Is it possible to have an Authorizer Lambda and a Proxy Lambda in the API Gateway?













I am routing calls to my backend API, hosted on AWS through API Gateway. The client requests include a JWT token which is validated by a Lambda authorizer that generates an IAM policy, which is then cached by the API Gateway, before hitting the API endpoints.

I would like to add another Lambda function to do some verification on the request that is separate from the JWT token validation done by the Lambda authorizer. Only if the verification succeeds will the client requests be passed to the backend. Is such a scenario possible?



Thank you!











amazon-web-services aws-lambda aws-api-gateway

asked Jan 2 at 21:18 by mohamed

2 Answers

Is it possible to have an Authorizer Lambda and a Proxy Lambda in the API Gateway?

Yes, it is possible to have API Gateway wire up an authorizer Lambda to a proxy Lambda, but it sounds like you also want to have the proxy Lambda wired up to a separate Lambda. (Perhaps you're looking for "request filters" à la the Spring model.) API Gateway and Lambda do not support this structure as well as one would hope.

If you want to implement a service-level separation of concerns, you may want to look into Lambda to Lambda invocation. In the model you propose, this would look something like...

Gateway Authorizer λ -> Gateway Proxy λ (perform routing) -> "backend" λ

What this buys you is the ability to have custom routing and validation logic at the proxy level. However, I should issue the following notes of caution:

• The proxy Lambda will need to wait for the backend Lambda to finish processing to return a result back to the gateway, meaning that you will essentially be billed double for every request (this is simplified, since you may have different Lambda sizes with different billing rates, but you get my point).

• You are moving configuration out of the AWS Console and into a more managed solution. This may not be an issue in your case, but it is something to keep in mind as your application grows if the scalability of your routing solution becomes a bottleneck.

One feature of AWS Lambda which you may be interested in is Lambda Layers. This will be more of a code-level separation than a service-level separation, which may or may not be sufficient in your case.

In practice, my team used the API Gateway Authorizer only to solve AuthN (as it sounds like you are doing). We then had each Lambda handle its specific input validation (query parameters, request bodies, etc.) and handle AuthZ by querying a custom service.

Hope this helps. Good luck :).


answered Jan 2 at 23:05 by Ming Slogar
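
The Authorizer λ -> Proxy λ -> "backend" λ chain from the answer above, as an added example that is not part of the original answer or any AWS sample code: a proxy handler that runs a second check on every request (API Gateway may serve the authorizer's policy from its cache, but the proxy still executes each time) and invokes the backend synchronously only when that check passes. It assumes the REST API Lambda proxy event format; the `X-Tenant-Id` header, the `tenantId` authorizer context key and the `BACKEND_FUNCTION` environment variable are hypothetical names chosen for illustration.

```python
import json
import os

# Assumed name of the backend function, supplied through the proxy's environment.
BACKEND_FUNCTION = os.environ.get("BACKEND_FUNCTION", "backend-fn-placeholder")


def _resp(status, message):
    return {"statusCode": status, "body": json.dumps({"message": message})}


def verify_request(event):
    """Hypothetical per-request check: the X-Tenant-Id header must match the
    tenantId the authorizer placed in its context. Returns None when the
    request may pass, otherwise the reason for rejecting it."""
    auth = (event.get("requestContext") or {}).get("authorizer") or {}
    if not auth.get("principalId"):
        return "no authorizer context"  # e.g. route deployed without the authorizer
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    tenant = headers.get("x-tenant-id")
    if not tenant or tenant != auth.get("tenantId"):
        return "tenant mismatch"
    return None


def invoke_backend(event):
    """Synchronous Lambda-to-Lambda call; the proxy is billed while it waits."""
    import boto3  # imported lazily so the module loads without the AWS SDK
    result = boto3.client("lambda").invoke(
        FunctionName=BACKEND_FUNCTION,
        InvocationType="RequestResponse",
        Payload=json.dumps(event).encode(),
    )
    return result.get("FunctionError"), result["Payload"].read()


def handler(event, context, invoke=invoke_backend):
    reason = verify_request(event)
    if reason is not None:
        # The reason goes to the function's log only; the client gets a bare 403.
        print(json.dumps({"decision": "deny", "reason": reason}))
        return _resp(403, "Forbidden")  # fail closed, backend is never invoked
    error, payload = invoke(event)
    if error:
        return _resp(502, "Bad Gateway")  # do not relay the backend's error details
    return json.loads(payload)  # backend is expected to return a proxy-format response
```

The proxy's execution role needs `lambda:InvokeFunction` on the backend function only, and the backend should not be reachable through any route that skips the proxy.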


You can implement Request Validation on API Gateway, but it is mainly used to check that the HTTP call is "valid", meaning headers are present and non-blank and the JSON payload follows a model.

answered Jan 2 at 21:58 by Quentin Revel