My Flask app uses Facebook OAuth 2 for authorization and is deployed on API Gateway and Lambda with Zappa. The app needs to request an authorizer token and I think I need to use a custom authorizer for this as the normal lambda cannot make external requests. I have set up the resource and linked it to the custom authorizer and that to my authorizer lambda, but I am getting an error and the lambda authorizer does not appear to have been called. What am I doing wrong?
Thanks
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/endpoint+error.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/no+events+in+lambda+monitoring.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/custom+autorizer.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/api+gateway+resource+setup.png
Related
I have a lambda function with an authorizer sitting within an API gateway.
I notice that when I call the lambda function, on the first request the authorizer is invoked as expected, authorization passes, IAM role is assumed and grants access to the lambda function.
However, on subsequent requests, the authorizer is not invoked.
I assume this is due to authorization caching.
However, in the AWS console, in API gateway > Authorizers the authorizer has the following configuration:
Authorizer ID: iiii2l
Lambda Function: foo-authorizerV1-dev-authorizer (eu-west-1)
Lambda Invoke Role: arn:aws:iam::0000000:role/foo-authorizerV1-dev-AuthorizerRole-AAAAAAA
Lambda Event Payload: Request
Identity Sources: deviceID (header)
Authorization Caching: Authorization not cached
I would have thought Authorization Caching being set to Authorization not cached would mean that the authorizer would be invoked on every request.
Am I missing something here?
If caching is not enabled then API Gateway will call the authorizer on each request.
If you've made a change to the API Gateway in the console but haven't yet deployed the API, it might seem like you have one configuration but the behavior of another. I would check that the current configuration is deployed and retest.
How do you setup and access an AWS API Gateway without an authorizer?
I've created an API Gateway that I want to be publicly accessible. It will be used to perform its own authorization. But when I try to access its invocation URL, it returns the error response:
{"message":"Missing Authentication Token"}
I assume this is because the GET method for my gateway has Authorization=None. However, I don't want to use either AWS's lambda or cognito authorizers.
How do I change that to not require any built-in authorizer?
I have a serverless application which uses AWS Cognito, Lambda, and API Gateway.
The user signs in using AWS Cognito (with external identity provider) for user authentication and authorization.
The API gateway uses Cognito Authorizer to secure access to the lambda function.
The initial use case is simple: any request sent to API Gateway needs to be authenticated with Cognito, and authenticated users are authorized to invoke the lambda function. As long as they can sign in, they can invoke the lambda.
Now I want to change the authorization. Even if the user is able to authenticate with Cognito, they must hold certain scopes in order to be authorized to invoke the lambda. These scopes can be fetched or checked in an external authz service. The Cognito authorizer on the API gateway does not allow me to implement custom logic to call an external authz service.
What is the recommended way to handle this?
You can use lambda authorizer for this use case.
In your lambda you can first authenticate your incoming token (example) and once authentication is successful you can check authorization scopes using authz service.
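The two-step flow this answer describes, as an added example (not code from the answer or from AWS): a REQUEST-type Lambda authorizer that authenticates the bearer token first, then asks an authz service for the caller's scopes and compares them with the scope the invoked method requires. Token verification, the authz service and the per-method scope table are constructed stand-ins here; a real handler would verify the Cognito JWT with a JWT library and call the real service.

```python
# Added example, not code from the answer above or from any AWS project.
# Flow: authenticate the token -> fetch scopes from the authz service ->
# return the IAM policy document API Gateway expects from a Lambda authorizer.

# Constructed stand-in for token verification (maps token -> subject).
# In production, verify the Cognito JWT's signature, issuer, audience and expiry.
_VALID_TOKENS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}

# Constructed stand-in for the external authz service (hypothetical):
# in practice an HTTP call that returns the subject's scopes.
_AUTHZ_SERVICE_SCOPES = {
    "alice": {"orders:read", "orders:write"},
    "bob": {"orders:read"},
}

# Scope required per HTTP method on the protected resource (an assumption).
REQUIRED_SCOPE = {"GET": "orders:read", "POST": "orders:write"}


def authenticate(token):
    """Return the subject for a valid token, or None (placeholder for JWT checks)."""
    return _VALID_TOKENS.get(token)


def fetch_scopes(subject):
    """Ask the (hypothetical) authz service which scopes the subject holds."""
    return _AUTHZ_SERVICE_SCOPES.get(subject, set())


def bearer_token(headers):
    """Extract the bearer token from the Authorization header, case-insensitively."""
    for name, value in (headers or {}).items():
        if name.lower() == "authorization" and value.lower().startswith("bearer "):
            return value[7:].strip() or None
    return None


def build_policy(principal_id, effect, method_arn, context=None):
    """Build the authorizer response: principalId, IAM policy and optional context."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
        "context": context or {},
    }


def lambda_handler(event, context=None):
    """Entry point for a REQUEST-type Lambda authorizer.

    Raising 'Unauthorized' makes API Gateway answer 401; a Deny policy yields 403.
    """
    token = bearer_token(event.get("headers"))
    subject = authenticate(token) if token else None
    if subject is None:
        raise Exception("Unauthorized")

    method_arn = event["methodArn"]
    # methodArn: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
    http_method = method_arn.split("/")[2]
    needed = REQUIRED_SCOPE.get(http_method)
    held = fetch_scopes(subject)

    effect = "Allow" if needed is not None and needed in held else "Deny"
    # Context values are passed to the backend as strings via $context.authorizer.*
    return build_policy(subject, effect, method_arn, {"scopes": " ".join(sorted(held))})
```

One caching caveat worth knowing when adapting this: with authorization caching enabled, API Gateway caches the returned policy keyed on the identity source (here the Authorization header) and reuses it for other methods during the TTL. A policy whose Resource is only the first method's ARN will then produce unexpected 403s on other methods; either return a policy that covers every method the caller may use, or set the cache TTL to 0.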
I'm trying to implement Basic authentication, using this article as inspiration:
https://medium.com/#Da_vidgf/http-basic-auth-with-api-gateway-and-serverless-5ae14ad0a270
The application sets up as described:
WWW-Authenticate in the 401 response
Request Authorizer set up in the Authorizer section
Tie the authorizer to my endpoint, on the ANY method execution
I can test my custom authorizer using the Test feature under Authorizers successfully but when I call the API using curl (or anything else) there is no authentication. The authorizer lambda doesn't get called and there are no logs in CloudWatch.
Any idea where I could look next?
Remember to deploy API Gateway to apply settings before test.
To start off with, I am pretty new to AWS. Started with pretty basic API Gateway + Lambda integration. Below are my use cases.
Created a Lambda proxy Integration request with API Gateway, GET request which outputs the addition of 2 numbers passed through query parameters. Now if I access this API Gateway endpoint I am getting the desired result.
Now I have created custom authorizer, which is in turn a call to another lambda.
So a request will be validated by the authorizer lambda prior to hitting the API Gateway endpoint. In this case the authorizer is not invoked at all.
I have enabled CloudWatch logs for API Gateway & Lambda, so below are the issues I am facing:
Cloudwatch logs to API Gateway end point does not show the call to custom authorizer lambda.
Logs to end point lambda is seen correctly in lambda group, but unable to see the same for authorizer lambda.
I have followed the below AWS documentation nothing seems to help.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
Below is the API Gateway config. The authorizer configured has a header token called 'Authorization'; the consumer of the API should provide the Authorization token while calling the endpoint, which is supposed to be validated by the Authorizer.
API Gateway Logs - Lambda configured was called directly without invoking Authorizer.
As mentioned by #Anup in the comments, you probably need to re-deploy the stage for the changes to take effect.
In my case I set up everything in terraform and couldn't figure out why the custom authenticator wasn't being called.
After adding variables to the deployment to trigger a redeployment, the custom authenticator was properly called as expected.
Make sure your lambda and gateway authorizer are correctly configured. A couple of suggestions:
Verify if your lambda has the API gateway trigger. The trigger is created automatically when you assign your authorizer to a valid lambda function in the API gateway authorizer settings.
Verify if your lambda has a valid handler. The current assigned handler can be seen in your lambda's configuration page.
Make sure the Method Request Authorization of your resource is set to the correct authorizer
Deploy the gateway to guarantee the current API stage is using the displayed settings.
Even if your authorizer code doesn't work properly you should at least see an execution log in CloudWatch.
Just managed to solve the same problem. The request invokes the authorizer sometimes but sometimes not.
When you create a custom authorizer, it automatically turns on authorization caching. The default TTL is 300s.
https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
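The checklist answer above (method authorization set to the right authorizer, a function assigned, an identity source) and this last answer's point about the default 300 s cache TTL can be turned into a small configuration check. The following is an added example, not code from either answer or from AWS: it takes a method and an authorizer in the shape the API Gateway REST API returns them (the `get_method` and `get_authorizer` response fields) and reports both real wiring problems and the caching behaviour that makes an authorizer look as if it is being skipped. The sample objects are constructed; the authorizer id `iiii2l` is the one shown earlier on this page and the ARNs are placeholders.

```python
# Added example, not from the answers above or from AWS. Checks the wiring
# between a REST API method and its Lambda authorizer, using the field names
# of the API Gateway get_method / get_authorizer responses.

DEFAULT_TTL_SECONDS = 300  # authorizer results are cached this long unless changed


def check_authorizer_wiring(method, authorizer):
    """Return (problems, notes).

    problems: settings that stop the Lambda authorizer from being invoked at all.
    notes:    settings that are valid but explain why it is not invoked on every request.
    """
    problems, notes = [], []

    auth_type = method.get("authorizationType", "NONE")
    if auth_type != "CUSTOM":
        problems.append(
            f"method {method.get('httpMethod', '?')} has authorizationType={auth_type}; "
            "a Lambda authorizer requires CUSTOM")
    elif method.get("authorizerId") != authorizer.get("id"):
        problems.append(
            f"method points at authorizerId={method.get('authorizerId')!r}, "
            f"but this authorizer is {authorizer.get('id')!r}")

    if authorizer.get("type") not in ("TOKEN", "REQUEST"):
        problems.append(f"authorizer type {authorizer.get('type')!r} is not a Lambda authorizer")

    if not authorizer.get("authorizerUri"):
        problems.append("authorizer has no authorizerUri (no Lambda function assigned)")

    # Absent field means the console default of 300 s applies.
    ttl = authorizer.get("authorizerResultTtlInSeconds", DEFAULT_TTL_SECONDS)

    # TOKEN authorizers need an identity source; REQUEST ones need one when caching is on,
    # because the identity source values form the cache key.
    if not authorizer.get("identitySource") and (authorizer.get("type") == "TOKEN" or ttl > 0):
        problems.append("authorizer has no identitySource; requests are rejected with 401 "
                        "before the Lambda runs")

    if ttl > 0:
        notes.append(f"results are cached for {ttl}s per identity-source value, so the "
                     "Lambda only runs on cache misses (set the TTL to 0 to disable)")

    return problems, notes


# Constructed sample configurations (not real AWS resources).
SAMPLE_AUTHORIZER = {
    "id": "iiii2l",
    "name": "example-authorizer",
    "type": "TOKEN",
    "authorizerUri": ("arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/"
                      "arn:aws:lambda:eu-west-1:000000000000:function:example/invocations"),
    "identitySource": "method.request.header.Authorization",
    # authorizerResultTtlInSeconds deliberately absent: the 300 s default applies
}
METHOD_MISSING_AUTH = {"httpMethod": "GET", "authorizationType": "NONE"}
METHOD_OK = {"httpMethod": "GET", "authorizationType": "CUSTOM", "authorizerId": "iiii2l"}


if __name__ == "__main__":
    for label, method in (("misconfigured", METHOD_MISSING_AUTH), ("correct", METHOD_OK)):
        problems, notes = check_authorizer_wiring(method, SAMPLE_AUTHORIZER)
        print(label, "problems:", problems)
        print(label, "notes:", notes)
```

None of these checks can tell whether the settings have actually been deployed to the stage; that is a separate step, and, as several answers on this page say, the most common reason an authorizer is never invoked.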