A quick'n'dirty exploration of Lambda Authorisers for Amazon API Gateway HTTP APIs
This is all utterly ridiculous in its approach to security, it is for exploration only! 🖖
I've done some, but not much: creating then deleting resources and creating them again (although see Log Groups 🗑). There have been hiccups deleting due to seemingly circular dependencies; deleting again whilst not retaining resources seems to work fine...
Simply, the API Gateway is configured to expect a header (`Authorization`) containing an authorisation value. If the header is missing, API Gateway itself returns a `401` without invoking anything. If the header is present, its value is passed to the authoriser function, which validates it and returns an allow/deny outcome. If the request is authorised, the backend function is invoked and returns the entire `event` object (see AWS documentation), which is stupidly insecure, because that event carries every request header, the `Authorization` value included, but is definitely handy for testing. If the request is not authorised, a `403` is returned.
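The flow above, as an added example that is not the code embedded in the page's CloudFormation template: a simple-response Lambda authoriser (HTTP API payload format 2.0) that compares the header value in constant time, a backend that echoes the event but redacts credential-bearing headers, and a small constructed stand-in for API Gateway's dispatch so the 401/403/200 behaviour can be run offline. The `AUTH_SECRET` environment variable, the default secret value and the `gateway`/`make_event` helpers are assumptions of this example, not part of the page.

```python
"""Lambda authoriser + backend for an API Gateway HTTP API (payload format 2.0).

Added example, not the code from the page's template. Assumptions: the expected
secret is read from the environment variable AUTH_SECRET, and the authoriser is
configured for the "simple" response format (EnableSimpleResponses: true).
"""
import hmac
import json
import os

# Header API Gateway is told to inspect via the authoriser's identitySource
# ("$request.header.Authorization"). If it is absent, API Gateway answers 401
# itself and the authoriser function is never invoked.
HEADER = "authorization"  # HTTP API lower-cases header names in the event

# Constructed default for offline runs; a real deployment would supply it.
EXPECTED = os.environ.get("AUTH_SECRET", "correct-horse:battery/staple")


def authoriser_handler(event, _context=None):
    """Simple-response Lambda authoriser: allow iff the header equals the secret."""
    presented = event.get("headers", {}).get(HEADER, "")
    # compare_digest is constant-time for equal-length inputs, so a partially
    # matching value does not leak how many leading bytes were right.
    ok = hmac.compare_digest(presented.encode(), EXPECTED.encode())
    # Whatever goes in "context" is forwarded to the backend under
    # event["requestContext"]["authorizer"]["lambda"]; never put the secret there.
    return {"isAuthorized": ok, "context": {"principal": "explorer" if ok else "anonymous"}}


SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def backend_handler(event, _context=None):
    """Backend: echo the event for debugging, but redact credential-bearing headers."""
    safe_headers = {
        k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v)
        for k, v in event.get("headers", {}).items()
    }
    body = {
        "rawPath": event.get("rawPath"),
        "headers": safe_headers,
        "authorizer": event.get("requestContext", {}).get("authorizer"),
    }
    return {
        "statusCode": 200,
        "headers": {"content-type": "application/json"},
        "body": json.dumps(body),
    }


def gateway(event):
    """Constructed stand-in for API Gateway's dispatch (assumption, for offline runs).

    Mirrors the behaviour described on the page: missing header -> 401,
    authoriser denies -> 403, otherwise the backend is invoked.
    """
    if HEADER not in event.get("headers", {}):
        return {"statusCode": 401, "body": json.dumps({"message": "Unauthorized"})}
    decision = authoriser_handler(event)
    if not decision["isAuthorized"]:
        return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}
    event.setdefault("requestContext", {})["authorizer"] = {"lambda": decision["context"]}
    return backend_handler(event)


def make_event(auth=None):
    """Constructed HTTP API v2.0 event with only the fields this example reads."""
    headers = {"host": "example.invalid", "user-agent": "curl/8.0"}
    if auth is not None:
        headers[HEADER] = auth
    return {"version": "2.0", "rawPath": "/test", "headers": headers, "requestContext": {}}


if __name__ == "__main__":
    for auth in ("correct-horse:battery/staple", None,
                 "wrong-aardvark:capacitor/nail", "random-horse:battery/staple"):
        resp = gateway(make_event(auth))
        print(auth, "->", resp["statusCode"], resp["body"])
```

Running the block prints one line per case and matches the four `curl` tests later on the page. The redaction in `backend_handler` is the one change worth carrying over to a real deployment: echoing the raw event hands the caller back its own `Authorization` value and anything the authoriser put in `context`.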
```shell
STACK_NAME=APIGatewayHTTPAPIWithLambdaAuthoriser
# To override parameters, add --parameters ParameterKey=KEY,ParameterValue=VALUE to the create-stack
aws cloudformation create-stack --stack-name ${STACK_NAME} --template-body file://lambda_authoriser.yml --capabilities CAPABILITY_NAMED_IAM --no-cli-pager
aws cloudformation wait stack-create-complete --stack-name ${STACK_NAME}
```
Note that this was written whilst supping Jack Daniels one evening, hence the code for the two Lambda functions is embedded in the template... I make no apologies for the readability squint that may require 🥃

Also, `--capabilities CAPABILITY_NAMED_IAM` is required because the template creates IAM roles and policies with explicit names; again, no apologies, I like named IAM roles and policies, what can I say? 😏
The Log Groups are set to `Retain` (via `DeletionPolicy`) to prevent logging data vanishing if the stack is deleted, but this does present a problem (which I'm sure has an elegant solution) when creating the stack again after a deletion: the retained log groups still exist, so the create fails. Adjust the following if you modify the API and/or function names, but this might be handy:
```shell
for log_group in /api/LambdaAuthoriser/test /aws/lambda/authoriser /aws/lambda/backend; do
  aws logs delete-log-group --log-group-name ${log_group}
done
```
For testing, `curl` is nice and easy...
```shell
URL=$(aws cloudformation describe-stacks --stack-name ${STACK_NAME} --query "Stacks[?StackName=='${STACK_NAME}'][].Outputs[?OutputKey=='URL'].OutputValue" --output text --no-cli-pager)

# Correct value: authorised, expect 200 and the echoed event
curl -i -H "Authorization: correct-horse:battery/staple" ${URL}

# Header missing: API Gateway rejects it before the authoriser runs, expect 401
curl -i ${URL}

# Wrong value: the authoriser denies it, expect 403
curl -i -H "Authorization: wrong-aardvark:capacitor/nail" ${URL}

# Partially matching value: still wrong, expect 403
curl -i -H "Authorization: random-horse:battery/staple" ${URL}
```
DO NOT USE THIS NONSENSE FOR ANYTHING OTHER THAN LEARNING! 🔓