AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::ApiGateway::Authorizer

The AWS::ApiGateway::Authorizer resource creates an authorization layer that Amazon API Gateway (API Gateway) activates for methods that have authorization enabled. API Gateway activates the authorizer when a client calls those methods.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::ApiGateway::Authorizer",
  "Properties" : {
    "AuthorizerCredentials" : String,
    "AuthorizerResultTtlInSeconds" : Integer,
    "AuthorizerUri" : String,
    "IdentitySource" : String,
    "IdentityValidationExpression" : String,
    "Name" : String,
    "ProviderARNs" : [ String, ... ],
    "RestApiId" : String,
    "Type" : String
  }
}

YAML

Type: "AWS::ApiGateway::Authorizer"
Properties:
  AuthorizerCredentials: String
  AuthorizerResultTtlInSeconds: Integer
  AuthorizerUri: String
  IdentitySource: String
  IdentityValidationExpression: String
  Name: String
  ProviderARNs:
    - String
  RestApiId: String
  Type: String

Properties

AuthorizerCredentials

The credentials required for the authorizer. To specify an AWS Identity and Access Management (IAM) role that API Gateway assumes, specify the role's Amazon Resource Name (ARN). To use resource-based permissions on the AWS Lambda (Lambda) function, specify null.

Required: No

Type: String

Update requires: No interruption

AuthorizerResultTtlInSeconds

The time-to-live (TTL) period, in seconds, that specifies how long API Gateway caches authorizer results. If you specify a value greater than 0, API Gateway caches the authorizer responses. By default, API Gateway sets this property to 300. The maximum value is 3600, or 1 hour.

Required: No

Type: Integer

Update requires: No interruption

AuthorizerUri

The authorizer's Uniform Resource Identifier (URI). If you specify TOKEN for the authorizer's Type property, specify a Lambda function URI, which has the form arn:aws:apigateway:region:lambda:path/path. The path usually has the form /2015-03-31/functions/LambdaFunctionARN/invocations.

Required: Conditional. Specify this property for Lambda functions only.

Type: String

Update requires: No interruption

IdentitySource

The source of the identity in an incoming request. If you specify TOKEN for the authorizer's Type property, specify a mapping expression. The custom header mapping expression has the form method.request.header.name, where name is the name of a custom authorization header that clients submit as part of their requests.

Required: Yes

Type: String

Update requires: No interruption

IdentityValidationExpression

A validation expression for the incoming identity. If you specify TOKEN for the authorizer's Type property, specify a regular expression. API Gateway uses the expression to attempt to match the incoming client token, and proceeds if the token matches. If the token doesn't match, API Gateway responds with a 401 (unauthorized request) error code.

Required: No

Type: String

Update requires: No interruption
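As an added illustration that is not part of the CloudFormation documentation, the Python model below simulates how API Gateway applies the IdentitySource, IdentityValidationExpression and AuthorizerResultTtlInSeconds properties to a request: the header named by the mapping expression is extracted, the validation expression rejects non-matching tokens with 401 before the Lambda authorizer is invoked, and the authorizer's answer is cached for the TTL. The configuration values, request headers and the stand-in Lambda authorizer are constructed for this example; a real deployment invokes the function at AuthorizerUri.

```python
import re
import time

# Constructed configuration mirroring the properties on this page
# (hypothetical values, not taken from the documentation's template).
AUTHORIZER = {
    "IdentitySource": "method.request.header.Auth",
    "IdentityValidationExpression": r"^Bearer [A-Za-z0-9._-]+$",
    "AuthorizerResultTtlInSeconds": 300,
}

# Stand-in for the TOKEN authorizer Lambda function: one constructed token
# is currently allowed. Removing it models a token being revoked upstream.
VALID_TOKENS = {"Bearer tok123": "Allow"}
invocations = []  # every call that reaches the stand-in authorizer
_cache = {}       # token -> (effect, cache expiry time)


def header_from_identity_source(identity_source):
    """'method.request.header.Auth' -> 'Auth' (only header sources are modelled)."""
    prefix = "method.request.header."
    if not identity_source.startswith(prefix):
        raise ValueError("only method.request.header.<name> is modelled here")
    return identity_source[len(prefix):]


def lambda_authorizer(token):
    invocations.append(token)
    return VALID_TOKENS.get(token, "Deny")


def authorize(request_headers, config=AUTHORIZER, now=None):
    """HTTP status API Gateway would return: 401 when the token is missing or
    fails IdentityValidationExpression, 403 on Deny, 200 on Allow."""
    now = time.time() if now is None else now
    header = header_from_identity_source(config["IdentitySource"])
    token = request_headers.get(header)
    if token is None or not re.fullmatch(config["IdentityValidationExpression"], token):
        return 401  # rejected before the authorizer is ever invoked
    ttl = config["AuthorizerResultTtlInSeconds"]
    cached = _cache.get(token)
    if ttl > 0 and cached is not None and cached[1] > now:
        effect = cached[0]          # served from cache, no Lambda invocation
    else:
        effect = lambda_authorizer(token)
        if ttl > 0:                 # TTL of 0 disables caching entirely
            _cache[token] = (effect, now + ttl)
    return 200 if effect == "Allow" else 403
```

The model makes the operational consequence of the TTL visible: a token the authorizer would now deny keeps receiving the cached Allow until the TTL expires, so the cache period bounds how quickly a revocation takes effect.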

Name

The name of the authorizer.

Required: Yes

Type: String

Update requires: No interruption

ProviderARNs

A list of the Amazon Cognito user pool Amazon Resource Names (ARNs) to associate with this authorizer. For more information, see Use Amazon Cognito Your User Pool in the API Gateway Developer Guide.

Required: No

Type: List of strings

Update requires: No interruption

RestApiId

The ID of the RestApi resource in which API Gateway creates the authorizer.

Required: Yes

Type: String

Update requires: Replacement

Type

The type of authorizer:

  • For a custom authorizer that uses a Lambda function, use TOKEN.

  • For an authorizer that uses Amazon Cognito user pools, use COGNITO_USER_POOLS.

Required: Yes

Type: String

Update requires: No interruption

Return Value

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the authorizer's ID, such as abcde1.

For more information about using the Ref function, see Ref.

Examples

The following examples create a custom authorizer that is an AWS Lambda function.

JSON

"Authorizer": {
  "Type": "AWS::ApiGateway::Authorizer",
  "Properties": {
    "AuthorizerCredentials": { "Fn::GetAtt": ["LambdaInvocationRole", "Arn"] },
    "AuthorizerResultTtlInSeconds": "300",
    "AuthorizerUri": {
      "Fn::Join": ["", [
        "arn:aws:apigateway:",
        { "Ref": "AWS::Region" },
        ":lambda:path/2015-03-31/functions/",
        { "Fn::GetAtt": ["LambdaAuthorizer", "Arn"] },
        "/invocations"
      ]]
    },
    "Type": "TOKEN",
    "IdentitySource": "method.request.header.Auth",
    "Name": "DefaultAuthorizer",
    "RestApiId": { "Ref": "RestApi" }
  }
}

YAML

Authorizer:
  Type: "AWS::ApiGateway::Authorizer"
  Properties:
    AuthorizerCredentials:
      Fn::GetAtt:
        - "LambdaInvocationRole"
        - "Arn"
    AuthorizerResultTtlInSeconds: "300"
    AuthorizerUri:
      Fn::Join:
        - ""
        - - "arn:aws:apigateway:"
          - Ref: "AWS::Region"
          - ":lambda:path/2015-03-31/functions/"
          - Fn::GetAtt:
              - "LambdaAuthorizer"
              - "Arn"
          - "/invocations"
    Type: "TOKEN"
    IdentitySource: "method.request.header.Auth"
    Name: "DefaultAuthorizer"
    RestApiId:
      Ref: "RestApi"