I have implemented a lambda authorizer and integrated it with a lambda proxy integration on the API Gateway.
When I test the authorizer from the API Gateway it works fine, however when I try to invoke the endpoints, on the second lambda, from Postman, the request seems to skip the authorizer and hits directly the second lambda.
I tried also to use the authorizer not only on the API level but also for every method in the API, but that didn't help either.
Since your Authorization is cached for 5 minutes, it does not invoke the authorizer every time you call your API.
Related
I have an issue with API Gateway (REST API) which use authorizer Lambda and usage plan at the same time.
The issue what I'm facing is there are two methods, lets call "A" and "B".
"A" method is using API key for protection, so you need to pass the API key in your request and if its correct you authorized to perform an operation, if not you get a "forbidden" message.
"B" method is using an authorizer Lambda for authorization and don't use API key. The problem is the following: when the authorizer Lambda denies the access for the API with the policy, the API continues the execution because its find the Usage plan and because "B" method don't use API key, it starts the execution.
When I'm not passing token in the request I get the "Unauthorized" message but if the request contains for example a wrong token, the execution starts even though the authorizer Lambda denies the execution.
Is there any way to resolve that conflict to keep the "A" method with API key and "B" method with custom authorization?
CloudWatch logs after an execution with a wrong token
I'm creating an Axios call to an API hosted on APIGateway with no Authorizer etc. I'm able to access the lambda via a direct postman request and also on the service lambda when it's ran in offline mode, such as:
https://localhost:3000/my/api
However when i run it on the dev stage:
12345.execute-api.eu-west-1.amazonaws.com/my/api
I'm getting a a 403: Forbidden error thrown back.
I've seen comments from other posts where they needed to append the staging environment at the end of the request but this isn't the case in this instance as it's just creating a default endpoint and all other lambdas within this service can be hit when ran on dev, it's just this one that makes a call to another APIGateway API.
The calling API is behind an authorizer with a wildcard policy so should allow all traffic and I'd like to reiterate, it works on both localhost and a direct call to the invoked api.
I'm wondering if it's something to do with the policies attached to it but I've set them all to be wildcarded as well so it should allow everything.
Any ideas would be really helpful, I've been wracking my brains over this all day.
Edit: The authorizer has no policy denying access to the API, same as the resource policy.
There are two common reasons why an API Gateway REST API with a Lambda authorizer returns a 403 error:
The Lambda authorizer function returns an AWS Identity and Access Management (IAM) policy document that explicitly denies access to the caller.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html
The second reason will be, The API has an attached resource policy that explicitly denies access to the caller.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html
If both are in place, please update the question with those details.
The scenario is :
I have a Rest api gateway which when triggered invokes a lambda which processes the request and returns the repsonse.
This api endpoint is public.
I have another lambda which will call this API gateway/endpoint and obtain response from it.
Now the queries :
I am directly calling the invoke url of api just like any other api. So is this the right way to do so?
When I put the invoke url in browser address bar, it is giving missing authentication token.
How to actually call the url in calling lambda, i mean how to pass tokens; in Node.js ?
Thanks 😊
Well, the questions are quite wide enough. I'm trying to answer as much as possible.
First, the design you are following of Rest API -> Lambda, it is called 'Integration Type' is 'Lambda function' and use 'Use Lambda Proxy integration'.
Please take a look on the documentation here and an example here
Go through the document I believe you will understand in-out of this model. At high level, this model API Gateway is passing through request and response and you (Lambda) will handle everything.
Question 1:
I am directly calling the invoke url of api just like any other api. So is this the right way to do so?
[Answer] There is nothing wrong with this model. And yes, you can call this API (Lambda proxy) as any Rest API.
Question 2:
When I put the invoke url in browser address bar, it is giving missing authentication token
[Answer] Please check the setting of your API. As the below screen-shot, my api is using Cognito as Authorizer. It means consumers need to provide 'Token' (oAuth2 for example) when calling the API. You can use either Lambda authorizer or Cognito authroizer. It's up to you.
And if you are not requiring any authorizer, you can set it as NONE so there is no authentication token require for your API.
In short, the message you are getting now it means your API is having an 'Authorizer' and you are not sending token along with request.
Question 3:
How to actually call the url in calling lambda, i mean how to pass tokens; in Node.js ?
It is pretty common. You can google it like 'oAuth2 in Node.js', it will give you tons of examples
https://resources.infosecinstitute.com/securing-web-apis-part-ii-creating-an-api-authenticated-with-oauth-2-in-node-js/
https://stormpath.com/blog/talking-to-oauth2-services-with-nodejs
I hope it helps. Otherwise, leave your comments and questions.
Thanks,
I am brand new to AWS API Gateway/AWS Lambda/AWS Amplify. I have a React Native application that I am trying to use AWS Amplify to make an API call and issue a PUT request, which would then cause the API Gateway to invoke my AWS Lambda function. When I create the AWS Amplify API endpoint, I don't see a command line option to define a PUT method. The default is "Any", which works, but I would like to specify a PUT method specifically. When I add in a PUT method manually on the API Gateway website and then call it from my React Native front end, I get...
Error: Request failed with status code 500
Looking at the API Gateway responses, this is due to either an "Authorizer Configuration Error" or an "Authorizer Failure", so I am assuming the problem is not with my front end code but with the configuration of "authorizers" on the API Gateway. What are authorizers? How do they relate to making an API call? And what steps can I take to troubleshoot what the problem might be?
You can use a lambda, a Cognito User Pool or an IaM role as an Authorizer. The short version is that your API endpoints can either be open and public or have an Authorizer, if they have an authorizer then they have to be setup correctly. It is set through the API Gateway config for an endpoint in the Method Request section.
AWS Lambda authorizer info:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
AWS Cognito Info:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
I am fairly new to lambda and trying to wrap my head around it. I created a basic hello world function and invoked it through
aws lambda invoke
My question is
Dont I have to create an API gateway and expose the lambda function through the API gateway for it work.
How does aws lambda invoke if I have not created a gateway and exposed the function?
You do not have to necessarily create API gateway for invoking lambda function. Every lambda function is already available to be accessed via Amazon's Web Service using API:
POST /2015-03-31/functions/FunctionName/invocations?Qualifier=Qualifier HTTP/1.1
See http://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html for more details.
However, the above API expects that the request payload is signed using aws signature version 4 . The CLI call aws lambda invoke automatically takes care of that piece once you have configured valid access and secret keys.
The API Gateway in front of lambda allows you to add:
Custom resource names
Custom authentication schemes (even no authentication if desired)
Custom way of sending payload
and more...
In summary, API Gateway gives you more control over the API resource and can even abstract the user from internals of AWS API.