default TTL is 300s.
https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
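The two causes named in the answers above (settings changed in the console but not deployed, and the 300 s default cache TTL) can be checked by comparing the working-copy authorizer with what the stage has deployed. This is an added example, not code from any of the posts: it assumes `working` is shaped like `get-authorizer` output and `export` like a Swagger 2.0 stage export from `get-export` with `extensions='authorizers'`, keyed by authorizer name; the name `foo-authorizer`, the paths and all sample data are constructed.

```python
# Added example: compare the working-copy authorizer with what a stage has deployed.
DEFAULT_TTL = 300  # API Gateway's default authorizer cache TTL, in seconds
VERBS = {"get", "put", "post", "delete", "patch", "head", "options",
         "x-amazon-apigateway-any-method"}

def audit_stage(working, export):
    """working: dict shaped like get-authorizer output (console state).
    export: dict shaped like a Swagger 2.0 stage export with authorizer
    extensions (deployed state). Returns a list of findings."""
    name = working["name"]
    want_ttl = working.get("authorizerResultTtlInSeconds", DEFAULT_TTL)
    scheme = export.get("securityDefinitions", {}).get(name)
    if scheme is None:
        return [f"authorizer '{name}' is not in the deployed stage: redeploy"]
    ext = scheme.get("x-amazon-apigateway-authorizer", {})
    live_ttl = ext.get("authorizerResultTtlInSeconds", DEFAULT_TTL)
    findings = []
    if live_ttl != want_ttl:
        findings.append(f"deployed TTL {live_ttl}s != console TTL {want_ttl}s: redeploy")
    if live_ttl > 0:
        findings.append(f"results cached for {live_ttl}s: authorizer skipped on cache hits")
    for path, item in sorted(export.get("paths", {}).items()):
        for verb, op in sorted(item.items()):
            if verb in VERBS and not any(name in req for req in op.get("security", [])):
                findings.append(f"{verb.upper()} {path} deployed without '{name}'")
    return findings

def sample_export(ttl, secure_all):
    """Constructed stage export; 'foo-authorizer' and the paths are hypothetical."""
    secured = {"security": [{"foo-authorizer": []}]}
    return {
        "securityDefinitions": {"foo-authorizer": {
            "type": "apiKey", "name": "deviceID", "in": "header",
            "x-amazon-apigateway-authtype": "custom",
            "x-amazon-apigateway-authorizer": {
                "type": "request",
                "identitySource": "method.request.header.deviceID",
                "authorizerResultTtlInSeconds": ttl}}},
        "paths": {"/add": {"get": secured},
                  "/health": {"get": secured if secure_all else {}}},
    }

# Constructed console state: caching disabled, as in the first question.
WORKING = {"id": "iiii2l", "name": "foo-authorizer", "type": "REQUEST",
           "identitySource": "method.request.header.deviceID",
           "authorizerResultTtlInSeconds": 0}

if __name__ == "__main__":
    for finding in audit_stage(WORKING, sample_export(300, False)):
        print(finding)
```

An empty result means the deployed stage matches the console and every exported method is bound to the authorizer.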

Custom Authoriser not called by AWS API Gateway

My Flask app uses Facebook OAuth 2 for authorization and is deployed on API Gateway and Lambda with Zappa. The app needs to request an authorizer token and I think I need to use a custom authorizer for this as the normal lambda cannot make external requests. I have set up the resource and linked it to the custom authorizer and that to my authorizer lambda, but I am getting an error and the lambda authorizer does not appear to have been called. What am I doing wrong?
Thanks
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/endpoint+error.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/no+events+in+lambda+monitoring.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/custom+autorizer.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/api+gateway+resource+setup.png