I want to build a serverless system using AWS Lambda + API Gateway where I will have some public APIs and some other APIs for internal usage only (all will be implemented with Lambda functions and Node JS).
My question is specific on how to create those internal APIs which will NOT be exposed to the outside world but only to a handful of lambda functions.
I know all APIs defined in the Gateway are public. How can I manage the caller of the API to be only from my own recognized AWS resources (specifically my Lambda functions)?
I am aware a possible answer will be to simply call the Lambda function directly and not via the API Gateway. This will of course work, but the downside here is that it couples the implementation to AWS, while I am trying to get a solution which is constructed of Node micro-services calling each other via REST APIs.
Thanks.
As documented here:
To assign custom access permissions to the method, in the Authorization Settings area, for Authorization Type, choose Edit, and then choose AWS_IAM. Only IAM roles with the correct IAM policy attached will be allowed to call this method.
Then you would just need to assign an appropriate IAM role to your Lambda function(s) in order to allow them to call those private API Gateway methods.
I am deploying several AWS Lambda functions that are accessed via AWS API Gateway. I want to restrict one of these functions so that it can't be accessed unless you are in a particular IP address range (our VPN), while allowing the rest of the functions to be open to anyone who calls them. Can I do this? If so, how? I have seen several examples where restriction of access to a subset of IPs is done by configuration of the provider section of the serverless yaml. However, that would affect all of my functions and I don't want to have any of my other functions affected.
Thank you!
IP-based control to your API Gateway can be done either by a WAF or a custom Authoriser function (might be called Lambda Authorizer now). See here for an example. You can specify a Lambda function in your serverless yaml for this authorizerFunc. There is support for this in serverless. For the endpoints you want protected from certain IPs put: authorizer: authorizerFunc in the events section, and leave the other endpoints which you want accessible to all alone.
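The Lambda Authorizer route from the answer above, as an added example that is not the answerer's code: a REQUEST-type authorizer that returns Allow only when the caller's address is inside the VPN range, attached to the one endpoint that needs it. The VPN range `203.0.113.0/24`, the function names and the serverless.yml layout in the comment are assumed. It must be a REQUEST authorizer (not TOKEN), because only that event type carries `requestContext.identity.sourceIp`.

```javascript
// Added example (not part of the original answer): a REQUEST-type Lambda
// authorizer that admits one endpoint only from the VPN's address range,
// while endpoints without an authorizer stay open. The range 203.0.113.0/24
// and the serverless.yml layout below are assumed.
//
//   functions:
//     authorizerFunc:
//       handler: authorizer.handler
//     vpnOnly:
//       handler: handler.vpnOnly
//       events:
//         - http:
//             path: admin/report
//             method: get
//             authorizer:
//               name: authorizerFunc
//               type: request          # REQUEST authorizers receive the source IP
//               resultTtlInSeconds: 0  # no caching: the decision depends on the caller's IP
//     publicFn:
//       handler: handler.publicFn
//       events:
//         - http: { path: hello, method: get }   # no authorizer key, open to all

const ALLOWED_CIDRS = (process.env.ALLOWED_CIDRS || '203.0.113.0/24').split(',').map((c) => c.trim());

// Parse a dotted-quad IPv4 address into a number. Plain arithmetic rather
// than bit shifts, so addresses above 127.255.255.255 do not go negative.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`not an IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// A bare address is treated as /32.
function inCidr(ip, cidr) {
  const [net, prefix = '32'] = cidr.split('/');
  const bits = Number(prefix);
  if (!/^\d{1,2}$/.test(prefix) || bits > 32) throw new Error(`bad CIDR: ${cidr}`);
  const hostBits = 2 ** (32 - bits); // compare the network portions only
  return Math.floor(ipv4ToInt(ip) / hostBits) === Math.floor(ipv4ToInt(net) / hostBits);
}

// Any parse failure (IPv6 caller, malformed range) is treated as "not allowed".
function isAllowed(ip, cidrs = ALLOWED_CIDRS) {
  try {
    return cidrs.some((cidr) => inCidr(ip, cidr));
  } catch (err) {
    return false;
  }
}

function policy(effect, methodArn, principalId) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
    },
  };
}

// API Gateway fills requestContext.identity.sourceIp from the TCP connection
// it accepted, so unlike an X-Forwarded-For header the caller cannot forge it.
// A Deny policy turns into a 403 for the request.
function authorize(event) {
  const ctx = event.requestContext || {};
  const ip = ctx.identity && ctx.identity.sourceIp;
  const effect = ip && isAllowed(ip) ? 'Allow' : 'Deny';
  return policy(effect, event.methodArn, ip || 'unknown');
}

// Lambda entry point.
if (typeof exports === 'object') exports.handler = async (event) => authorize(event);
```

Caching is switched off with `resultTtlInSeconds: 0` because the cached decision would be keyed on the identity source, not on the address; if you do enable caching, make the source IP part of the identity source or two callers from different networks can share one cached Allow. A WAF IPSet rule in front of the API gives the same result without a function invocation per request, but applies per stage rather than per method.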
I have a lambda function exposed via API gateway but when I try to request it using fetch it is saying that I am forbidden to access it. How do I allow my function to call another function via API gateway?
There can be multiple reasons for it.
Check whether your API Gateway endpoint is open or not. While specifying the trigger for Lambda you must have selected one option for security. You can edit this in the API Gateway Method Execution tab under Authorization Settings: select Authorization: None and API key required: false.
You might not have enabled CORS on your API, and due to that your API is not available across regions.
Your API Gateway does not have access to the Lambda function. You can fix that by attaching an IAM role to your API Gateway API which can trigger your Lambda function.
I have created a REST API using lambda and API gateway.
I want to give access for this API to another lambda function which is running in another AWS account.
I was thinking to create IAM based authorisation for this API. But I am not sure if this cross-AWS account based IAM authorisation is feasible?
Any better suggestions?
You can assume a role in the target account and then invoke the lambda directly using the temporary credentials. This method does not require an integration with API gateway.
You can also use IAM Authentication from anywhere if the API is publicly available. You will have to store the designated credentials.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
I want to publish my application and provide Lambdas to others, so that on exporting the Lambda package no one can get the Lambda code.
You should create an API Gateway which will connect the application to your Lambda code. Give that API endpoint URL to the others and they will call your Lambda function through that. This way they cannot know what's going on in your Lambda code.
Ideal way is to use API gateway and use it as trigger for your Lambda and share that endpoint to the users.
However, if you don't want that you should probably consider cross-account access with a cross-account role (give permission to execute just the Lambda you want to expose and set up the trust relationship). Let them assume this role and call this Lambda.
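The cross-account pattern that both the answer above and the answer to the previous question describe (assume a role in the target account, then invoke the Lambda directly with the temporary credentials), as an added example that is not code from either answerer. Account ids, role names and the function name are assumed. The three policy documents are the part people usually get wrong: the trust policy on the target role, the permission policy on that role, and the `sts:AssumeRole` grant on the caller's own execution role.

```javascript
// Added example (not part of either answer): a Lambda in the caller account
// invoking a Lambda owned by another account through an assumed role. Account
// ids, role names and the function name are assumed:
//   caller  222222222222, execution role  arn:aws:iam::222222222222:role/CallerLambdaRole
//   target  111111111111, role to assume  arn:aws:iam::111111111111:role/InvokeOrderServiceRole
//   target function  arn:aws:lambda:eu-west-1:111111111111:function:OrderService

// 1. Trust policy on the target role: trust the caller's execution role only.
//    Trusting the caller account's ":root" would let any role there assume it.
function trustPolicy(callerRoleArn) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { AWS: callerRoleArn }, Action: 'sts:AssumeRole' }],
  };
}

// 2. Permission policy on the target role: invoke exactly this function.
//    Without lambda:GetFunction the caller can run the code but not download
//    it, which is the "share without exposing the package" case above.
function invokePermission(functionArn) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: 'lambda:InvokeFunction', Resource: functionArn }],
  };
}

// 3. The caller's execution role must itself be allowed to assume the target role.
function assumeRolePermission(targetRoleArn) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: targetRoleArn }],
  };
}

// arn:aws:lambda:<region>:<account>:function:<name>[:<qualifier>]
function parseFunctionArn(arn) {
  const m = /^arn:aws:lambda:([a-z0-9-]+):(\d{12}):function:([A-Za-z0-9_-]+)(?::([A-Za-z0-9_$-]+))?$/.exec(arn);
  if (!m) throw new Error(`not a Lambda function ARN: ${arn}`);
  return { region: m[1], accountId: m[2], name: m[3], qualifier: m[4] || null };
}

// Temporary credentials are kept across warm invocations and refreshed a
// minute before expiry. The SDK modules are required lazily so this file also
// loads where they are absent (the Lambda Node.js runtime ships them).
let cached = null;
async function credentialsFor(roleArn, sessionName) {
  if (cached && cached.expiresAt - Date.now() > 60000) return cached.creds;
  const { STSClient, AssumeRoleCommand } = require('@aws-sdk/client-sts');
  const { Credentials } = await new STSClient({}).send(new AssumeRoleCommand({
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    DurationSeconds: 900, // the shortest allowed; long sessions widen the blast radius of a leak
  }));
  cached = {
    creds: {
      accessKeyId: Credentials.AccessKeyId,
      secretAccessKey: Credentials.SecretAccessKey,
      sessionToken: Credentials.SessionToken,
    },
    expiresAt: new Date(Credentials.Expiration).getTime(),
  };
  return cached.creds;
}

async function invokeCrossAccount({ roleArn, functionArn, payload }) {
  const { region } = parseFunctionArn(functionArn);
  const credentials = await credentialsFor(roleArn, 'cross-account-invoke');
  const { LambdaClient, InvokeCommand } = require('@aws-sdk/client-lambda');
  const lambda = new LambdaClient({ region, credentials });
  const res = await lambda.send(new InvokeCommand({
    FunctionName: functionArn,
    Payload: Buffer.from(JSON.stringify(payload)),
  }));
  if (res.FunctionError) throw new Error(`remote function failed: ${res.FunctionError}`);
  return JSON.parse(Buffer.from(res.Payload).toString('utf8'));
}

// Usage from the caller's handler (network call, not run at load time):
// exports.handler = async (event) => invokeCrossAccount({
//   roleArn: 'arn:aws:iam::111111111111:role/InvokeOrderServiceRole',
//   functionArn: 'arn:aws:lambda:eu-west-1:111111111111:function:OrderService',
//   payload: event,
// });
```

If the caller should go through the target account's API Gateway instead (the IAM Authentication option from the earlier answer), the same assumed-role credentials are used to SigV4-sign the HTTPS request, and the target role then needs `execute-api:Invoke` on that method rather than `lambda:InvokeFunction`.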
My application uses Cognito user pools to restrict access so that each user may access their own personal folder read/write in a "private" bucket. In a "public" bucket it is the same, except that everyone has read access to everything and write access only to their own folder. This all works fine when accessed via the JavaScript S3 SDK.
I am now trying to implement access via the API Gateway talking to a Lambda function which accesses S3.
The problem is that it appears that the Cognito Userpool identity is not being used by the Lambda function. If I give the Lambda function role total S3 access then the function is able to access S3 fine and the function works. If however I have the role policies in place to restrict by Cognito Userpool ID as described above, then I get access denied.
It appears to me that the Userpool Cognito Identity is not what the Lambda function is using.
Can anyone suggest the correct configuration for this setup?
thanks
API Gateway and Lambda do not automatically support this use case.
The Lambda function is running with the identity of its execution role, thus its context won't contain the identity attributes from the Cognito user pool. (The context object in the Lambda function contains the context from Lambda's perspective.)
API Gateway exposes the Cognito user pool identity information via the $context.authorizer.claims variable within API Gateway. To access this information from within your Lambda function, you must modify your body mapping template in API Gateway to pass the desired data from $context.authorizer.claims to your Lambda function via the request body. Your Lambda function then reads this information from the request body like any other field.
In this scenario there is no mechanism to automatically restrict permissions to S3 buckets/object on a per Cognito-user basis. You could implement logic within your Lambda function to enforce it using custom code.
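The custom enforcement the answer above ends on, as an added example that is not the answerer's code: the per-user folder rule from the question re-expressed in the Lambda function, using claims that API Gateway injects through the mapping template. The mapping template in the comment, the bucket names and the request shape are assumed. The template puts the verified claims outside the client's own JSON, which matters: if the claims were merged into the same object the client controls, a caller could send a `sub` of their choosing and read someone else's folder.

```javascript
// Added example (not part of the original answer): enforcing the per-user
// folder rule inside the Lambda function from claims that API Gateway
// injects. The integration-request mapping template (VTL, assumed) places the
// verified claims OUTSIDE the client's own JSON so a caller cannot supply them:
//
//   {
//     "claims": { "sub": "$context.authorizer.claims.sub" },
//     "request": $input.json('$')
//   }
//
// Bucket names are assumed.
const PRIVATE_BUCKET = process.env.PRIVATE_BUCKET || 'example-private';
const PUBLIC_BUCKET = process.env.PUBLIC_BUCKET || 'example-public';

// The same rule the question's IAM policies express, evaluated in code:
// every user owns the prefix "<sub>/" in both buckets; the public bucket is
// additionally readable by everyone. Anything else is denied.
function isAuthorized(claims, bucket, key, op) {
  const sub = claims && claims.sub;
  if (typeof sub !== 'string' || sub === '') return false;   // no verified identity
  if (typeof key !== 'string' || key === '') return false;
  if (op !== 'read' && op !== 'write') return false;
  const ownsKey = key.startsWith(`${sub}/`);                  // "u1/" does not match "u10/..."
  if (bucket === PRIVATE_BUCKET) return ownsKey;
  if (bucket === PUBLIC_BUCKET) return op === 'read' || ownsKey;
  return false;                                               // unknown bucket
}

// Handler for the non-proxy integration above. `event.claims` comes from the
// template, `event.request` is whatever the client sent; a "claims" field
// inside event.request is ignored on purpose.
async function handler(event) {
  const { bucket, key, op, content } = event.request || {};
  if (!isAuthorized(event.claims, bucket, key, op)) {
    // Map this error message to a 403 in the method's integration responses.
    throw new Error('Forbidden');
  }
  // Required lazily so the module loads without the SDK (the Lambda runtime ships it).
  const { S3Client, GetObjectCommand, PutObjectCommand } = require('@aws-sdk/client-s3');
  const s3 = new S3Client({});
  if (op === 'write') {
    await s3.send(new PutObjectCommand({ Bucket: bucket, Key: key, Body: content }));
    return { ok: true };
  }
  const res = await s3.send(new GetObjectCommand({ Bucket: bucket, Key: key }));
  return { ok: true, body: await res.Body.transformToString() };
}

if (typeof exports === 'object') exports.handler = handler;
```

With this design the execution role, not the user, is the principal S3 sees, so the role still needs read/write on both buckets and S3 access logs will show the role for every request; log the `sub` from the function if you need a per-user audit trail, and keep `isAuthorized` as the single place the rule lives so a new route cannot bypass it.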