AWSCDK::APIGatewayv2Authorizers

11 types

AWS APIGatewayv2 Authorizers

Table of Contents

Introduction

API Gateway supports multiple mechanisms for controlling and managing access to your HTTP API. They are mainly classified into Lambda Authorizers, JWT authorizers, and standard AWS IAM roles and policies. More information is available at Controlling and managing access to an HTTP API.

HTTP APIs

Access control for HTTP APIs is managed by restricting which routes can be invoked via.

Authorizers and scopes can either be applied to the API, or specifically for each route.

Default Authorization

When using default authorization, all routes of the API will inherit the configuration.

In the example below, all routes will require the manage:books scope present in order to invoke the integration.

require 'aws-cdk-lib'


issuer = "https://test.us.auth0.com"
authorizer = AWSCDK::APIGatewayv2Authorizers::HttpJwtAuthorizer.new("DefaultAuthorizer", issuer, {
    jwt_audience: ["3131231"],
})

api = AWSCDK::APIGatewayv2::HttpAPI.new(self, "HttpApi", {
    default_authorizer: authorizer,
    default_authorization_scopes: ["manage:books"],
})

Route Authorization

Authorization can also be configured for each Route. When a route authorization is configured, it takes precedence over default authorization.

The example below showcases default authorization, along with route authorization. It also shows how to remove authorization entirely for a route.

require 'aws-cdk-lib'


issuer = "https://test.us.auth0.com"
authorizer = AWSCDK::APIGatewayv2Authorizers::HttpJwtAuthorizer.new("DefaultAuthorizer", issuer, {
    jwt_audience: ["3131231"],
})

api = AWSCDK::APIGatewayv2::HttpAPI.new(self, "HttpApi", {
    default_authorizer: authorizer,
    default_authorization_scopes: ["read:books"],
})

api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("BooksIntegration", "https://get-books-proxy.example.com"),
    path: "/books",
    methods: [AWSCDK::APIGatewayv2::HttpMethod::GET],
})

api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("BooksIdIntegration", "https://get-books-proxy.example.com"),
    path: "/books/{id}",
    methods: [AWSCDK::APIGatewayv2::HttpMethod::GET],
})

api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("BooksIntegration", "https://get-books-proxy.example.com"),
    path: "/books",
    methods: [AWSCDK::APIGatewayv2::HttpMethod::POST],
    authorization_scopes: ["write:books"],
})

api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("LoginIntegration", "https://get-books-proxy.example.com"),
    path: "/login",
    methods: [AWSCDK::APIGatewayv2::HttpMethod::POST],
    authorizer: AWSCDK::APIGatewayv2::HttpNoneAuthorizer.new,
})

JWT Authorizers

JWT authorizers allow the use of JSON Web Tokens (JWTs) as part of OpenID Connect and OAuth 2.0 frameworks to allow and restrict clients from accessing HTTP APIs.

When configured, API Gateway validates the JWT submitted by the client, and allows or denies access based on its content.

The location of the token is defined by the identity_source which defaults to the HTTP Authorization header. However it also supports a number of other options. It then decodes the JWT and validates the signature and claims, against the options defined in the authorizer and route (scopes). For more information check the JWT Authorizer documentation.

Clients that fail authorization are presented with either 2 responses:

require 'aws-cdk-lib'


issuer = "https://test.us.auth0.com"
authorizer = AWSCDK::APIGatewayv2Authorizers::HttpJwtAuthorizer.new("BooksAuthorizer", issuer, {
    jwt_audience: ["3131231"],
})

api = AWSCDK::APIGatewayv2::HttpAPI.new(self, "HttpApi")

api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("BooksIntegration", "https://get-books-proxy.example.com"),
    path: "/books",
    authorizer: authorizer,
})

User Pool Authorizer

User Pool Authorizer is a type of JWT Authorizer that uses a Cognito user pool and app client to control who can access your API. After a successful authorization from the app client, the generated access token will be used as the JWT.

Clients accessing an API that uses a user pool authorizer must first sign in to a user pool and obtain an identity or access token. They must then use this token in the specified identity_source for the API call. More information is available at using Amazon Cognito user pools as authorizer.

require 'aws-cdk-lib'


user_pool = AWSCDK::Cognito::UserPool.new(self, "UserPool")

authorizer = AWSCDK::APIGatewayv2Authorizers::HttpUserPoolAuthorizer.new("BooksAuthorizer", user_pool)

api = AWSCDK::APIGatewayv2::HttpAPI.new(self, "HttpApi")

api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("BooksIntegration", "https://get-books-proxy.example.com"),
    path: "/books",
    authorizer: authorizer,
})

Lambda Authorizers

Lambda authorizers use a Lambda function to control access to your HTTP API. When a client calls your API, API Gateway invokes your Lambda function and uses the response to determine whether the client can access your API.

Lambda authorizers depending on their response, fall into either two types - Simple or IAM. You can learn about differences here.

If the Lambda function is in another account, you need to provide an IAM role to the authorizer that has permission to invoke the Lambda function.

require 'aws-cdk-lib'

# This function handles your auth logic
auth_handler = nil # AWSCDK::Lambda::Function

# This role will be used to invoke the Lambda function
role = nil # AWSCDK::IAM::Role


authorizer = AWSCDK::APIGatewayv2Authorizers::HttpLambdaAuthorizer.new("BooksAuthorizer", auth_handler, {
    response_types: [AWSCDK::APIGatewayv2Authorizers::HttpLambdaResponseType::SIMPLE],
    role: role,
})

api = AWSCDK::APIGatewayv2::HttpAPI.new(self, "HttpApi")

api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("BooksIntegration", "https://get-books-proxy.example.com"),
    path: "/books",
    authorizer: authorizer,
})

IAM Authorizers

API Gateway supports IAM via the included HttpIamAuthorizer and grant syntax:

require 'aws-cdk-lib'

principal = nil # AWSCDK::IAM::AnyPrincipal


authorizer = AWSCDK::APIGatewayv2Authorizers::HttpIAMAuthorizer.new

http_api = AWSCDK::APIGatewayv2::HttpAPI.new(self, "HttpApi", {
    default_authorizer: authorizer,
})

routes = http_api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("BooksIntegration", "https://get-books-proxy.example.com"),
    path: "/books/{book}",
})

routes[0].grant_invoke(principal)

WebSocket APIs

You can set an authorizer to your WebSocket API's $connect route to control access to your API.

Lambda Authorizer

Lambda authorizers use a Lambda function to control access to your WebSocket API. When a client connects to your API, API Gateway invokes your Lambda function and uses the response to determine whether the client can access your API.

require 'aws-cdk-lib'

# This function handles your auth logic
auth_handler = nil # AWSCDK::Lambda::Function

# This function handles your WebSocket requests
handler = nil # AWSCDK::Lambda::Function


authorizer = AWSCDK::APIGatewayv2Authorizers::WebSocketLambdaAuthorizer.new("Authorizer", auth_handler)

integration = AWSCDK::APIGatewayv2Integrations::WebSocketLambdaIntegration.new("Integration", handler)

AWSCDK::APIGatewayv2::WebSocketAPI.new(self, "WebSocketApi", {
    connect_route_options: {
        integration: integration,
        authorizer: authorizer,
    },
})

IAM Authorizer

IAM authorizers can be used to allow identity-based access to your WebSocket API.

require 'aws-cdk-lib'

# This function handles your connect route
connect_handler = nil # AWSCDK::Lambda::Function


web_socket_api = AWSCDK::APIGatewayv2::WebSocketAPI.new(self, "WebSocketApi")

web_socket_api.add_route("$connect", {
    integration: AWSCDK::APIGatewayv2Integrations::WebSocketLambdaIntegration.new("Integration", connect_handler),
    authorizer: AWSCDK::APIGatewayv2Authorizers::WebSocketIAMAuthorizer.new,
})

# Create an IAM user (identity)
user = AWSCDK::IAM::User.new(self, "User")

web_socket_arn = AWSCDK::Stack.of(self).format_arn({
    service: "execute-api",
    resource: web_socket_api.api_id,
})

# Grant access to the IAM user
user.attach_inline_policy(AWSCDK::IAM::Policy.new(self, "AllowInvoke", {
    statements: [
        AWSCDK::IAM::PolicyStatement.new({
            actions: ["execute-api:Invoke"],
            effect: AWSCDK::IAM::Effect::ALLOW,
            resources: [web_socket_arn],
        }),
    ],
}))

Import Issues

jsiirc.json file is missing during the stablization process of this module, which caused import issues for DotNet and Java users who attempt to use this module. Unfortunately, to guarantee backward compatibility, we cannot simply correct the namespace for DotNet or package for Java. The following outlines the workaround.

DotNet Namespace

Instead of the conventional namespace Amazon.CDK.AWS.Apigatewayv2.Authorizers, you would need to use the following namespace:

using Amazon.CDK.AwsApigatewayv2Authorizers;;

Java Package

Instead of conventional package import software.amazon.awscdk.services.apigatewayv2_authorizers.*, you would need to use the following package:

import software.amazon.awscdk.aws_apigatewayv2_authorizers.*;

// If you want to import a specific construct
import software.amazon.awscdk.aws_apigatewayv2_authorizers.WebSocketIamAuthorizer;

Export HTTP Authorizer Id

You can retrieve the authorizer's id once it has been bound to a route to export the value.

HttpAuthorizer.fromHttpAuthorizerAttributes

require 'aws-cdk-lib'

# This function handles your auth logic
auth_handler = nil # AWSCDK::Lambda::Function


authorizer = AWSCDK::APIGatewayv2Authorizers::HttpLambdaAuthorizer.new("BooksAuthorizer", auth_handler, {
    response_types: [AWSCDK::APIGatewayv2Authorizers::HttpLambdaResponseType::SIMPLE],
})

api = AWSCDK::APIGatewayv2::HttpAPI.new(self, "HttpApi")

api.add_routes({
    integration: AWSCDK::APIGatewayv2Integrations::HttpURLIntegration.new("BooksIntegration", "https://get-books-proxy.example.com"),
    path: "/books",
    authorizer: authorizer,
})

# You can only access authorizerId after it's been bound to a route
# In this example we expect use CfnOutput
AWSCDK::CfnOutput.new(self, "authorizerId", {value: authorizer.authorizer_id})
AWSCDK::CfnOutput.new(self, "authorizerType", {value: authorizer.authorization_type})

Import an existing HTTP Authorizer

If you want to import av existing HTTP Authorizer you simply provide the authorizer id and authorizer type used when the authorizer was created.

require 'aws-cdk-lib'


authorizer_id = AWSCDK::Fn.import_value("authorizerId")
authorizer_type = AWSCDK::Fn.import_value("authorizerType")

authorizer = AWSCDK::APIGatewayv2::HttpAuthorizer.from_http_authorizer_attributes(self, "HttpAuthorizer", {
    authorizer_id: authorizer_id,
    authorizer_type: authorizer_type,
})

API Reference

Classes 6

HttpIAMAuthorizerAuthorize HTTP API Routes with IAM. HttpJwtAuthorizerAuthorize Http Api routes on whether the requester is registered as part of an AWS Cognito HttpLambdaAuthorizerAuthorize Http Api routes via a lambda function. HttpUserPoolAuthorizerAuthorize Http Api routes on whether the requester is registered as part of an AWS Cognito WebSocketIAMAuthorizerAuthorize WebSocket API Routes with IAM. WebSocketLambdaAuthorizerAuthorize WebSocket Api routes via a lambda function.

Interfaces 4

HttpJwtAuthorizerPropsProperties to initialize HttpJwtAuthorizer. HttpLambdaAuthorizerPropsProperties to initialize HttpTokenAuthorizer. HttpUserPoolAuthorizerPropsProperties to initialize HttpUserPoolAuthorizer. WebSocketLambdaAuthorizerPropsProperties to initialize WebSocketTokenAuthorizer.

Enums 1

HttpLambdaResponseTypeSpecifies the type responses the lambda returns.