I have the following serverless.yaml:
getSth:
handler: src/handlers/getSth.getSth
events:
- http:
path: getSth
method: get
cors: true
private: true
authorizer: authorizerFunc
authorizerFunc:
handler: src/handlers/authorizer.authorizer
getSth handler:
module.exports.getSth = async (event, context) => {
const response = {
statusCode: 200,
body: JSON.stringify({message: "nice you can call this});
}
return response;
}
authorizerFunc:
module.exports.authorizer = async (event, context) => {
console.log('i will fail your authorization');
let response = {
isAuthorized: false,
context: {
stringKey: "value",
numberKey: 1,
booleanKey: true,
arrayKey: ["value1", "value2"],
mapKey: { value1: "value2" },
},
};
return response;
}
That results in getting respons 200 in spite of the fact authorizer should not allow to execute that getSth function. Also console log 'I will fail your authorization' is not logged.
What am I doing wrong ?
I have tried to analyse your code and find several points where you can start digging.
Private functions
The key private: true actually makes API Gateway require an API key. I did now not try myself but perhaps private: true and an authorizer do not go together.
Strange still that you are able to call the function then. How do you call the function? From the CLI or through API Gateway and an API testing tool such as Postman or Insomnia?
Authorizer Configuration
Your authorizer configuration is definitely correct. We do have the very same setup in our code.
Authorizer Events
An authorizer function gets an APIGatewayTokenAuthorizerEvent in and should reply with a APIGatewayAuthorizerResult. The latter looks closely like an IAM statement and we do not use the field isAuthorized: false as per your example. I do not understand where this field is coming from. Our result to allow a request looks more or less like the following:
{
"principalId": "<our auth0 user-id>",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": "*"
}]
}
}
Note how the field principalId refers to the username we get from our identity provider (Auth0). And in reality looks something like this: auth0|6f84a3z162c72d0d0d000a00.
Further, we can allow or deny the function call via the Effect field which can hold the values Allow or Deny.
Finally, you can specify which resource the caller is permitted to call. For simplicity of this answer I put * there. Of course in the real world you can pull the ARN of the called function from the event and context and pass that into the policy document.
Opinion
We also had a hard way of figuring this out via documentation from AWS. Of course for AWS the preferred integration would be via AWS Cognito (which I also do prefer due to the more streamlined integration. We benefited quite a bit form the use of TypeScript here which we use to enforce types in and out of our Serverless functions. This way it was rather easy to figure out how the response needs to look like.
Background
We use the custom authorizer integration to allow a user base already existing in Auth0 consume our Serverless based APIs via application clients or single page applications.
I created a REST api gateway in AWS and configure it to pass through all requests to a http endpoint. The configuration I have is
After deploy to a stage (dev) it gives me an invoke URL, like https://xxxx.execute-api.ap-southeast-2.amazonaws.com/dev,
it works fine if I invoke the url by appending a sub path like: https://xxxx.execute-api.ap-southeast-2.amazonaws.com/dev/xxxxx`, I can see it forward the request to downstream http endpoint. However it doesn't forward any request if I invoke the base url: https://xxxx.execute-api.ap-southeast-2.amazonaws.com/dev. How can I make it work with the base invoke url without any subpath?
I tired to add an additional / path resource in API gateway but it doesn't allow me to add it.
The application must be able to receive requests at any path, including the root path: /. An API Gateway resource with a path of /{proxy+} captures every path except the root path. Making a request for the root path results in a 403 response from API Gateway with the message Missing Authentication Token.
To fix this omission, add an additional resource to the API with the path set to / and link that new resource to the same http endpoint as used in the existing /{proxy+} resource.
The updated OpenAPI document now looks like the following code example:
{
"openapi": "3.0",
"info": {
"title": "All-capturing example",
"version": "1.0"
},
"paths": {
"/": {
"x-amazon-apigateway-any-method": {
"responses": {},
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": ""
}
}
},
"/{proxy+}": {
"x-amazon-apigateway-any-method": {
"responses": {},
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": ""
}
}
}
}
}
I want to create API Gateway connected to Lambda function with Alias, I have IntegrationRouteTargetProvider which is providing integration routes to the API. I got the URI from the lambda so I think it is correct. Also I checked number of SO questions and also in the documentation is arn:aws:apigateway:{region}:{subdomain.service|service}:path|action/{service_api}.
My uri is
arn:aws:apigateway:eu-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-central-1:051069080387:function:deploy-test-4-lambda/invocations.
However when I'm trying to create the api I get error:
Unable to put integration on 'ANY' for resource at path '/': Integrations of type 'AWS_PROXY' currently only supports Lambda function and Firehose stream invocations.
Here is my IntegrationRouteTargetProvider:
export class AliasLambdaProvider implements IntegrationRouteTargetProvider {
target(name: string, parent: pulumi.Resource): pulumi.Input<IntegrationTarget> {
return {
type: "aws_proxy",
uri: 'arn:aws:apigateway:eu-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-central-1:051069080387:function:deploy-test-4-lambda/invocations',
};
}
}
and than using it when creating API
return new API(name, {
routes: [
{
path: "/",
target: new AliasLambdaProvider()
}
],
stageName: name + "-stage"
}, { provider });
You're using:
type: "aws_proxy"
Which means everything is passed to the lambda and headers need to be handled at the lambda. Integration is disabled for AWS_Proxy type, thus the error. However, if you wanted to define integration methods/mapping templates etc, use:
type: "aws"
I want to create a step function API using API gateway using Terraforms api_gateway_integration and sfn_state_machine.
I am at the point where I have to fill the uri-parameter at the api_gateway_integration.
My step function was created, I can reference the id of the step function (something like arn:aws:states:*region*:*account*:stateMachine:*step-function-name*:stateMachine:*step-function-entry-point*).
Can anyone tell me the scheme or an example of how the uri-parameter will have to look, if an AWS step function is the target?
resource "aws_api_gateway_integration" "endpoint_integration" {
...
integration_http_method = "POST"
type = "AWS"
uri = <<<<< What to place here???
}
In contrast to Terraform-integrate an AWS lambda with an API gateway, you cannot point from an API gateway to a specific AWS state machine "directly" (using the "uri"-parameter"). Instead, the aws_api_gateway_integration-resource points to the AWS state machine in general, the specific AWS state machine will be referenced by AWS ARN as part of the request. You can use an API gateway request template for mapping from the API gateway to the specific state machine, so that you can omit die stateMachineArn when requesting your API. For detailed explanation have a look at AWS documentation "Creating a Step Functions API Using API Gateway".
Working example
# var.aws_region = eu-central-1
# var.sfn_orchestrater_arn = arn:aws:states:eu-central-1:*account*:stateMachine:*step-function-entry-point*
resource "aws_api_gateway_integration" "endpoint_integration" {
http_method = "POST"
integration_http_method = "POST"
type = "AWS"
passthrough_behavior = "NEVER"
uri = "arn:aws:apigateway:${var.aws_region}:states:action/StartExecution"
request_templates = {
"application/json" = <<EOF
{
"input": "$util.escapeJavaScript($input.json('$'))",
"stateMachineArn": "${var.sfn_orchestrater_arn}"
}
EOF
}
}
How can I get the identity id of the user (logged in by AWS Cognito) that invoked an AWS Lambda function? Do I have to use the SDK on the Lambda function to get the identity id?
In AWS javascript SDK inside lambda function just use
context.identity.cognitoIdentityId
It is working for me
If anyone else stumbles upon this, I think this will help you a lot.
Note this only applies if you're using the Cognito User Pool Authorizer. If you want to use AWS_IAM with Cognito Identitys check out my github example https://github.com/VictorioBerra/js-cognito-auth-example (read down to EDIT area below)
If you have "Use Lambda Proxy Integration" checked then you wont have access to Request Template Mappings. But you can get to the claims inside the token in your lambda function:
exports.handler = (event, context, callback) => {
//create a response
const response = {
statusCode: 200,
body: JSON.stringify({
"user email": event.requestContext.authorizer.claims.email,
}),
};
callback(null, response);
};
EDIT - More information for using AWS_IAM as APIG authorizer
Basically you need to have your APIG secured with AWS_IAM AND you must auth via a Cognito Federated Identity which will return a sessionToken example using user pools. This is what makes the AWS IAM credentials temporary. Now you have everything you need to auth to your APIG.
To test this, download the desktop version of postman, toss in your API URI (grab this from the stages area) and then under Authorization fill out the 5 fields you need for Sig4 signing. You will see 'event.identity' object in your lambda function is loaded up with properties such as the user object.
If you want to use the APIG auto-generated SDK it comes built in with a factory that takes the accessKey, secret, and token and signs everything for you. Same with the aws-sdk. You can init the credentials with those three items and it will automatically sign all requests for you with those temp creds. If you want to straight up manually hit your API with window.fetch, request, curl, (insert http client here) you can calculate your own Sig4 (beware it can be a little complicated or use a modern library to do it for you.
Also for the record, while doing my research I noticed that if you want to NOT use AWS_IAM as an APIG authorizer, and you want to use "Cognito Identity Pool Authorizer" which is a fancy new option in the dropdown in APIG you can still get a ton of info on the user in the lambda event if you just pass the JWT gained from a successful Cognito popl auth to the APIG as the Authorization header. Inside that JWT is a lot of attributes which you can customize in your pool settings.
IMO professional opinion I think using the AWS_IAM temp creds authorizer is preferred. This way, you can use as many different IdPs as you want in Cognito Identities (Facebook, Twitter, pools, etc.)
If you go through API Gateway, you can pass the cognito id (as well as the user arn and other useful information) to Lambda. This solved the issue for me.
http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html
Per the docs, it looks like information about the identity provider would only be available for an invoke through the Mobile SDK.
To get around this, one option is to pass the identity ID to the function manually as part of the event. Assuming you are doing something like AWS.config.credentials = new AWS.CognitoIdentityCredentials(...) then you should be able to get the ID via AWS.config.credentials.identityId (after the credentials are refreshed).
EDIT: A better option for identity validation is to let Cognito/IAM handle it, and assume that if a user can successfully invoke a Lambda function, that means they are allowed to. In this case to manage per-user validation, take a look at whitelisting.
For anyone else still struggling to obtain the IdentityId of a Cognito User in a Lambda Function, after many hours of exploration, I discovered that the IdentityId can be obtained within a Lambda Function in the following ways depending on the method you use to invoke the Lambda Function:
Invocation via an API-Gateway trigger with a Cognito User Pool Authorizer
The IdentityId can be obtained in the following way:
const IDENTITY_POOL_ID = "us-west-2:7y812k8a-1w26-8dk4-84iw-2kdi849sku72"
const USER_POOL_ID = "cognito-idp.us-west-2.amazonaws.com/us-west-2_an976DxVk"
const { CognitoIdentityClient } = require("#aws-sdk/client-cognito-identity");
const { fromCognitoIdentityPool } = require("#aws-sdk/credential-provider-cognito-identity");
exports.handler = async (event,context) => {
const cognitoidentity = new CognitoIdentityClient({
credentials: fromCognitoIdentityPool({
client: new CognitoIdentityClient(),
identityPoolId: IDENTITY_POOL_ID,
logins: {
[USER_POOL_ID]:event.headers.Authorization
}
}),
});
var credentials = await cognitoidentity.config.credentials()
console.log(credentials)
// {
// identityId: 'us-west-2:d393294b-ff23-43t6-d8s5-59876321457d',
// accessKeyId: 'ALALA2RZ7KTS7STD3VXLM',
// secretAccessKey: '/AldkSdt67saAddb6vddRIrs32adQCAo99XM6',
// sessionToken: 'IQoJb3JpZ2luX2VjEJj//////////...', // sessionToken cut for brevity
// expiration: 2022-07-17T08:58:10.000Z
// }
var identity_ID = credentials.identityId
console.log(identity_ID)
// us-west-2:d393294b-ff23-43t6-d8s5-59876321457d
const response = {
statusCode: 200,
headers: {
"Access-Control-Allow-Headers": "*",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods" : "OPTIONS,POST,GET,PUT"
},
body:JSON.stringify(identity_ID)
};
return response;
}
Why?
Invoking a Lambda Function using an API-Gateway trigger with a Cognito User Pool Authorizer will result in the following fields (among additional fields which have been removed for brevity) being available in the event of the invocation:
{
"resource": "/{proxy+}",
"path": "/_",
"httpMethod": "POST",
"headers": {
"Authorization": "eyJrmlaod8(kyC9zdspo0jZIYjRENFlCNVBidnksl89DNm9USDJrT25MSDhjXC9EYkIzMzQ8389iYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI8389yNDg4Ny0wYTRdkiuiOGQtODA4My1kNmIyYzZhYWNhN2YiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfZ3dPMjlMckR4IiwiY3VzdG9tOmZpcnN0X2tleSI6ImZhbHNlIiwiY29nbml0bzp1c2VybmFtZSI6IjJjNjI0ODg3LTBhNGItNGE4ZC04MDgzLWQ2YjJjNmFhY2E3ZiIsIm9yaWdpbl9qdGkiOiI0ODEzYzk1Ni01MDM0LTQzNmItYjE5OS00MWZjN2U1ZTQ0ODciLCJhdWQiOiJyNjdwOGdxNnQ5cHJrc2JyYmtxMDVoM2NuIiwiZXZlbnRfaWQiOiJmOWRlNWMxOC0yMTNlLTQ2NDgtOGY4MC1mODdhYWJhNWM4NGUiLCJjdXN0b206YXBpX2tleV9JRCI6Imhoa2hpMmw5cTkiLCJjdXN0b206YXBpX2tleSI6InVzLXdlc3QtMjplOTBkYmUzZC0wN2FhLTRjODQtOGQ0Ny04NjJmZDJhNzQ1MGZfcm5Zalk2YmhaT0lkWXhDcDBDcjNYZWVaYzFuT3ViZnkzdEs5aEtFRFVIZ3FJd1BSTVJuQ2pyWlJYdGNBSVpqWTVnMFFyejN3ek1keGoiLCJ0b2tlbl91c2UiOiJpZCIsImF1dGhfdGltZSI6MTY1ODA0ODg1OSwiZXhwIjoxNjU4MTM2MTk3LCJpYXQiOjE2NTgxMzI1OTcsImp0aSI6IjdmNTdiYWZlLTA1ZGUtNDgwZC1hMDgzLWY1MjlhN2YzNmI2YiIsImVtYWlsIjoidHJldmVuYXc3QGdtYWlsLmNvbSJ9.hk-8ajGP2jO0RQvzwZWp2d5T1BLiWL9q6vvrbXemLBbd2kb1kkBSvklfC_7WWvJoy1ukwNoq8Cx63U2hQfjJB077AHrHfN2PkJu4DG86vSdtSzrZVDQmle331UxopLQvzDZ1mejfmSFbo6x1ZeTbo39PRpox4pzsfeUAM1Rf8H6y8OrdPZa7Gh6gRkiN2IcwdBnXI4-Q6HX5QqiVzr2O4zEnNsqMFfsFA3aO05hnp7EYRWHgS6EgaQjfBirCoyerBkjFJTXynl76Jj4fK3-3KY4tw5EHplxkgAih7a9QTxy8SbRee8kh7fwrIGEO6CtgkM9v0XL7jBPtNtGTpqBRzw"
},
"requestContext": {
"authorizer": {
"claims": {
"sub": "231df9d7-0aab-4dsd-8389-d315d9daca7f",
"email_verified": "true",
"iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_an976DxVk",
"custom:first_key": "false",
"cognito:username": "231df9d7-0aab-4dsd-8389-d315d9daca7f",
"origin_jti": "8131rlpo-5123-436b-b199-41315d9d4487",
"aud": "r6315d9dt9sdls315d9d5h3cn",
"event_id": "f3dsp9d8-213e-4648-8f80-f8315d9dc84e",
"custom:name": "my_name",
"token_use": "id",
"auth_time": "1658148859",
"exp": "Mon Jul 18 09:23:17 UTC 2022",
"iat": "Mon Jul 18 08:23:17 UTC 2022",
"jti": "982sdafe-97rs-996l-i899-k315d9d09n7n",
"email": "jeff#amazon.com"
}
},
"extendedRequestId": "dSiT_dLdJdad9oP=",
"requestTime": "18/Jul/2022:08:23:27 +0000",
"requestTimeEpoch": 1658132607750,
"requestId": "387ss00s3-add0-62i9-l9s0-9a8dj8976dfa",
"identity": {
"cognitoIdentityPoolId": null,
"accountId": null,
"cognitoIdentityId": null,
"caller": null,
"sourceIp": "91.83.769.200",
"principalOrgId": null,
"accessKey": null,
"cognitoAuthenticationType": null,
"cognitoAuthenticationProvider": null,
"userArn": null,
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
"user": null
},
"domainName": "mskd8fpni2.execute-api.us-west-2.amazonaws.com",
"apiId": "mskds98ni2"
},
"body": "{\"name\":\"my_name\"}",
"isBase64Encoded": false
}
and the following fields being available in the context of the invocation:
{
"callbackWaitsForEmptyEventLoop": true,
"functionVersion": "$LATEST",
"functionName": "hello-world-jsHelloWorldFunction-kTdLswTRrkdS",
"memoryLimitInMB": "512",
"logGroupName": "/aws/lambda/hello-world-jsHelloWorldFunction-kTdLswTRrkdS",
"logStreamName": "2022/07/15/[$LATEST]95edi84719944bdi84a6cdi8451di849",
"invokedFunctionArn": "arn:aws:lambda:us-west-2:598763214571:function:hello-world-jsHelloWorldFunction-kTdLswTRrkdS",
"awsRequestId": "d8s57juq-3g39-49sk-8625-5849sk9be44I"
}
Notice the following things:
The Cognito User's IdentityId is not available in either the event or the context
Other information about the Cognito User is available in the event (email, sub, custom attributes, etc.)
The request invocation time is available in the event (the time that the lambda function was invoked which is available in event.requestContext.requestTime and event.requestContext.requestTimeEpoch)
Note: Please leave a comment if you are having a hard time setting up an API-Gateway trigger with a Cognito User Pool Authorizer for your Lambda Function, if people are interested I will add instructions on how to accomplish this.
Direct invocation using a Cognito User's credentials and the AWS SDK for JavaScript v3
The IdentityId can be obtained in the following way:
exports.handler = async (event,context) => {
var identity_ID = context.identity.cognitoIdentityId
console.log(identity_ID)
// us-west-2:d393294b-ff23-43t6-d8s5-59876321457d
const response = {
statusCode: 200,
headers: {
"Access-Control-Allow-Headers": "*",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods" : "OPTIONS,POST,GET,PUT"
},
body:JSON.stringify(identity_ID)
};
return response;
}
Why?
Directly invoking a Lambda Function using the AWS SDK for Javascript v3 and a Cognito User's credentials will result in no additional information being available in the event of the invocation:
{
"name": "my_name"
}
however, the IdentityId is available in the context of the invocation:
{
"callbackWaitsForEmptyEventLoop": true,
"functionVersion": "$LATEST",
"functionName": "hello-world-jsHelloWorldFunction-kTdLswTRrkdS",
"memoryLimitInMB": "512",
"logGroupName": "/aws/lambda/hello-world-jsHelloWorldFunction-kTdLswTRrkdS",
"logStreamName": "2022/07/15/[$LATEST]95edi84719944bdi84a6cdi8451di849",
"identity": {
"cognitoIdentityId": "us-west-2:d393294b-ff23-43t6-d8s5-59876321457d",
"cognitoIdentityPoolId": "us-west-2:7y812k8a-1w26-8dk4-84iw-2kdi849sku72"
},
"invokedFunctionArn": "arn:aws:lambda:us-west-2:598763214571:function:hello-world-jsHelloWorldFunction-kTdLswTRrkdS",
"awsRequestId": "d8s57juq-3g39-49sk-8625-5849sk9be44I"
}
Notice the following things:
The Cognito User's IdentityId is available in context.identity.cognitoIdentityId
Additional information about the Cognito User is not available in the event or the context (email, sub, custom attributes, etc.)
The request invocation time is not available in either the event or context
Note: To directly invoke a Lambda Function using a Cognito User's credentials and the AWS SDK for JavaScript v3, you need to add a custom IAM Permission to the IAM Role assumed by authenticated Users in your Cognito User Pool. To do this:
Go to IAM -> Roles, and find the role for your user pool such as amplify-myapp-prod-12987-authRole
Click "Add permissions"
Click "Create inline policy"
Click "JSON"
Insert the following policy and replace the Function ARN with the ARN of your Lambda Function:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunctionUrl",
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:598763214571:function:hello-world-jsHelloWorldFunction-kTdLswTRrkdS"
]
}
]
}
Click "Review Policy"
Save the policy
Invocation methods that don't currently support authenticating users from a Cognito User Pool:
Invoking with caller credentials (this only works if you are using AWS_IAM authentication, not a Cognito User Pool Authorizer)
Invoking via a function URL (this only supports AWS_IAM authentication as well)
My observation is the following.
If you call the API Gateway with a signed Request where you actually provide the accesskey, secret and sessionToken which you can extract via (JS SDK):
AWS.config.credentials = new AWS.CognitoIdentityCredentials(...)
AWS.config.credentials.get(..)
And assumed that your lambda is called from API-Gateway via LAMBDA_PROXY and Authorizer AWS_IAM. You can only access user stuff in lambda with:
exports.create = function (event, context) {
secdata = event.requestContext.identity.cognitoAuthenticationProvider;
}
Then you will get, apart from other stuff, the "sub" of the cognito UserPool User. So if you really want to know more about the user, it seems you need to ask AWS again via SDK call.
For a Python Lambda, invoked via Javascript AWS SDK / Cognito / Amplify...
https://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
context.identity.cognito_identity_id
It should look something like this:
{aws region}:{ GUID }
Assuming you are using an Identity Pool, this will return the Cognito Federated Identity, that can be used for fine grained access control. This is safer than relying on the Javascript payload containing the identity id.
The Cognito Identity Pool Auth Role will need to have Lambda:InvokeFunction policy, otherwise the user won't be able to invoke the function in the first place.
Edit: This works when calling the Lambda function DIRECTLY, not via API Gateway.
Edit2: The Cognito user is allowed to call the lambda because it is explicitly set in the IAM Cognito Auth role.
I was using Kotlin and my Lambda handler was
override fun handleRequest(event: APIGatewayProxyRequestEvent, context: Context): APIGatewayProxyResponseEvent
But event.requestContext had no authorizer. The solution was to upgrade the dependency in build.gradle from
com.amazonaws:aws-lambda-java-events:2.1.0 to com.amazonaws:aws-lambda-java-events:2.2.7. After that, I got the username as follows.
val claims = requestContext.authorizer["claims"] as Map<String, String>
println(claims["cognito:username"])
println(claims["email"])