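---
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: >-
  REST API fronted by a Lambda TOKEN authorizer. The authorizer function in
  this template is a stub that grants access to any client presenting the
  literal token "allow"; replace it with real token verification before the
  API is reachable by anyone untrusted.

Resources:
  # Execution role for the authorizer function only. Least privilege: it
  # writes its own CloudWatch logs and nothing else.
  LambdaFuncRoleForAuthorizer:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: LambdaExecutionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Scoped to this function's own log group rather than
              # arn:aws:logs:*:*:*. The path must track FunctionName on
              # AuthorizerForAPIGW below.
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/authorizer-for-api-gw:*'
              # The former lambda:InvokeFunction grant on MyLambdaFunction
              # was dropped: the authorizer code never invokes the backend.
              # API Gateway invokes it through the permission SAM creates
              # for the Api event.

  # Backend handler behind POST /. Protected by the API's DefaultAuthorizer.
  MyLambdaFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Runtime: python3.10
      Handler: index.handler
      Events:
        getEndpoint:
          Type: Api
          Properties:
            RestApiId: !Ref MyApi
            Path: /
            Method: POST
      InlineCode: |
        def handler(event, context):
            return {'body': 'Hello World!', 'statusCode': 200}

  MyApi:
    Type: 'AWS::Serverless::Api'
    Properties:
      Name: !Join ['', ['test-api-gw-', 'dev']]
      # NOTE(review): the stage is 'prod' while the API name and the log
      # group below say 'dev' and the log group tags say 'Production';
      # settle on one environment label.
      StageName: prod
      # Explicit OpenAPI definition, currently disabled; SAM generates one
      # from the function Events instead.
      # DefinitionBody:
      #   swagger: '2.0'
      #   info:
      #     title: 'My API'
      #     version: '1.0'
      #   paths:
      #     /hello:
      #       get:
      #         responses:
      #           '200':
      #             description: 'OK'
      #         x-amazon-apigateway-integration:
      #           httpMethod: GET
      #           type: AWS_PROXY
      #           uri:
      #             Fn::Sub: 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyLambdaFunction.Arn}/invocations'
      Auth:
        # Every method gets the TOKEN authorizer unless it opts out.
        DefaultAuthorizer: APIGWAuthorizer
        # No CORS is configured on this API, so this has no effect today.
        AddDefaultAuthorizerToCorsPreflight: false
        Authorizers:
          APIGWAuthorizer:
            FunctionArn: !GetAtt AuthorizerForAPIGW.Arn
            Identity:
              # No Header/ValidationExpression is set, so SAM's default
              # (the Authorization header) is passed to Lambda unfiltered.
              # A TTL of 0 disables result caching: every request is
              # re-authorized. Keep it that way while the authorizer scopes
              # its policy to a single methodArn — a cached policy for one
              # method would be reused, and deny, for every other method.
              ReAuthorizeEvery: 0
        ResourcePolicy:
          CustomStatements:
            # NOTE(review): this Allow can never match as written.
            # aws:userid is "<role-id>:<session-name>", not an ARN;
            # StringEquals does no wildcard matching, so the trailing "*"
            # is literal; and ${LambdaFuncRoleForAuthorizer.Arn} already
            # expands to a full IAM role ARN, which is then nested inside
            # an sts assumed-role ARN. If the intent is "only callers that
            # assumed that role", the usual form is StringLike on
            # aws:PrincipalArn against
            # arn:aws:sts::<account>:assumed-role/<role name>/*.
            # Callers of a TOKEN-authorized API are normally not
            # SigV4-signed, though, so decide first whether a resource
            # policy belongs here at all. Left byte-identical pending that
            # decision.
            - Effect: Allow
              Principal: '*'
              Action: 'execute-api:Invoke'
              Resource: 'execute-api:/*'
              Condition:
                StringEquals:
                  'aws:userid': !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/${LambdaFuncRoleForAuthorizer.Arn}/*'
      MethodSettings:
        - ResourcePath: '/*'
          HttpMethod: '*'
          MetricsEnabled: true
          # Was true. Data trace logging copies full request and response
          # payloads into CloudWatch Logs, which is too much for a stage
          # named 'prod'; it also requires the account-level API Gateway
          # CloudWatch Logs role, which this template does not create.
          DataTraceEnabled: false
      Tags:
        what: hello

  # NOTE(review): nothing references this log group — MyApi has no
  # AccessLogSetting pointing at it. Wiring it up as-is would create a
  # dependency cycle because the name below embeds !Ref MyApi.
  ApiGatewayLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: !Join ['', ['test-api-gw-log-grp-', !Ref MyApi, '/', 'dev']]
      RetentionInDays: 30
      Tags:
        - Key: Environment
          Value: Production
        - Key: Owner
          Value: MyTeam

  # Lambda TOKEN authorizer. Receives the Authorization header value in
  # event.authorizationToken and returns an IAM policy for event.methodArn.
  AuthorizerForAPIGW:
    Type: 'AWS::Serverless::Function'
    Properties:
      # Fixed name: only one copy of this stack can exist per account and
      # region, and the log-group ARN in LambdaFuncRoleForAuthorizer
      # depends on this exact value.
      FunctionName: authorizer-for-api-gw
      Role: !GetAtt LambdaFuncRoleForAuthorizer.Arn
      # InlineCode is packaged as index.js at the zip root, so the handler
      # is index.handler; the previous 'src/index.handler' cannot be loaded.
      Handler: index.handler
      # nodejs16.x is deprecated in Lambda and no longer receives patches.
      Runtime: nodejs20.x
      MemorySize: 320
      Timeout: 20
      InlineCode: |
        // PLACEHOLDER AUTHORIZER. Any client whose Authorization header is
        // the literal string "allow" is granted access; "deny" is refused.
        // Replace the switch with real verification (signature, issuer,
        // expiry, audience) before exposing this API.
        exports.handler = function (event, context, callback) {
          var token = event.authorizationToken;
          switch (token) {
            case 'allow':
              callback(null, generatePolicy('user', 'Allow', event.methodArn));
              break;
            case 'deny':
              callback(null, generatePolicy('user', 'Deny', event.methodArn));
              break;
            case 'unauthorized':
            default:
              // Every unrecognised token is a client error. The literal
              // "Unauthorized" makes API Gateway answer 401; any other
              // error string (the original returned "Error: Invalid token"
              // here) surfaces as a 500 that is indistinguishable from an
              // authorizer crash in metrics and alarms.
              callback('Unauthorized');
          }
        };

        // Build the authorizer response: an IAM policy document with a
        // single execute-api:Invoke statement of the given effect on the
        // given resource, plus a principalId and a context map that is
        // forwarded to the backend integration.
        var generatePolicy = function (principalId, effect, resource) {
          var authResponse = {};
          // Placeholder: should be the verified subject of the token.
          authResponse.principalId = principalId;
          if (effect && resource) {
            var policyDocument = {};
            policyDocument.Version = '2012-10-17';
            policyDocument.Statement = [];
            var statementOne = {};
            statementOne.Action = 'execute-api:Invoke';
            statementOne.Effect = effect;
            // Scoped to the single method being called (see the caching
            // note on ReAuthorizeEvery in MyApi).
            statementOne.Resource = resource;
            policyDocument.Statement[0] = statementOne;
            authResponse.policyDocument = policyDocument;
            console.log('statement', statementOne);
            console.log('policyDocument', policyDocument);
          }
          // Dummy context values; the backend sees them as
          // event.requestContext.authorizer.*.
          authResponse.context = {
            stringKey: 'stringval',
            numberKey: 123,
            booleanKey: true
          };
          return authResponse;
        };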