Class CfnAuthorizer
- All Implemented Interfaces:
IConstruct
,IDependable
,IInspectable
,software.amazon.jsii.JsiiSerializable
,software.constructs.IConstruct
AWS::ApiGateway::Authorizer
.
The AWS::ApiGateway::Authorizer
resource creates an authorization layer that API Gateway activates for methods that have authorization enabled. API Gateway activates the authorizer when a client calls those methods.
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import software.amazon.awscdk.services.apigateway.*; CfnAuthorizer cfnAuthorizer = CfnAuthorizer.Builder.create(this, "MyCfnAuthorizer") .name("name") .restApiId("restApiId") .type("type") // the properties below are optional .authorizerCredentials("authorizerCredentials") .authorizerResultTtlInSeconds(123) .authorizerUri("authorizerUri") .authType("authType") .identitySource("identitySource") .identityValidationExpression("identityValidationExpression") .providerArns(List.of("providerArns")) .build();
-
Nested Class Summary
Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationMode
Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IConstruct
IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.constructs.IConstruct
software.constructs.IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IInspectable
IInspectable.Jsii$Default, IInspectable.Jsii$Proxy
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
The CloudFormation resource type name for this resource class. -
Constructor Summary
ModifierConstructorDescriptionCfnAuthorizer
(Construct scope, String id, CfnAuthorizerProps props) Create a newAWS::ApiGateway::Authorizer
.protected
CfnAuthorizer
(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) protected
CfnAuthorizer
(software.amazon.jsii.JsiiObjectRef objRef) -
Method Summary
Modifier and TypeMethodDescriptionThe ID for the authorizer.Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.The TTL in seconds of cached authorizer results.Specifies the authorizer's Uniform Resource Identifier (URI).Optional customer-defined field, used in OpenAPI imports and exports without functional impact.The identity source for which authorization is requested.A validation expression for the incoming identity token.getName()
The name of the authorizer.A list of the Amazon Cognito user pool ARNs for theCOGNITO_USER_POOLS
authorizer.The string identifier of the associated RestApi.getType()
The authorizer type.void
inspect
(TreeInspector inspector) Examines the CloudFormation resource and discloses attributes.renderProperties
(Map<String, Object> props) void
setAuthorizerCredentials
(String value) Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.void
The TTL in seconds of cached authorizer results.void
setAuthorizerUri
(String value) Specifies the authorizer's Uniform Resource Identifier (URI).void
setAuthType
(String value) Optional customer-defined field, used in OpenAPI imports and exports without functional impact.void
setIdentitySource
(String value) The identity source for which authorization is requested.void
A validation expression for the incoming identity token.void
The name of the authorizer.void
setProviderArns
(List<String> value) A list of the Amazon Cognito user pool ARNs for theCOGNITO_USER_POOLS
authorizer.void
setRestApiId
(String value) The string identifier of the associated RestApi.void
The authorizer type.Methods inherited from class software.amazon.awscdk.core.CfnResource
addDeletionOverride, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, isCfnResource, shouldSynthesize, toString, validateProperties
Methods inherited from class software.amazon.awscdk.core.CfnRefElement
getRef
Methods inherited from class software.amazon.awscdk.core.CfnElement
getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
Methods inherited from class software.amazon.awscdk.core.Construct
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate
Methods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
-
Field Details
-
CFN_RESOURCE_TYPE_NAME
The CloudFormation resource type name for this resource class.
-
-
Constructor Details
-
CfnAuthorizer
protected CfnAuthorizer(software.amazon.jsii.JsiiObjectRef objRef) -
CfnAuthorizer
protected CfnAuthorizer(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) -
CfnAuthorizer
@Stability(Stable) public CfnAuthorizer(@NotNull Construct scope, @NotNull String id, @NotNull CfnAuthorizerProps props) Create a newAWS::ApiGateway::Authorizer
.- Parameters:
scope
-- scope in which this resource is defined.
id
-- scoped id of the resource.
props
-- resource properties.
-
-
Method Details
-
inspect
Examines the CloudFormation resource and discloses attributes.- Specified by:
inspect
in interfaceIInspectable
- Parameters:
inspector
-- tree inspector to collect and process attributes.
-
renderProperties
@Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String, Object> props) - Overrides:
renderProperties
in classCfnResource
- Parameters:
props
- This parameter is required.
-
getAttrAuthorizerId
The ID for the authorizer.For example:
abc123
. -
getCfnProperties
- Overrides:
getCfnProperties
in classCfnResource
-
getName
The name of the authorizer. -
setName
The name of the authorizer. -
getRestApiId
The string identifier of the associated RestApi. -
setRestApiId
The string identifier of the associated RestApi. -
getType
The authorizer type.Valid values are
TOKEN
for a Lambda function using a single authorization token submitted in a custom header,REQUEST
for a Lambda function using incoming request parameters, andCOGNITO_USER_POOLS
for using an Amazon Cognito user pool. -
setType
The authorizer type.Valid values are
TOKEN
for a Lambda function using a single authorization token submitted in a custom header,REQUEST
for a Lambda function using incoming request parameters, andCOGNITO_USER_POOLS
for using an Amazon Cognito user pool. -
getAuthorizerCredentials
Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.To specify an IAM role for API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.
-
setAuthorizerCredentials
Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.To specify an IAM role for API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.
-
getAuthorizerResultTtlInSeconds
The TTL in seconds of cached authorizer results.If it equals 0, authorization caching is disabled. If it is greater than 0, API Gateway will cache authorizer responses. If this field is not set, the default value is 300. The maximum value is 3600, or 1 hour.
-
setAuthorizerResultTtlInSeconds
The TTL in seconds of cached authorizer results.If it equals 0, authorization caching is disabled. If it is greater than 0, API Gateway will cache authorizer responses. If this field is not set, the default value is 300. The maximum value is 3600, or 1 hour.
-
getAuthorizerUri
Specifies the authorizer's Uniform Resource Identifier (URI).For
TOKEN
orREQUEST
authorizers, this must be a well-formed Lambda function URI, for example,arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:{account_id}:function:{lambda_function_name}/invocations
. In general, the URI has this formarn:aws:apigateway:{region}:lambda:path/{service_api}
, where{region}
is the same as the region hosting the Lambda function,path
indicates that the remaining substring in the URI should be treated as the path to the resource, including the initial/
. For Lambda functions, this is usually of the form/2015-03-31/functions/[FunctionARN]/invocations
. -
setAuthorizerUri
Specifies the authorizer's Uniform Resource Identifier (URI).For
TOKEN
orREQUEST
authorizers, this must be a well-formed Lambda function URI, for example,arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:{account_id}:function:{lambda_function_name}/invocations
. In general, the URI has this formarn:aws:apigateway:{region}:lambda:path/{service_api}
, where{region}
is the same as the region hosting the Lambda function,path
indicates that the remaining substring in the URI should be treated as the path to the resource, including the initial/
. For Lambda functions, this is usually of the form/2015-03-31/functions/[FunctionARN]/invocations
. -
getAuthType
Optional customer-defined field, used in OpenAPI imports and exports without functional impact. -
setAuthType
Optional customer-defined field, used in OpenAPI imports and exports without functional impact. -
getIdentitySource
The identity source for which authorization is requested.For a
TOKEN
orCOGNITO_USER_POOLS
authorizer, this is required and specifies the request header mapping expression for the custom header holding the authorization token submitted by the client. For example, if the token header name isAuth
, the header mapping expression ismethod.request.header.Auth
. For theREQUEST
authorizer, this is required when authorization caching is enabled. The value is a comma-separated string of one or more mapping expressions of the specified request parameters. For example, if anAuth
header, aName
query string parameter are defined as identity sources, this value ismethod.request.header.Auth, method.request.querystring.Name
. These parameters will be used to derive the authorization caching key and to perform runtime validation of theREQUEST
authorizer by verifying all of the identity-related request parameters are present, not null and non-empty. Only when this is true does the authorizer invoke the authorizer Lambda function, otherwise, it returns a 401 Unauthorized response without calling the Lambda function. The valid value is a string of comma-separated mapping expressions of the specified request parameters. When the authorization caching is not enabled, this property is optional. -
setIdentitySource
The identity source for which authorization is requested.For a
TOKEN
orCOGNITO_USER_POOLS
authorizer, this is required and specifies the request header mapping expression for the custom header holding the authorization token submitted by the client. For example, if the token header name isAuth
, the header mapping expression ismethod.request.header.Auth
. For theREQUEST
authorizer, this is required when authorization caching is enabled. The value is a comma-separated string of one or more mapping expressions of the specified request parameters. For example, if anAuth
header, aName
query string parameter are defined as identity sources, this value ismethod.request.header.Auth, method.request.querystring.Name
. These parameters will be used to derive the authorization caching key and to perform runtime validation of theREQUEST
authorizer by verifying all of the identity-related request parameters are present, not null and non-empty. Only when this is true does the authorizer invoke the authorizer Lambda function, otherwise, it returns a 401 Unauthorized response without calling the Lambda function. The valid value is a string of comma-separated mapping expressions of the specified request parameters. When the authorization caching is not enabled, this property is optional. -
getIdentityValidationExpression
A validation expression for the incoming identity token.For
TOKEN
authorizers, this value is a regular expression. ForCOGNITO_USER_POOLS
authorizers, API Gateway will match theaud
field of the incoming token from the client against the specified regular expression. It will invoke the authorizer's Lambda function when there is a match. Otherwise, it will return a 401 Unauthorized response without calling the Lambda function. The validation expression does not apply to theREQUEST
authorizer. -
setIdentityValidationExpression
A validation expression for the incoming identity token.For
TOKEN
authorizers, this value is a regular expression. ForCOGNITO_USER_POOLS
authorizers, API Gateway will match theaud
field of the incoming token from the client against the specified regular expression. It will invoke the authorizer's Lambda function when there is a match. Otherwise, it will return a 401 Unauthorized response without calling the Lambda function. The validation expression does not apply to theREQUEST
authorizer. -
getProviderArns
A list of the Amazon Cognito user pool ARNs for theCOGNITO_USER_POOLS
authorizer.Each element is of this format:
arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}
. For aTOKEN
orREQUEST
authorizer, this is not defined. -
setProviderArns
A list of the Amazon Cognito user pool ARNs for theCOGNITO_USER_POOLS
authorizer.Each element is of this format:
arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}
. For aTOKEN
orREQUEST
authorizer, this is not defined.
-